HackRead

JavaGhost, a threat group tracked by Unit 42, has shifted from website defacement to targeting AWS environments through phishing and IAM abuse. The group exploits misconfigured AWS settings, using compromised credentials to gain access while evading detection by avoiding common API calls and leveraging Python urllib3. They manipulate AWS services like SES and WorkMail to build phishing infrastructure and create persistent IAM roles with attacker-controlled access. Their techniques include creating EC2 security groups labeled "Java_Ghost" and attempting to remove security constraints by enabling all AWS regions. To defend against such attacks, experts advise enforcing strict access controls, rotating credentials, and monitoring IAM activity for unusual behavior.
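One way to monitor for the behaviors listed above is to triage CloudTrail records per principal. This is an added example, not code from Unit 42 or HackRead; the rule names, the verb-prefix heuristic, the flagging threshold, and all sample records (account ID, user names, user agents) are assumptions constructed for illustration.

```python
from collections import defaultdict

MAIL_SOURCES = {"ses.amazonaws.com", "workmail.amazonaws.com"}
ROLE_CHANGES = {"CreateRole", "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy"}

def match_rules(ev):
    """Return the rule names that one CloudTrail record trips."""
    src, name = ev.get("eventSource", ""), ev.get("eventName", "")
    params = ev.get("requestParameters") or {}  # CloudTrail may log null here
    hits = []
    if name == "CreateSecurityGroup" and "java_ghost" in str(params.get("groupName", "")).lower():
        hits.append("sg_name_java_ghost")
    if src == "account.amazonaws.com" and name == "EnableRegion":
        hits.append("region_enabled")
    # Assumption: write-style SES/WorkMail calls are identified by verb prefix.
    if src in MAIL_SOURCES and name.startswith(("Create", "Put", "Update", "Verify")):
        hits.append("mail_infra_change")
    if src == "iam.amazonaws.com" and name in ROLE_CHANGES:
        hits.append("iam_role_change")
    # urllib3 is a common client, so it only corroborates another hit.
    if hits and "urllib3" in (ev.get("userAgent") or "").lower():
        hits.append("urllib3_client")
    return hits

def triage(events):
    """Group hits per principal; flag the named group or any two distinct rules."""
    by_arn = defaultdict(set)
    for ev in events:
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        by_arn[arn].update(match_rules(ev))
    return {a: sorted(h) for a, h in by_arn.items()
            if "sg_name_java_ghost" in h or len(h) >= 2}

# Constructed sample records (not real log data).
DEV = {"arn": "arn:aws:iam::111122223333:user/example-dev"}
ADMIN = {"arn": "arn:aws:iam::111122223333:user/example-admin"}
SAMPLE = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateSecurityGroup", "userIdentity": DEV,
     "userAgent": "python-urllib3/1.26.0", "requestParameters": {"groupName": "Java_Ghost"}},
    {"eventSource": "account.amazonaws.com", "eventName": "EnableRegion", "userIdentity": DEV},
    {"eventSource": "ses.amazonaws.com", "eventName": "CreateEmailIdentity", "userIdentity": DEV,
     "userAgent": "python-urllib3/1.26.0"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": DEV},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": ADMIN,
     "userAgent": "example-console-agent"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": ADMIN,
     "requestParameters": None},
]

if __name__ == "__main__":
    for arn, hits in triage(SAMPLE).items():
        print(arn, hits)
```

A single role change by the constructed admin principal stays below the threshold, which keeps routine IAM work out of the alert queue.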
