JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Researchers have observed the JavaGhost threat actor group using phishing to target AWS environments. This group takes advantage of misconfigurations in the victim organizations’ environments that expose AWS credentials in the form of long-term access keys. More info from Palo Alto’s Unit 42 is available here: https://unit42.paloaltonetworks.com/javaghost-cloud-phishing/
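One defensive check for the long-term access keys mentioned above is to audit the IAM credential report for active keys that are stale or idle. This is an added example, not code from the post or the Unit 42 report: the column names are those of the real credential report (`aws iam get-credential-report`), the rows, account id and thresholds are constructed.

```python
"""Flag stale or idle long-term IAM access keys from a credential report."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotate long-term keys at least this often (assumed policy)
MAX_IDLE_DAYS = 45      # keys unused this long are candidates for removal (assumed)

# Constructed sample report: a subset of the real credential-report columns.
SAMPLE_REPORT = """user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,true,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,true,2024-01-10T09:00:00+00:00,2025-02-28T11:05:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2025-01-20T08:00:00+00:00,2025-03-01T10:00:00+00:00,true,2024-06-01T08:00:00+00:00,N/A
legacy-svc,arn:aws:iam::111122223333:user/legacy-svc,false,true,2023-05-05T00:00:00+00:00,2024-10-01T00:00:00+00:00,false,N/A,N/A
"""


def _parse_ts(value):
    """The report uses N/A / no_information / not_supported for missing dates."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def find_risky_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS,
                    max_idle_days=MAX_IDLE_DAYS):
    """Return (user, key_slot, reason) for every active key that is stale or idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive or absent key: nothing to flag
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            reasons = []
            if rotated is not None and (now - rotated).days > max_age_days:
                reasons.append(f"not rotated for {(now - rotated).days} days")
            if used is None:
                reasons.append("never used")
            elif (now - used).days > max_idle_days:
                reasons.append(f"unused for {(now - used).days} days")
            if reasons:
                findings.append((row["user"], f"access_key_{slot}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for user, slot, reason in find_risky_keys(SAMPLE_REPORT, datetime.now(timezone.utc)):
        print(f"{user:12} {slot}: {reason}")
```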
Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, had this to say:
“Cyber threat actors with sophisticated technical skills and solid business sense now know that maintaining persistence within enterprises using back doors with command and control capabilities is getting more difficult to sustain, due to improvements in endpoint monitoring and network-level behavioral analysis that comes with cybersecurity product maturity. As a byproduct, threat actors are doing what they do best: adjusting their tactics.
Threat actors know that compromising credentials is most effective to both penetrate enterprise cyber defenses and to operate within an enterprise to escalate privilege and obtain access to digital assets to monetize in various ways. Obtaining cloud-based credentials used in identity access management (IAM) services for IaaS providers offers sophisticated threat actors an opportunity to gain access to digital assets, while minimizing the probability of detection.
This news represents an acknowledgement by threat actors that cloud and IaaS account compromise continues to offer profitable opportunities for exploitation. Enterprises and the tech industry should look for different ways to more effectively manage IaaS and SaaS account configuration and management. The on-boarding of accounts for cloud-based services represents today a weakness that will continue to be exploited by sophisticated threat actors. Many enterprises struggle with the onboarding (registration, configuration) of cloud accounts due to backlogs for the many types of cloud accounts essential for meeting service levels for enterprise users. Enterprises need to get more creative in addressing the backlog and provide faster, more responsive onboarding for these accounts. Many established and mature IAM practices and processes were designed for managing access to systems within a proprietary data center. Providing effective IAM management for cloud accounts is a struggle for many enterprises that threat actors like JavaGhost are taking advantage of.”
Roger Grimes, data-driven defense evangelist at KnowBe4, follows with this:
“This is another example of how not doing the basics better can hurt you. When clouds really took over a decade ago, ‘experts’ worried about all the new cloud-specific attacks we would see and become accustomed to. But what has proven true over time is that the same things that plague us in on-premise environments for over 2-3 decades are still what plagues us in cloud environments. In this case, overly permissive permissions and social engineering. Social engineering is responsible for 70% – 90% of successful attacks. Overly permissive permissions are also a top threat (but surpassed also by vulnerability exploits and stolen credentials).
If you want to keep hackers and their malware creations out, concentrate on the long-time basics, not just as part of everything you are doing, but primarily what you are doing. If you’re not stopping social engineering, exploits against unpatched vulnerabilities, credential theft (79% of the time through social engineering), and misconfigurations, of which overly permissive permissions is one type, then you aren’t going to stop hackers. The only difference now is you need to learn how to do it in both on-premises and cloud environments. But the threats are the same.”
If your organization has any exposure to AWS, I’d set aside some time to read this report. Specifically, the protections and mitigations section should help to make you safer.
This entry was posted on March 3, 2025 at 4:01 pm and is filed under Commentary with tags Palo Alto Networks. You can follow any responses to this entry through the RSS 2.0 feed.