An employee received a phishing email aimed at stealing AWS login credentials, with a link that redirected to a credential harvesting page spoofing the AWS sign-in. The investigation uncovered indicators of compromise and emphasized AWS-security best practices to defend against similar campaigns. #AWS #consoleportaltech
Keypoints
- An employee received a phishing email targeting AWS credentials.
- The email contained a link that redirected to a credential harvesting page.
- The phishing domain was associated with known malware distribution.
- The phishing page was a visual clone of the legitimate AWS sign-in page.
- The investigation revealed multiple suspicious domains related to AWS phishing.
- Organizations should implement strong security measures to protect against phishing.
- Recommendations include disabling root logins, using MFA, and enabling cloud logging.
MITRE Techniques
- [T1566] Phishing – Threat actors send emails with links to credential harvesting pages.
- [T1003] Credential Dumping – Phishing attempts aim to collect user credentials for unauthorized access.
- [T1483] Domain Generation Algorithms – Use of various domains to evade detection and facilitate phishing attacks.
Indicators of Compromise
- [Domain] Phishing domains used for AWS credential harvesting – giraffe-viola-p262.squarespace[.]com, console.aws.consoleportal[.]tech
- [Email] Sender address used in phishing – admin@alchemistdigital[.]ae
- [URL] Credential harvesting and phishing redirect chain – cli[.]re/j9PQ88, signin.aws.consoleportal[.]tech/signin
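The indicators above are only useful once they are matched against proxy and mail-gateway telemetry. The script below is an added example (not code from the Wiz write-up) that refangs the listed indicators, builds a watchlist, and scans constructed log lines for them. It distinguishes three match levels: an exact URL match (so a shortener such as cli[.]re is not blocked wholesale), an exact host match (so only the one squarespace[.]com subdomain is flagged, not the hosting provider), and a zone-suffix match for consoleportal[.]tech. That last rule is my assumption, not the report's: both listed phishing hosts sit under that zone, so the whole zone is treated as attacker-controlled. The log lines and the host example-sub.consoleportal.tech are constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as the report lists them (defanged with "[.]").
PAGE_IOCS = {
    "domains": ["giraffe-viola-p262.squarespace[.]com", "console.aws.consoleportal[.]tech"],
    "urls": ["cli[.]re/j9PQ88", "signin.aws.consoleportal[.]tech/signin"],
    "emails": ["admin@alchemistdigital[.]ae"],
}

# Assumption (mine, not the report's): both phishing hosts sit under this zone, so any
# host in it is flagged. No such rule for squarespace[.]com, a shared hosting provider.
ASSUMED_ZONES = ["consoleportal[.]tech"]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(value):
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into a matchable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def normalize_url(url):
    """Return 'host/path' for a URL; lower-case the host only (shortener paths are case-sensitive)."""
    if "://" not in url:
        url = "http://" + url  # indicators are often listed without a scheme
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return host + parts.path.rstrip("/")


def build_watchlist(iocs=PAGE_IOCS, zones=ASSUMED_ZONES):
    """Refang and normalize the indicators into sets keyed by match type."""
    return {
        "hosts": {refang(d).lower() for d in iocs["domains"]},
        "zones": {refang(z).lower() for z in zones},
        "urls": {normalize_url(refang(u)) for u in iocs["urls"]},
        "emails": {refang(e).lower() for e in iocs["emails"]},
    }


def classify_url(url, watch):
    """Most specific reason a URL matches the watchlist ('url', 'host', 'zone'), or None."""
    norm = normalize_url(url)
    host = norm.split("/", 1)[0]
    if norm in watch["urls"]:
        return "url"
    if host in watch["hosts"]:
        return "host"
    if any(host == z or host.endswith("." + z) for z in watch["zones"]):
        return "zone"
    return None


def scan_log(lines, watch=None):
    """Return (line_no, reason, value) for every indicator hit in the given log lines."""
    watch = watch or build_watchlist()
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reason = classify_url(url, watch)
            if reason:
                hits.append((n, reason, url))
        for addr in EMAIL_RE.findall(line):
            if addr.lower() in watch["emails"]:
                hits.append((n, "sender", addr))
    return hits


# Constructed sample telemetry: proxy lines and mail-gateway lines, not from the incident.
SAMPLE_LOG = [
    'proxy 2024-01-01T09:00:01Z user=alice GET https://cli.re/j9PQ88 302',
    'proxy 2024-01-01T09:00:03Z user=alice GET https://signin.aws.consoleportal.tech/signin 200',
    'proxy 2024-01-01T09:00:09Z user=alice POST https://console.aws.consoleportal.tech/login 200',
    'proxy 2024-01-01T09:01:10Z user=bob GET https://console.aws.amazon.com/console/home 200',
    'proxy 2024-01-01T09:02:00Z user=carol GET https://www.squarespace.com/ 200',
    'proxy 2024-01-01T09:03:00Z user=dave GET https://example-sub.consoleportal.tech/ 200',  # constructed host
    'mta 2024-01-01T08:58:30Z from=<admin@alchemistdigital.ae> to=<alice@example.com> subject="AWS verification"',
    'mta 2024-01-01T08:59:00Z from=<billing@example.com> to=<dave@example.com> subject="Invoice"',
]

if __name__ == "__main__":
    for line_no, reason, value in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason} match on {value}")
```

Run as-is it reports the shortener URL and sign-in URL (exact URL matches), the second listed host on a different path (host match), the constructed host under the assumed zone (zone match), and the sender address from the mail log; the legitimate AWS console and the squarespace.com front page produce no hits. Users who hit the redirect chain are the ones whose credentials and MFA should be reset and whose CloudTrail activity should be reviewed.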
Read more: https://www.wiz.io/blog/emerging-phishing-campaign-targeting-aws-accounts