AWS Phishing Exploits

JavaGhost (TGR-UNK-0011) leverages exposed AWS IAM keys and misconfigurations to provision SES and WorkMail services, create IAM users and roles (including long-lived and temporary credentials), and send phishing emails that appear to come from trusted sources; they also leave telltale but non-functional EC2 security groups named "Java_Ghost" that appear in CloudTrail as an identifying trace.