2024-06-18, Breakout 1
Have you ever wondered what lies behind a phishing email? It may be only the tip of the iceberg: a more complex dark economy of stolen cloud accounts abused for their email services. Illicitly buying compromised accounts with Amazon Simple Email Service (SES) ready to use is like having access to a phishing weapon that can be immediately leveraged against thousands of users.
Join us in an insightful session that will shed light on the lucrative market for Amazon SES accounts and uncover an offensive operation in which the AWS account of a compromised organization is used to send phishing emails. We will share the techniques and tactics of the two threat actors involved: an Indonesian group that took over AWS accounts with Amazon SES enabled, and a French threat actor who later bought these accounts to launch a phishing campaign against French travel card users. Furthermore, we will talk about the multiple impacts of this attack.
During the talk, we will reveal new detection methods we employed to detect events that are not logged in CloudTrail, specifically the SES email-sending API calls. Our procedure uses Amazon Simple Notification Service, CloudWatch and Lambda functions to log email events, configure alerts and implement incident response.
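As an added illustration of the SNS-to-Lambda logging path described above (example code, not the speakers' or Sysdig's tooling), here is a Lambda handler that unwraps SES event-publishing notifications delivered by SNS, writes one structured line per message to CloudWatch Logs, and returns alerts for sends matching two assumed heuristics. The field names follow the SES event-publishing JSON; the sender allow-list, the recipient threshold and the sample event are constructed for the example.

```python
import json
# Illustrative threshold and sender allow-list: assumptions for this example, not values from the talk.
MAX_RECIPIENTS_PER_MESSAGE = 20
EXPECTED_SENDERS = {"noreply@example.com"}

def parse_sns_records(event):
    """Unwrap SES event-publishing notifications as SNS delivers them to Lambda."""
    entries = []
    for rec in event.get("Records", []):
        if rec.get("EventSource") != "aws:sns":
            continue
        body = json.loads(rec["Sns"]["Message"])  # SNS carries the SES JSON as a string
        mail = body.get("mail", {})
        entries.append({
            "event_type": body.get("eventType"),  # Send, Delivery, Bounce, Complaint, ...
            "message_id": mail.get("messageId"),
            "source": mail.get("source"),
            "recipients": mail.get("destination", []),
            "subject": mail.get("commonHeaders", {}).get("subject"),
        })
    return entries

def find_suspicious(entries):
    """Flag Send events from unexpected senders or with bulk recipient lists."""
    alerts = []
    for e in entries:
        if e["event_type"] != "Send":
            continue
        if e["source"] not in EXPECTED_SENDERS:
            alerts.append(("unexpected-sender", e["message_id"]))
        if len(e["recipients"]) > MAX_RECIPIENTS_PER_MESSAGE:
            alerts.append(("bulk-recipients", e["message_id"]))
    return alerts

def handler(event, context=None):  # Lambda entry point: log each send, return alerts to raise
    entries = parse_sns_records(event)
    for e in entries:
        print(json.dumps(e))  # Lambda stdout is captured by CloudWatch Logs
    return find_suspicious(entries)

def _sns_wrap(ses_event):  # shape of one SNS record inside a Lambda event
    return {"EventSource": "aws:sns", "Sns": {"Message": json.dumps(ses_event)}}
# Constructed sample input: one routine send and one that looks like a phishing blast.
SAMPLE_EVENT = {"Records": [
    _sns_wrap({"eventType": "Send", "mail": {"messageId": "m-1", "source": "noreply@example.com",
               "destination": ["a@example.net"], "commonHeaders": {"subject": "Your receipt"}}}),
    _sns_wrap({"eventType": "Send", "mail": {"messageId": "m-2", "source": "support@attacker.example",
               "destination": [f"u{i}@example.net" for i in range(25)],
               "commonHeaders": {"subject": "Validate your travel card"}}}),
]}
```

In a real deployment the handler would be subscribed to the SNS topic targeted by the SES configuration set's event destination, and the returned alerts would be forwarded to a CloudWatch alarm or ticketing system rather than returned to the caller.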
Having the complete picture of the dark market and threat actors behind phishing emails in cloud-native environments allows defenders to neutralize those attacks more easily.
Alessandro is a Sr. Threat Research Engineer at Sysdig with a background in penetration testing of web and mobile applications. His research includes cloud and container security, with a specific focus on supply chain attacks and cloud platform exploitation. While studying computer science and engineering at Politecnico di Milano, he participated in various bug bounty programs where he received rewards from several large companies. Alessandro is also a contributor to Falco, an incubation-level CNCF project.
Stefano Chierici is a Threat Research Lead Manager at Sysdig, where his research focuses on defending containerized and cloud environments from attacks ranging from web to kernel. Stefano is a contributor to Falco, an incubation-level CNCF project. He studied cyber security in Italy, and before joining Sysdig he was a pentester. He obtained the OSCP certification in 2019, and has worked as a security engineer and a red team member.