Summary
Identification of EC2 Grouper: Researchers discovered that EC2 Grouper abuses AWS credentials and tools, using naming patterns such as “ec2group12345”.
Compromised credentials: The group primarily obtains credentials from code repositories, and those credentials belong to valid accounts.
API reliance: The group avoids manual activity and uses APIs for reconnaissance and resource creation.
Detection challenges: Indicators such as naming conventions and user agents are unreliable for consistent detection.
Security recommendation: Use CSPM tools to monitor for credential abuse and detect anomalous API activity to reduce risk.
Cloud environments are constantly under attack, with sophisticated attackers using a variety of techniques to gain unauthorized access. One such attacker, EC2 Grouper, has become a noteworthy adversary for security teams.
According to new research by Fortinet’s FortiGuard Labs threat research team, this group is characterized by its consistent use of AWS tools in its attacks and its unique security group naming convention. Researchers tracked this attacker across dozens of customer environments with similar user agents and security group naming conventions.
The latest revelations come amid increasing abuse of AWS infrastructure by top hacker groups. In December 2024, a report revealed that ShinyHunters and Nemesis Group worked together to target misconfigured servers, specifically AWS S3 buckets.
EC2 Grouper typically launches its attacks with AWS tools such as PowerShell, which leave a distinctive user agent string. The group also consistently creates security groups with names following patterns such as “ec2group,” “ec2group1,” and “ec2group12.” Cloud attacks also frequently obtain credentials from code repositories, and these credentials usually belong to valid accounts; the researchers consider this the group's primary method of obtaining credentials.
Further investigation revealed that EC2 Grouper relies on APIs for reconnaissance, security group creation, and resource provisioning, while skipping direct actions such as configuring inbound access.
While these indicators can provide initial clues, they are often insufficient for reliable threat detection, researcher Chris Hall said in a blog post shared with hackread.com. Relying solely on these indicators can be misleading, because an attacker can easily change the user agent and deviate from the usual naming conventions.
The researchers did not observe calls to AuthorizeSecurityGroupIngress, which would be needed to configure inbound access to EC2 instances launched in a security group, but they did observe CreateInternetGateway and CreateVpc calls, which set up remote access.
The researchers also observed no actions in the compromised cloud environments that revealed the attacker's intent or indicated manual activity. EC2 Grouper may be selective about escalation, or the compromised accounts may have been detected and quarantined before escalation took place.
Screenshot: FortiGuard Labs
Still, the researchers believe that by analyzing signals such as compromised credentials and API usage, security teams can develop reliable detection strategies that help organizations defend against advanced attackers like EC2 Grouper. They suggest that a more effective approach is to monitor for suspicious activity related to legitimate secret scanning services in order to identify possibly compromised credentials, which are EC2 Grouper's primary source of access.
To stay safe, organizations should also utilize cloud security posture management (CSPM) tools to continuously monitor and assess the security posture of their cloud environments. It can also be helpful to implement anomaly detection techniques to identify anomalous behavior within your cloud environment, such as unexpected API calls, resource creation, or data extraction.
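As an added example (not code from the article or from FortiGuard's research), the following Python script applies the indicators described above to constructed CloudTrail-style records. It treats the “ec2group” security group naming and the PowerShell user agent as weak signals, since the researchers note an attacker can change both, and treats the combination of CreateVpc and CreateInternetGateway without any AuthorizeSecurityGroupIngress call from the same identity as a stronger signal. The user agent substring “AWSPowerShell”, the account ID, the ARNs, and the scoring weights are assumptions; the sample events are constructed and not real log data.

```python
import json
import re
from collections import defaultdict

# Security group names reported for the campaign: "ec2group", "ec2group1", "ec2group12", ...
SG_NAME_PATTERN = re.compile(r"^ec2group\d*$", re.IGNORECASE)

# Assumed substring of the user agent set by AWS Tools for PowerShell; the article
# does not quote the exact string, so adjust this to what your own logs show.
SUSPECT_UA_SUBSTRING = "AWSPowerShell"

# API calls the researchers saw used to scaffold remote access.
SCAFFOLD_CALLS = {"CreateVpc", "CreateInternetGateway"}
INGRESS_CALL = "AuthorizeSecurityGroupIngress"


def _ct(event_name, arn, user_agent, **request_params):
    """Build one constructed CloudTrail-style record as a JSON line."""
    return json.dumps({
        "eventSource": "ec2.amazonaws.com",
        "eventName": event_name,
        "userAgent": user_agent,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "requestParameters": request_params,
    })


# Constructed sample data (account ID and user names are placeholders).
LEAKED = "arn:aws:iam::111111111111:user/leaked-ci-key"
ALICE = "arn:aws:iam::111111111111:user/alice"
PS_UA = "AWSPowerShell/4.1.0.0 .NET_Core/8.0 OS/Windows"
SAMPLE_CLOUDTRAIL = "\n".join([
    _ct("CreateSecurityGroup", LEAKED, PS_UA, groupName="ec2group12"),
    _ct("CreateVpc", LEAKED, PS_UA, cidrBlock="10.0.0.0/16"),
    _ct("CreateInternetGateway", LEAKED, PS_UA),
    _ct("DescribeInstances", LEAKED, PS_UA),
    _ct("CreateSecurityGroup", ALICE, "console.amazonaws.com", groupName="web-prod-sg"),
    _ct(INGRESS_CALL, ALICE, "console.amazonaws.com", groupId="sg-0123456789abcdef0"),
])


def parse_events(jsonl):
    """Parse newline-delimited CloudTrail-style JSON records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def event_signals(ev):
    """Return the weak, per-event indicators present on a single record."""
    signals = []
    if ev.get("eventName") == "CreateSecurityGroup":
        name = ev.get("requestParameters", {}).get("groupName", "")
        if SG_NAME_PATTERN.match(name):
            signals.append("sg-naming")
    if SUSPECT_UA_SUBSTRING in ev.get("userAgent", ""):
        signals.append("powershell-ua")
    return signals


def analyze(jsonl):
    """Group records by IAM identity and score each identity.

    Weak signals add 1 point each; the VPC/IGW scaffolding pattern with no
    ingress rule adds 3 (assumed weights, tune to your environment).
    """
    per_identity = defaultdict(lambda: {"weak": [], "calls": set()})
    for ev in parse_events(jsonl):
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        rec = per_identity[arn]
        rec["calls"].add(ev.get("eventName"))
        rec["weak"].extend(event_signals(ev))

    findings = {}
    for arn, rec in per_identity.items():
        scaffold = SCAFFOLD_CALLS <= rec["calls"] and INGRESS_CALL not in rec["calls"]
        findings[arn] = {
            "weak_signals": sorted(set(rec["weak"])),
            "scaffold_without_ingress": scaffold,
            "score": len(rec["weak"]) + (3 if scaffold else 0),
        }
    return findings


if __name__ == "__main__":
    for arn, finding in analyze(SAMPLE_CLOUDTRAIL).items():
        print(arn, finding)
```

The per-identity grouping is the point: a single CreateVpc call is routine, and a PowerShell user agent on its own is common in administered environments, but the same identity creating an “ec2group” security group, a VPC and an internet gateway while never authorizing ingress is the shape the researchers describe, and it survives an attacker changing the user agent or the group name.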