EC2 Grouper Hackers Abusing AWS Tools to Attack With Compromised Credentials


A sophisticated hacker group dubbed “EC2 Grouper” has been exploiting AWS tools and compromised credentials to launch attacks on cloud environments.

This prolific threat actor has been observed in dozens of customer environments over the past couple of years, making them one of the most active groups tracked by cybersecurity experts.

Fortinet researchers observed that EC2 Grouper is characterized by its consistent use of AWS tools, particularly PowerShell, for executing attacks. The group employs a distinctive user agent string and a unique security group naming convention, often creating multiple groups with names like “ec2group,” “ec2group1,” up to “ec2group12345”.

The attackers primarily obtain credentials from code repositories associated with valid accounts. Once they acquire these credentials, they leverage APIs for reconnaissance, security group creation, and resource provisioning.

Their tactics include making calls to DescribeInstanceTypes to inventory EC2 types and DescribeRegions to gather information about available regions.


Interestingly, researchers have not observed calls to AuthorizeSecurityGroupIngress, which is typically required for configuring inbound access to EC2 instances launched with the security group.

However, they have noted instances of CreateInternetGateway and CreateVpc calls, which are necessary for remote access.

While the group’s ultimate objectives remain unconfirmed, experts believe resource hijacking is likely their primary goal.

“No manual activity or actions based on specific objectives have been observed in compromised cloud environments,” reads the report.

Detecting EC2 Grouper’s activities poses significant challenges for security teams. Traditional indicators like user agents and group names have proven unreliable for comprehensive threat detection due to their transient nature.

Instead, experts recommend a more nuanced approach that correlates multiple weak signals to identify malicious behavior accurately.
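As an added illustration of that correlation approach (example code written for this page, not from Fortinet's report or tooling), the snippet below groups CloudTrail-style events by access key and combines the weak signals the article describes: reconnaissance calls, VPC/gateway provisioning, the “ec2group” naming pattern, and the absence of AuthorizeSecurityGroupIngress. The sample records, the placeholder access key IDs and the flagging threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Weak signals drawn from the article's description of the actor's API usage.
RECON_EVENTS = {"DescribeInstanceTypes", "DescribeRegions"}
PROVISION_EVENTS = {"CreateVpc", "CreateInternetGateway", "RunInstances"}
GROUP_NAME_RE = re.compile(r"^ec2group\d*$")  # ec2group, ec2group1, ... ec2group12345

# Constructed CloudTrail-style records; the access key IDs are placeholders, not real keys.
SAMPLE_EVENTS = [
    {"eventName": "DescribeRegions", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"}},
    {"eventName": "DescribeInstanceTypes", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"},
     "requestParameters": {"groupName": "ec2group"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"},
     "requestParameters": {"groupName": "ec2group1"}},
    {"eventName": "CreateVpc", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"}},
    {"eventName": "CreateInternetGateway", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-A"}},
    # A second principal that only lists regions and configures a normally named group.
    {"eventName": "DescribeRegions", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-B"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-B"},
     "requestParameters": {"groupName": "web-tier-sg"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-B"}},
]

def correlate(events, min_signals=3):
    """Group events by access key; flag a key once it shows min_signals distinct weak signals.
    The default threshold of 3 is an assumed starting point, not a value from the article."""
    per_key = defaultdict(lambda: {"signals": set(), "ingress_rules": 0})
    for ev in events:
        rec = per_key[ev.get("userIdentity", {}).get("accessKeyId", "unknown")]
        name = ev.get("eventName", "")
        if name in RECON_EVENTS:
            rec["signals"].add("recon")
        elif name in PROVISION_EVENTS:
            rec["signals"].add("provisioning")
        elif name == "CreateSecurityGroup":
            if GROUP_NAME_RE.match(ev.get("requestParameters", {}).get("groupName", "")):
                rec["signals"].add("ec2group-naming")
        elif name == "AuthorizeSecurityGroupIngress":
            rec["ingress_rules"] += 1
    findings = {}
    for key, rec in per_key.items():
        # Provisioning a VPC/gateway without ever authorising ingress matches the pattern noted above.
        if "provisioning" in rec["signals"] and rec["ingress_rules"] == 0:
            rec["signals"].add("no-ingress-authorized")
        findings[key] = {"signals": sorted(rec["signals"]),
                         "flagged": len(rec["signals"]) >= min_signals}
    return findings
```

No single signal is decisive on its own; a key is flagged only when several of them coincide, which is the point of correlating weak indicators rather than matching a user agent or group name.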

Organizations are advised to implement several security measures to mitigate risks associated with EC2 Grouper and similar threats.

These include utilizing Cloud Security Posture Management (CSPM) tools to monitor and assess cloud environment security continuously, implementing anomaly detection techniques to identify unusual behavior, and applying the principle of least privilege to all roles assigned to users and instances.

As cloud environments remain prime targets for sophisticated threat actors, the discovery and analysis of groups like EC2 Grouper underscore the importance of advanced detection mechanisms and robust security practices in safeguarding digital assets and sensitive information.
