FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits


Cloud environments have been the target of attacks by a highly skilled hacker collective known as “EC2 Grouper,” which has been using AWS tools and compromised credentials.

Over the last few years, this prolific threat actor has been seen in dozens of customer environments, making it one of the most active groups that cybersecurity professionals keep an eye on.

According to Fortinet researchers, EC2 Grouper is distinguished by its regular use of AWS tools, especially PowerShell, to carry out attacks. The group follows a distinctive security group naming convention and uses a distinctive user agent string; it frequently creates several groups with names like “ec2group,” “ec2group1,” and up to “ec2group12345.”

Credentials are generally obtained by the attackers from code repositories linked to legitimate accounts. After obtaining these credentials, attackers use APIs for resource provisioning, security group formation, and reconnaissance.

Among their techniques are calls to DescribeRegions to obtain details about accessible regions and DescribeInstanceTypes to inventory EC2 instance types.

It is interesting to note that researchers have not seen calls to AuthorizeSecurityGroupIngress, which are normally necessary to configure inbound access to EC2 instances launched with the security group.

They have, however, observed instances of CreateVpc and CreateInternetGateway calls, which are required for remote access.

Although the group’s ultimate goals are still unknown, analysts think stealing compute resources is probably their main ambition.

According to the analysis, no manual activity or actions with predetermined goals have been seen in the compromised cloud environments.

Security teams have a difficult time identifying EC2 Grouper’s activity. The ephemeral nature of traditional indicators, such as user agents and group names, has made them unreliable for thorough threat detection.

Experts advise a more sophisticated method that detects malicious activity by correlating several weak signals rather than relying on any single indicator.
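The following added example (not code from the Fortinet report or from this article) shows one way to put that advice into practice: it correlates the weak indicators the article describes, which are reconnaissance calls such as DescribeRegions and DescribeInstanceTypes, security groups named in the “ec2group”/“ec2group1” pattern, CreateVpc and CreateInternetGateway calls, and the absence of AuthorizeSecurityGroupIngress after security group creation, across a batch of CloudTrail-style events per IAM identity. The event records, the identity ARNs, the scoring weights, the alert threshold and the user-agent watchlist value are all constructed assumptions, since the page does not give the actual user agent string; the scoring is a simple scheme chosen for illustration and would need tuning in a real environment.

```python
import re
from collections import defaultdict

# Security group naming convention described in the report: ec2group, ec2group1, ... ec2group12345
SG_NAME_PATTERN = re.compile(r"^ec2group\d*$")
RECON_CALLS = {"DescribeRegions", "DescribeInstanceTypes"}
NETWORK_CALLS = {"CreateVpc", "CreateInternetGateway"}
# Hypothetical watchlist: the report mentions a distinctive user agent, but this page does not give it.
SUSPECT_USER_AGENTS = {"PLACEHOLDER-SUSPECT-UA"}
ALERT_THRESHOLD = 4  # assumption: chosen so that no single weak signal alerts on its own

# Constructed CloudTrail-style events (a subset of the real schema's fields); not real telemetry.
ATTACKER = "arn:aws:iam::111111111111:user/leaked-ci-key"
ADMIN = "arn:aws:iam::111111111111:role/infra-admin"
SAMPLE_EVENTS = [
    {"eventName": "DescribeRegions", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x"},
    {"eventName": "DescribeInstanceTypes", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x"},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x",
     "requestParameters": {"groupName": "ec2group"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x",
     "requestParameters": {"groupName": "ec2group1"}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x",
     "requestParameters": {"groupName": "ec2group2"}},
    {"eventName": "CreateVpc", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x"},
    {"eventName": "CreateInternetGateway", "userIdentity": {"arn": ATTACKER}, "userAgent": "aws-cli/x"},
    # Benign admin activity: one sensibly named group, followed by the ingress rule an operator would add.
    {"eventName": "DescribeRegions", "userIdentity": {"arn": ADMIN}, "userAgent": "console.amazonaws.com"},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"arn": ADMIN}, "userAgent": "console.amazonaws.com",
     "requestParameters": {"groupName": "web-tier-sg"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": ADMIN},
     "userAgent": "console.amazonaws.com"},
]


def group_by_identity(events):
    """Bucket events by the calling identity's ARN so each identity is scored on its own behaviour."""
    buckets = defaultdict(list)
    for event in events:
        buckets[event["userIdentity"]["arn"]].append(event)
    return buckets


def score_events(events):
    """Correlate weak indicators for one identity. Returns (score, list of reasons)."""
    names = [e["eventName"] for e in events]
    score, reasons = 0, []

    if RECON_CALLS & set(names):
        score += 1
        reasons.append("reconnaissance: DescribeRegions/DescribeInstanceTypes")

    sg_names = [e.get("requestParameters", {}).get("groupName", "")
                for e in events if e["eventName"] == "CreateSecurityGroup"]
    matching = [n for n in sg_names if SG_NAME_PATTERN.match(n)]
    if matching:
        score += 2  # the naming convention is the strongest single signal, so it weighs more
        reasons.append(f"security group naming pattern: {matching}")
    if len(sg_names) >= 3:
        score += 1
        reasons.append(f"{len(sg_names)} security groups created in one batch")

    if NETWORK_CALLS & set(names):
        score += 1
        reasons.append("network provisioning: CreateVpc/CreateInternetGateway")

    # Groups created but never opened for inbound access: the gap the researchers noted.
    if sg_names and "AuthorizeSecurityGroupIngress" not in names:
        score += 1
        reasons.append("security groups created without AuthorizeSecurityGroupIngress")

    if any(e.get("userAgent") in SUSPECT_USER_AGENTS for e in events):
        score += 1
        reasons.append("watchlisted user agent")

    return score, reasons


def find_suspects(events, threshold=ALERT_THRESHOLD):
    """Return {arn: (score, reasons)} for identities whose correlated score reaches the threshold."""
    results = {arn: score_events(evs) for arn, evs in group_by_identity(events).items()}
    return {arn: result for arn, result in results.items() if result[0] >= threshold}


if __name__ == "__main__":
    for arn, (score, reasons) in find_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT {arn} score={score}")
        for reason in reasons:
            print(f"  - {reason}")
```

The admin identity also triggers the reconnaissance signal, but on its own that is worth one point, well under the threshold; only the identity whose events line up across several of the described behaviours is reported. In production the same function would be run over a sliding time window per identity rather than a static batch, and the weights and threshold would be calibrated against the organization’s own baseline of legitimate provisioning activity.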

To reduce the risks connected with EC2 Grouper and related attacks, organizations are urged to employ a number of security measures.

These include applying the concept of least privilege to all roles allocated to users and instances, using Cloud Security Posture Management (CSPM) tools to continually monitor and analyze the security of cloud environments, and putting anomaly detection techniques into practice to spot odd activity.

The identification and examination of organizations like EC2 Grouper highlights the significance of sophisticated detection systems and strong security procedures in protecting digital assets and private data, as cloud environments continue to be top targets for skilled threat actors.
