Source |
RiskIQ |
Identifier |
8631809 |
Publication date |
2024-12-30 21:53:26 (viewed: 2024-12-30 22:08:20) |
Title |
Catching "EC2 Grouper" no indicators required! |
Text |
## Snapshot
The threat actor known as "EC2 Grouper" has been identified as a prolific entity in cloud-based attacks, particularly within AWS environments. EC2 Grouper is recognized for their consistent use of AWS tools for PowerShell, as indicated by their user agent strings, and a distinct security group naming convention that appends a sequential combination of numbers to "ec2group."
## Description
Their attacks often involve the CreateSecurityGroup API to facilitate remote access and lateral movement. The group's activities appear to be automated, with API calls that inventory EC2 instance types and retrieve information about available regions. Additionally, the group gathers details on VPCs, security groups, account attributes, service quotas, and existing EC2 instances. They also attempt to launch new EC2 instances using the security groups they create. The primary method of initial infiltration for EC2 Grouper is believed to be through compromised cloud access keys that are mistakenly committed to public code repositories.
Once these credentials are obtained, EC2 Grouper launches their attacks, which are often accompanied by attacks from other threat actors. Despite the automation and the use of specific APIs, there has been no observed manual activity or actions based on objectives in compromised cloud environments, suggesting that the accounts may have been detected and quarantined before further escalation. The general objective of EC2 Grouper is suspected to be resource hijacking, although the specific end goals remain unconfirmed. Detection strategies include looking for legitimate secret scanning services and correlating various signals to reduce false positives.
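The signals above (AWS Tools for PowerShell user agent, "ec2group" plus digits as the security group name, inventory calls, instance launches) lend themselves to the per-access-key correlation the write-up recommends for cutting false positives. The sketch below is an added example, not code from the Fortinet or Microsoft write-up; the CloudTrail field layout, the `AWSPowerShell` user-agent marker and the sample events are assumptions and constructed data.

```python
import re
from collections import defaultdict

# Signals described for EC2 Grouper; field names assume the CloudTrail record layout.
SG_NAME_RE = re.compile(r"^ec2group\d+$")
POWERSHELL_UA = "AWSPowerShell"  # assumed user-agent marker of AWS Tools for PowerShell
INVENTORY_CALLS = {"DescribeInstanceTypes", "DescribeRegions", "DescribeVpcs",
                   "DescribeSecurityGroups", "DescribeAccountAttributes",
                   "GetServiceQuota", "DescribeInstances"}

def signals_for(event):
    """Return the set of EC2 Grouper-style signals present in one CloudTrail event."""
    found = set()
    ua = event.get("userAgent", "")
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    if POWERSHELL_UA in ua:
        found.add("powershell_ua")
    if name == "CreateSecurityGroup" and SG_NAME_RE.match(params.get("groupName", "")):
        found.add("ec2group_name")
    if name in INVENTORY_CALLS:
        found.add("inventory_call")
    if name == "RunInstances":
        found.add("run_instances")
    return found

def score_keys(events, min_signals=3):
    """Correlate signals per access key; flag keys that trip at least min_signals distinct ones."""
    per_key = defaultdict(set)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        per_key[key] |= signals_for(ev)
    return {k: sorted(s) for k, s in per_key.items() if len(s) >= min_signals}

# Constructed sample events (placeholder key ids, not real telemetry).
SAMPLE_EVENTS = [
    {"userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "eventName": "DescribeRegions",
     "userAgent": "AWSPowerShell/4.1.0 .NET_Runtime/6.0", "requestParameters": {}},
    {"userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "eventName": "CreateSecurityGroup",
     "userAgent": "AWSPowerShell/4.1.0 .NET_Runtime/6.0",
     "requestParameters": {"groupName": "ec2group12345", "groupDescription": "x"}},
    {"userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "eventName": "RunInstances",
     "userAgent": "AWSPowerShell/4.1.0 .NET_Runtime/6.0", "requestParameters": {}},
    # Benign admin using PowerShell for one inventory call: two signals only, not flagged.
    {"userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}, "eventName": "DescribeInstances",
     "userAgent": "AWSPowerShell/4.1.0 .NET_Runtime/6.0", "requestParameters": {}},
]

if __name__ == "__main__":
    print(score_keys(SAMPLE_EVENTS))
```

Tune `min_signals` and the inventory call list against your own baseline; a single PowerShell Describe call is routine admin traffic, which is why one signal alone never flags a key here.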
## References
[Catching "EC2 Grouper" - no indicators required](https://www.fortinet.com/blog/threat-research/catching-ec2-grouper-no-indicators-required). Fortinet (accessed 2024-12-30)
## Copyright
**© Microsoft 2024**. All rights reserved. Reproduction or distribution of the content of this site, or any part thereof, without written permission of Microsoft is prohibited.
|
Notes |
★★★
|
Sent |
Yes |
Tags |
Tool
Threat
Cloud
|