FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits
Researchers at FortiGuard Labs have identified a prolific attacker group known as “EC2 Grouper” who frequently exploits compromised credentials using AWS tools.
SUMMARY
EC2 Grouper Identified: Researchers found EC2 Grouper exploiting AWS credentials and tools using distinct patterns like “ec2group12345.”
Credential Compromise: They primarily obtain credentials from code repositories tied to valid accounts.
API Reliance: The group avoids manual activity, using APIs for reconnaissance and resource creation.
Detection Challenges: Indicators like naming conventions and user agents are unreliable for consistent detection.
Security Recommendations: Use CSPM tools, monitor for credential misuse, and detect unusual API activity to mitigate risks.
Cloud environments are constantly under attack, with sophisticated threat actors employing various techniques to gain unauthorized access. One such actor, dubbed EC2 Grouper, has become a notable adversary for security teams.
According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of AWS tools and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions.
The latest revelation comes amid increasing exploitation of AWS infrastructure by top hacker groups. In December 2024, reports revealed that ShinyHunters and the Nemesis Group collaborated to target misconfigured servers, particularly AWS S3 Buckets.
EC2 Grouper typically initiates attacks using AWS tools such as PowerShell, often with a distinctive user agent string. The group also consistently creates security groups with names following the pattern “ec2group,” “ec2group1,” “ec2group12,” and so on. The credentials used in these cloud attacks are frequently harvested from code repositories and belong to valid accounts; researchers believe this is the group’s primary method of credential acquisition.
Further probing revealed that EC2 Grouper relies on API calls for reconnaissance, security group creation, and resource provisioning, and avoids follow-on actions such as configuring inbound access.
While these indicators can provide initial clues, they are often insufficient for reliable threat detection, researcher Chris Hall noted in the blog post, shared with hackread.com. That’s because relying solely on these indicators can be misleading. Attackers can easily modify their user agents and may deviate from their usual naming conventions.
Researchers did not observe calls to AuthorizeSecurityGroupIngress, which is required to configure inbound access to EC2 instances launched with the security group, but they did observe CreateInternetGateway and CreateVpc calls, which are used to set up remote access.
Moreover, no actions on objectives or manual activity were observed in any compromised cloud environment. EC2 Grouper may be selective about which accounts it escalates, or the compromised accounts may have been detected and quarantined before escalation could occur.
Screenshot: FortiGuard Labs
Still, researchers note that by analysing signals like credential compromise and API usage, security teams can develop a reliable detection strategy and help organizations defend against sophisticated adversaries like EC2 Grouper. They suggest that a more effective approach would be monitoring for suspicious activity related to legitimate secret scanning services to identify potential credential compromises, which are the primary source of access for EC2 Grouper.
To stay safe, organizations should also use Cloud Security Posture Management (CSPM) tools to continuously monitor and assess their cloud environment’s security posture. Implementing anomaly detection to identify unusual behaviour within the cloud environment, such as unexpected API calls, resource creation, or data exfiltration, can also help.
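The indicators described above (the “ec2group” naming convention, the CreateSecurityGroup / CreateVpc / CreateInternetGateway sequence with no AuthorizeSecurityGroupIngress) can be combined exactly as the researchers suggest: score each access key on several weak signals rather than any one of them. The following is an added example written for this article, not code from FortiGuard Labs or hackread.com. It runs over CloudTrail-shaped records that are constructed here; the access key IDs and user agent strings are placeholders, since the article does not publish the real user agent.

```python
"""Detection logic for the EC2 Grouper pattern reported by FortiGuard Labs.

Events mirror CloudTrail fields (eventName, userAgent, userIdentity.accessKeyId,
requestParameters) but every record below is CONSTRUCTED for this example; the
user agent strings and access key IDs are placeholders, not real indicators.
"""
import re
from collections import defaultdict

# Security group naming convention described in the report: "ec2group",
# "ec2group1", "ec2group12", ... (a weak indicator on its own).
EC2GROUP_NAME = re.compile(r"^ec2group\d*$")

# Provisioning calls the report says were observed together, without the
# AuthorizeSecurityGroupIngress call that normally follows CreateSecurityGroup.
PROVISIONING_CALLS = {"CreateSecurityGroup", "CreateVpc", "CreateInternetGateway"}


def is_ec2group_name(name: str) -> bool:
    """True when a security group name matches the ec2group<digits> pattern."""
    return bool(EC2GROUP_NAME.match(name or ""))


def summarise_by_key(events):
    """Aggregate weak signals per access key (the unit a leaked credential maps to)."""
    summary = defaultdict(lambda: {
        "events": 0,
        "ec2group_names": [],
        "provisioning": set(),
        "ingress_authorized": False,
        "user_agents": set(),
    })
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        s = summary[key]
        s["events"] += 1
        s["user_agents"].add(ev.get("userAgent", ""))
        name = ev.get("eventName", "")
        if name in PROVISIONING_CALLS:
            s["provisioning"].add(name)
        if name == "CreateSecurityGroup":
            group_name = ev.get("requestParameters", {}).get("groupName", "")
            if is_ec2group_name(group_name):
                s["ec2group_names"].append(group_name)
        if name == "AuthorizeSecurityGroupIngress":
            s["ingress_authorized"] = True
    return summary


def detect(events):
    """Return {accessKeyId: finding} for keys whose behaviour matches the pattern.

    Two independent signals are combined so that a renamed group or a changed
    user agent alone does not defeat the rule; confidence counts how many fired.
    """
    findings = {}
    for key, s in summarise_by_key(events).items():
        signals = []
        if s["ec2group_names"]:
            signals.append("ec2group-style security group names: %s"
                           % sorted(set(s["ec2group_names"])))
        if PROVISIONING_CALLS <= s["provisioning"] and not s["ingress_authorized"]:
            signals.append("security group, VPC and internet gateway created "
                           "with no AuthorizeSecurityGroupIngress")
        if signals:
            findings[key] = {
                "confidence": len(signals),
                "signals": signals,
                "user_agents": sorted(s["user_agents"]),  # context for the analyst
            }
    return findings


def _ev(key, ua, name, **params):
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    return {"eventName": name, "userAgent": ua,
            "userIdentity": {"accessKeyId": key}, "requestParameters": params}


# Constructed sample: key 0001 behaves like the reported pattern, key 0002 is a
# normal admin who opens inbound access after creating a group.
CONSTRUCTED_EVENTS = [
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "DescribeRegions"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "DescribeInstances"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "CreateSecurityGroup", groupName="ec2group"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "CreateSecurityGroup", groupName="ec2group1"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "CreateVpc", cidrBlock="10.0.0.0/16"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "CreateInternetGateway"),
    _ev("AKIAEXAMPLEKEY0001", "constructed-powershell-ua", "RunInstances"),
    _ev("AKIAEXAMPLEKEY0002", "aws-cli/2.0-constructed", "CreateSecurityGroup", groupName="web-prod-sg"),
    _ev("AKIAEXAMPLEKEY0002", "aws-cli/2.0-constructed", "AuthorizeSecurityGroupIngress", groupId="sg-constructed"),
    _ev("AKIAEXAMPLEKEY0002", "aws-cli/2.0-constructed", "RunInstances"),
]

if __name__ == "__main__":
    for key, finding in detect(CONSTRUCTED_EVENTS).items():
        print(key, finding["confidence"], finding["signals"])
```

Keying on the access key rather than the user agent follows the article’s point that user agents are easy to change while a leaked credential is what the attacker actually holds; the user agent list is kept only as analyst context. Against the constructed sample, only the first key is flagged, with both signals firing, while the admin key that calls AuthorizeSecurityGroupIngress after creating a normally named group is not.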