A threat actor tracked as EC2 Grouper has been using compromised AWS credentials and standard AWS tooling to attack cloud environments. According to Fortinet researchers, the group has been observed in numerous customer environments over the past few years, making it one of the most persistent cloud-focused adversaries they track. Its tradecraft is consistent: API calls are made through AWS tooling, specifically the AWS Tools for PowerShell module, which leaves a recognizable user agent string in CloudTrail, and the security groups it creates follow a distinctive naming convention such as "ec2group," "ec2group1," and further incrementally numbered variants.
EC2 Grouper primarily obtains valid credentials that were committed to code repositories belonging to legitimate accounts. These credentials are then used to call AWS APIs for reconnaissance and resource management. Commonly observed calls include DescribeInstanceTypes, to inventory the EC2 instance types available, and DescribeRegions, to enumerate the regions the account can use. Notably, the group has not been observed calling AuthorizeSecurityGroupIngress, the usual way to open inbound access to EC2 instances. Instead, its activity centers on calls such as CreateVpc and CreateInternetGateway, which stand up the network infrastructure that would later provide remote access into the compromised environment.
While the group's end objectives remain unclear, the researchers consider resource hijacking, such as using the victim's compute for cryptomining, the most probable motive. Despite the persistent activity, no hands-on-keyboard actions or other post-compromise behavior have been observed in the affected environments. That matters for defenders: with no later-stage behavior to key on, and with user agents and security group names both under the actor's control and easy to change, detection has to rest on the combination of signals (the credential's origin, the reconnaissance calls, and the network-provisioning calls that follow) rather than on any single static indicator.
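The correlation described above can be expressed as a small detection over CloudTrail records. The following is an added example written for this page, not Fortinet's tooling or any code from the original article: it groups events by access key and only raises a finding when several independent indicators line up (the two reconnaissance calls, the VPC and internet gateway creation, an "ec2group"-style security group name, and the PowerShell user agent), so that a lone administrator using AWS Tools for PowerShell is not flagged. The CloudTrail-style events are constructed, the user agent substring "AWSPowerShell" and the alert threshold of three signals are assumptions, and the field names are the subset of the CloudTrail record format that the check reads.

```python
"""Correlate CloudTrail events into EC2 Grouper-style findings per access key.

Added example for this page; not code from the article or from Fortinet.
Sample events are constructed; the user agent marker and threshold are assumed.
"""
import re
from collections import defaultdict

# Indicators described in the article.
SG_NAME_RE = re.compile(r"^ec2group\d*$")       # ec2group, ec2group1, ec2group2, ...
POWERSHELL_UA_MARK = "AWSPowerShell"             # assumed substring of the AWS Tools for PowerShell user agent
RECON_CALLS = {"DescribeInstanceTypes", "DescribeRegions"}
REMOTE_ACCESS_CALLS = {"CreateVpc", "CreateInternetGateway"}
MIN_SIGNALS = 3                                  # assumed threshold: one indicator alone never alerts

# Constructed CloudTrail-style records (only the fields this check reads).
_PS_UA = "AWSPowerShell/4.1.600.0 .NET_Core/8.0"
SAMPLE_EVENTS = [
    # AKIAEXAMPLE1: the full sequence from one leaked key
    {"eventName": "DescribeRegions", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "userAgent": _PS_UA, "requestParameters": {}},
    {"eventName": "DescribeInstanceTypes", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "userAgent": _PS_UA, "requestParameters": {}},
    {"eventName": "CreateVpc", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "userAgent": _PS_UA, "requestParameters": {"cidrBlock": "10.0.0.0/16"}},
    {"eventName": "CreateInternetGateway", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "userAgent": _PS_UA, "requestParameters": {}},
    {"eventName": "CreateSecurityGroup", "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "userAgent": _PS_UA, "requestParameters": {"groupName": "ec2group1"}},
    # AKIAEXAMPLE2: an administrator who legitimately works from AWS Tools for PowerShell
    {"eventName": "CreateSecurityGroup", "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "userAgent": _PS_UA, "requestParameters": {"groupName": "web-prod"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "userAgent": _PS_UA, "requestParameters": {"groupId": "sg-0123"}},
    # AKIAEXAMPLE3: infrastructure tooling creating a VPC, no recon, no gateway
    {"eventName": "CreateVpc", "userIdentity": {"accessKeyId": "AKIAEXAMPLE3"},
     "userAgent": "aws-cli/2.15.0 Python/3.11", "requestParameters": {"cidrBlock": "10.1.0.0/16"}},
]


def score_events(events):
    """Group events by access key; return {accessKeyId: {"signals": [...], "score": n}}
    for every key that trips at least MIN_SIGNALS independent indicators."""
    per_key = defaultdict(lambda: {"calls": set(), "powershell": False, "sg_names": []})
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        rec = per_key[key]
        name = ev.get("eventName", "")
        rec["calls"].add(name)
        if POWERSHELL_UA_MARK in ev.get("userAgent", ""):
            rec["powershell"] = True
        if name == "CreateSecurityGroup":
            group = ev.get("requestParameters", {}).get("groupName", "")
            if SG_NAME_RE.match(group):
                rec["sg_names"].append(group)

    findings = {}
    for key, rec in per_key.items():
        signals = []
        if RECON_CALLS <= rec["calls"]:               # both recon calls seen from this key
            signals.append("recon:DescribeInstanceTypes+DescribeRegions")
        if REMOTE_ACCESS_CALLS <= rec["calls"]:       # VPC plus internet gateway provisioned
            signals.append("network:CreateVpc+CreateInternetGateway")
        if rec["sg_names"]:                           # ec2group-style security group names
            signals.append("sg-name:" + ",".join(rec["sg_names"]))
        if rec["powershell"]:                         # AWS Tools for PowerShell user agent
            signals.append("ua:AWSPowerShell")
        if len(signals) >= MIN_SIGNALS:
            findings[key] = {"signals": signals, "score": len(signals)}
    return findings


if __name__ == "__main__":
    for key, finding in score_events(SAMPLE_EVENTS).items():
        print(f"{key}: score={finding['score']} signals={finding['signals']}")
```

On the constructed sample only AKIAEXAMPLE1 is reported (all four signals). AKIAEXAMPLE2 carries the PowerShell user agent but nothing else, so it stays silent, which is the point of correlating rather than alerting on the user agent or the group name by itself. In a real deployment the grouping key should be the access key rather than the IAM principal, because a leaked key and its legitimate owner can be active at the same time.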
To defend against EC2 Grouper and similar cloud-focused threats, organizations are advised to adopt a multi-layered security strategy. This includes deploying Cloud Security Posture Management (CSPM) tools for continuous monitoring, implementing anomaly detection systems to identify unusual patterns, and enforcing the principle of least privilege across all roles and permissions. As cloud environments continue to be a prime target for cybercriminals, robust security measures and proactive monitoring remain essential in mitigating advanced threats like EC2 Grouper.