EC2 Grouper Hackers Exploiting Compromised Credentials with AWS Tools

Cloud security researchers have recently brought to light concerning trends in identity compromises within Amazon Web Services (AWS) environments. One of the most noteworthy threat actors in this space is a group known as “EC2 Grouper,” with a reputation for exploiting compromised credentials to execute advanced attacks using AWS tools. Their activities have spanned multiple customer environments over the past few years, solidifying their status as a persistent threat to cloud infrastructures.

The tactics and techniques employed by EC2 Grouper shed light on the sophisticated nature of their attacks. Leveraging AWS PowerShell tools, they automate their malicious activities, with their user agent serving as a critical early indicator of their operations. While their user agent was initially consistent, recent developments have seen the inclusion of unusual hash characters, potentially indicating efforts to evade traditional detection methods. Additionally, the group adopts specific naming conventions, such as creating security groups labeled “ec2group” followed by sequential numbers, facilitating lateral movement and potential resource hijacking.

To gather intelligence about cloud environments, EC2 Grouper utilizes various APIs, including DescribeInstanceTypes, DescribeRegions, DescribeVpcs, DescribeSecurityGroups, DescribeInstances, and RunInstances. Interestingly, the group selectively avoids configuring inbound access using the AuthorizeSecurityGroupIngress API, opting instead for creating remote access pathways using APIs like CreateInternetGateway and CreateVpc. These tactics, combined with compromised AWS credentials often sourced from publicly accessible code repositories like GitHub, form the foundation of their attacks.

Reports from Fortinet highlight that public repositories have been a common source of compromised credentials for EC2 Grouper. Detecting their illicit activities requires a multifaceted approach, combining several signals to attribute their actions reliably. Defensive strategies include using secret scanning services such as GitGuardian and GitHub's secret scanning to identify exposed credentials, correlating multiple signals into composite alerts, and implementing anomaly detection to flag suspicious cloud usage patterns.
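As an added illustration of the composite-alert approach (not code from Fortinet or from the article), the script below groups CloudTrail-style events by access key and scores each key on the signals described above: the AWS PowerShell user agent, a burst of EC2 discovery calls, an "ec2group" plus number security group name, and VPC/internet gateway creation with no AuthorizeSecurityGroupIngress call. The events, user-agent string and access-key IDs are constructed for the example.

```python
"""Composite alerting over CloudTrail-style events; added example, sample data constructed."""
import re
from collections import defaultdict

RECON_APIS = {"DescribeInstanceTypes", "DescribeRegions", "DescribeVpcs",
              "DescribeSecurityGroups", "DescribeInstances"}
PATHWAY_APIS = {"CreateVpc", "CreateInternetGateway"}
SG_NAME = re.compile(r"^ec2group\d+$")  # "ec2group" + sequential number

def score_events(events):
    """Return {accessKeyId: (score, [reasons])}, one reason per independent signal."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    results = {}
    for key, evs in by_key.items():
        names = {e["eventName"] for e in evs}
        reasons = []
        if any("AWSPowerShell" in e.get("userAgent", "") for e in evs):
            reasons.append("aws_powershell_user_agent")
        if len(RECON_APIS & names) >= 3:  # burst of EC2 discovery calls
            reasons.append("ec2_recon_burst")
        if any(SG_NAME.match(e.get("requestParameters", {}).get("groupName", ""))
               for e in evs if e["eventName"] == "CreateSecurityGroup"):
            reasons.append("ec2group_naming")
        if PATHWAY_APIS & names and "AuthorizeSecurityGroupIngress" not in names:
            reasons.append("pathway_without_ingress_rule")  # no inbound rule configured
        if "RunInstances" in names:
            reasons.append("run_instances")
        results[key] = (len(reasons), reasons)
    return results

def composite_alerts(events, threshold=3):
    # Only keys that trip several independent signals are raised, to limit false positives.
    return sorted(k for k, (s, _) in score_events(events).items() if s >= threshold)

def _ev(key, name, ua, **params):
    return {"userIdentity": {"accessKeyId": key}, "eventName": name,
            "userAgent": ua, "requestParameters": params}

PS = "AWSPowerShell.Common/4.1.0.0 (constructed user agent)"
SAMPLE = [  # constructed: one suspicious key, one ordinary console user
    _ev("AKIAEXAMPLE0001", "DescribeRegions", PS),
    _ev("AKIAEXAMPLE0001", "DescribeVpcs", PS),
    _ev("AKIAEXAMPLE0001", "DescribeInstanceTypes", PS),
    _ev("AKIAEXAMPLE0001", "CreateVpc", PS),
    _ev("AKIAEXAMPLE0001", "CreateInternetGateway", PS),
    _ev("AKIAEXAMPLE0001", "CreateSecurityGroup", PS, groupName="ec2group1"),
    _ev("AKIAEXAMPLE0001", "RunInstances", PS),
    _ev("AKIAEXAMPLE0002", "CreateVpc", "console.amazonaws.com"),
    _ev("AKIAEXAMPLE0002", "AuthorizeSecurityGroupIngress", "console.amazonaws.com"),
]
```

Running `composite_alerts(SAMPLE)` returns only the first key; the console user also created a VPC but configured an ingress rule and trips none of the other signals.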

The emergence of threat actors like EC2 Grouper underscores the importance of robust cloud security practices for organizations. While detecting malicious use of compromised credentials presents challenges, advanced detection mechanisms and tools like Lacework FortiCNAPP offer comprehensive protection. It is crucial for organizations to prioritize proactive monitoring, maintain proper credential hygiene, and employ anomaly detection methods to safeguard their cloud environments effectively.

In conclusion, as attackers continue to refine their techniques, organizations must remain vigilant by implementing best practices in cloud security. By staying informed about emerging threats and investing in the right security tools and strategies, businesses can fortify their defenses against sophisticated threat actors like EC2 Grouper in the ever-evolving landscape of cloud security.
