EC2 Grouper Targets AWS Environments with Undetermined Attack Objective
The threat group tracked as "EC2 Grouper" has been observed in numerous cloud-based attacks, affecting "several dozen customer environments," as reported by Fortinet. This attacker’s activities are characterized by automated exploits targeting AWS cloud services, leveraging API calls to create new security groups, conduct reconnaissance, and modify configurations. Fortinet's analysis emphasizes the critical need for customers to securely manage their keys, as the most likely attack vector exploited by the attackers is the capture of exposed keys in public repositories. "Developers often mistakenly commit cloud access keys to public repositories. Once this occurs, the clock starts ticking until the credentials fall into the hands of attackers, are discovered by secret scanners, or both," said Fortinet researcher Chris Hall.
Key attack techniques of EC2 Grouper include leveraging PowerShell tools for AWS, as indicated by a "consistent" user agent string containing "AWSPowerShell.Common." Updated user agents have incorporated the character "#", a possible attempt to evade detection patterns. Notable API calls executed by the group include the creation of security groups with the "CreateSecurityGroup" command. These groups follow a specific naming convention, such as "ec2group" with numbers appended (e.g., "ec2group12345"). Interestingly, Fortinet notes that it "never observed calls to 'AuthorizeSecurityGroupIngress,' which is ultimately required to configure inbound access to any EC2 launched with the security group." Instead, EC2 Grouper focuses on other critical activities, such as launching EC2 instances with "RunInstances," configuring virtual private clouds with "CreateVpc," and enabling external access with "CreateInternetGateway." Reconnaissance commands like "DescribeVpcs," "DescribeSecurityGroups," and "DescribeAccountAttributes" are also executed to inventory cloud resources.
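The indicators above can be turned into a simple CloudTrail detection. The following is an added example, not code from Fortinet or the original article; the events are constructed samples with fabricated access key IDs, and the choice to strip "#" from the user agent before matching is an assumption about how the reported evasion variant should be handled.

```python
import re
from collections import defaultdict

# Constructed sample CloudTrail events (not real log data), trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventName": "DescribeAccountAttributes", "requestParameters": {},
     "userAgent": "AWSPowerShell.Common/4.1.0.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "CreateSecurityGroup", "requestParameters": {"groupName": "ec2group12345"},
     "userAgent": "AWS#PowerShell.Common/4.1.0.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "RunInstances", "requestParameters": {},
     "userAgent": "AWSPowerShell.Common/4.1.0.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventName": "CreateSecurityGroup", "requestParameters": {"groupName": "web-tier-sg"},
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "requestParameters": {"groupId": "sg-0example"},
     "userAgent": "aws-cli/2.15.0", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
]

POWERSHELL_UA = "AWSPowerShell.Common"
GROUP_NAME_RE = re.compile(r"^ec2group\d+$")  # "ec2group" followed by digits, per the reporting
FOLLOW_ON_CALLS = {"RunInstances", "CreateVpc", "CreateInternetGateway"}
RECON_CALLS = {"DescribeVpcs", "DescribeSecurityGroups", "DescribeAccountAttributes"}

def find_ec2_grouper_activity(events):
    """Group events by access key and return the keys whose activity matches the reported pattern."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    findings = {}
    for key, evs in by_key.items():
        names = {ev["eventName"] for ev in evs}
        # Trigger: CreateSecurityGroup named "ec2group<digits>" sent with the PowerShell user agent.
        # "#" is removed before matching (assumption) so the reported evasion variant still matches.
        trigger = any(
            ev["eventName"] == "CreateSecurityGroup"
            and POWERSHELL_UA in ev["userAgent"].replace("#", "")
            and GROUP_NAME_RE.match(ev["requestParameters"].get("groupName", ""))
            for ev in evs)
        if not trigger:
            continue
        findings[key] = {
            "follow_on": sorted(names & FOLLOW_ON_CALLS),
            "recon": sorted(names & RECON_CALLS),
            # Reported as never observed, so its presence would be a deviation worth noting.
            "ingress_authorized": "AuthorizeSecurityGroupIngress" in names,
        }
    return findings

if __name__ == "__main__":
    for key, finding in find_ec2_grouper_activity(SAMPLE_EVENTS).items():
        print(key, finding)
```

In practice the events would come from a CloudTrail S3 export or Athena query rather than an inline list, and the finding should be joined with where the flagged access key was issued.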
The objectives of EC2 Grouper’s campaigns remain unclear. Fortinet's analysis reinforces the need for strict monitoring of cloud assets, particularly exposed credentials, which present unnecessary vulnerabilities for exploitation by EC2 Grouper and similar attackers.