ec2 Grouper

Cloud environments are constantly under attack, with sophisticated threat actors employing various techniques to gain unauthorized access. One such actor, called EC2 Grouper, has become a notable adversary for security teams.

According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of AWS tools and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions.[1]

The latest revelation comes amid increasing exploitation of AWS infrastructure by top hacker groups. In December 2024, reports revealed that ShinyHunters and the Nemesis Group collaborated to target misconfigured servers, particularly AWS S3 Buckets.[2]

EC2 Grouper typically initiates attacks by leveraging AWS tools like PowerShell, often employing a distinctive user agent string. Furthermore, the group consistently creates security groups with naming patterns like “ec2group,” “ec2group1,” “ec2group12,” and so on. Also, they frequently use code repositories to acquire credentials in their cloud attacks, often originating from valid accounts. This method is believed to be the primary method of credential acquisition.

Further probing revealed that Grouper uses APIs for reconnaissance, security group creation, and resource provisioning, avoiding direct actions like inbound access configuration.

While these indicators can provide initial clues, they are often insufficient for reliable threat detection, researcher Chris Hall noted in the blog post, shared with hackread.com. That’s because relying solely on these indicators can be misleading. Attackers can easily modify their user agents and may deviate from their usual naming conventions.

Researchers did not observe calls to AuthorizeSecurityGroupIngress, which is essential to configure inbound access to EC2 launched with the security group, but they observed CreateInternetGateway and CreateVpc for remote access.

Moreover, no actions have been based on objectives or manual activity in a compromised cloud environment. EC2 Grouper may be selective in their escalation or compromised accounts were detected and quarantined before they escalated.

Screenshot: FortiGuard Labs

Still, researchers note that by analyzing signals like credential compromise and API usage, security teams can develop a reliable detection strategy and help organizations defend against sophisticated adversaries like EC2 Grouper. They suggest that a more effective approach would be monitoring for suspicious activity related to legitimate secret scanning services to identify potential credential compromises, which are the primary source of access for EC2 Grouper.

To stay safe, organizations must also utilize Cloud Security Posture Management (CSPM) tools to monitor and assess your cloud environment’s security posture continuously. Implementing anomaly detection techniques to identify unusual behavior within the cloud environment, such as unexpected API calls, resource creation, or data exfiltration can also help.

This article is shared at no charge for educational and informational purposes only.

Of note: Researcher Chris Hall was a founding member of Red Sky Alliance. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. Red Sky provides indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings: