
Volume 322, Issue 1 · IT Vendor News · Fortinet

Catching 'EC2 Grouper' - No Indicators Required!

Fortinet News, Monday, December 30th, 2024

Over years of analyzing identity compromises in the cloud, we've seen the same attackers pop up regularly, some more frequently than others.

Among the more prolific ones we've come to know is one we've dubbed 'EC2 Grouper'. Over the past couple of years, we've seen this actor in several dozen customer environments, making it one of the more active groups we've tracked. This usual suspect is recognizable by its habit of using similar user agents and the same security group naming convention across its attacks.

While indicators such as user agents and even security group names can assist in attribution and hunting, we have found them unreliable for comprehensive threat detection: an actor can change them at any time. In this post, we'll detail the tactics associated with EC2 Grouper and how Lacework FortiCNAPP can be used to detect this threat, among others. More importantly, we will show how this is achieved without relying on actor-specific indicators, which are transient by nature.
