Hacking operation EC2 Grouper has been abusing Amazon Web Services tools to facilitate attacks using exfiltrated credentials, according to Hackread.
After harvesting credentials exposed in code repositories, EC2 Grouper uses PowerShell and other AWS tooling to gain initial access, then calls AWS APIs to perform reconnaissance and provision resources, and creates unique security groups without configuring any inbound access rules, according to a report from Fortinet's FortiGuard Labs researchers. Because no follow-on, objective-driven activity was observed in the targeted cloud environments, the researchers suggest the group is selective about which environments it pursues, which can make its activity harder to spot; security teams can improve detection by correlating cloud API activity with alerts from secret-scanning services that flag leaked credentials. Organizations have also been urged to harden their cloud environments with Cloud Security Posture Management tools and anomaly detection. The report follows the joint compromise of unsecured AWS S3 buckets by the ShinyHunters and Nemesis hacking operations.
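The behaviours described above (reconnaissance calls, resource provisioning, and security groups created without inbound rules, from a PowerShell-based client) can be expressed as a correlation rule over CloudTrail records. The following is an added illustration, not code from the FortiGuard report or from AWS: it assumes CloudTrail's documented JSON field names, treats Describe/List/Get calls as discovery, uses a constructed batch of events with the fake access keys from AWS documentation, and picks an arbitrary threshold of three discovery calls before RunInstances.

```python
"""Correlation rule for EC2 Grouper-style activity in CloudTrail (added example).

Flags an access key that, within one batch of events:
  * calls CreateSecurityGroup but never AuthorizeSecurityGroupIngress
    (a security group left with no inbound rules), and/or
  * makes several discovery calls and then RunInstances (recon, then provisioning),
  * optionally from a PowerShell user agent (secondary signal only).
"""
import json
from collections import defaultdict

# Assumptions for this example: read-only discovery calls start with these
# prefixes, and three of them before a launch is "enough" to be interesting.
RECON_PREFIXES = ("Describe", "List", "Get")
RECON_THRESHOLD = 3

# Constructed CloudTrail-style records for illustration; not real log data.
# Access key IDs are the example values used in AWS documentation.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime":"2024-11-01T10:00:01Z","eventName":"DescribeRegions",
  "userAgent":"AWSPowerShell/4.1.500","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-11-01T10:00:02Z","eventName":"DescribeAvailabilityZones",
  "userAgent":"AWSPowerShell/4.1.500","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-11-01T10:00:03Z","eventName":"DescribeInstanceTypes",
  "userAgent":"AWSPowerShell/4.1.500","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-11-01T10:00:05Z","eventName":"CreateSecurityGroup",
  "userAgent":"AWSPowerShell/4.1.500","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-11-01T10:00:06Z","eventName":"RunInstances",
  "userAgent":"AWSPowerShell/4.1.500","userIdentity":{"accessKeyId":"AKIAIOSFODNN7EXAMPLE"}},
 {"eventTime":"2024-11-01T11:00:00Z","eventName":"CreateSecurityGroup",
  "userAgent":"aws-cli/2.15.0","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}},
 {"eventTime":"2024-11-01T11:00:01Z","eventName":"AuthorizeSecurityGroupIngress",
  "userAgent":"aws-cli/2.15.0","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}},
 {"eventTime":"2024-11-01T11:00:02Z","eventName":"DescribeSecurityGroups",
  "userAgent":"aws-cli/2.15.0","userIdentity":{"accessKeyId":"AKIAI44QH8DHBEXAMPLE"}}
]""")


def detect_ec2_grouper(events):
    """Return {accessKeyId: [reasons]} for keys whose activity matches the pattern."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 Z timestamps sort lexically
        names = [e["eventName"] for e in evs]
        reasons = []

        # Security group created but no inbound rule ever authorised by this key.
        if "CreateSecurityGroup" in names and "AuthorizeSecurityGroupIngress" not in names:
            reasons.append("CreateSecurityGroup with no AuthorizeSecurityGroupIngress")

        # Count discovery calls that precede the first RunInstances.
        recon_before_launch = 0
        for name in names:
            if name == "RunInstances":
                break
            if name.startswith(RECON_PREFIXES):
                recon_before_launch += 1
        if "RunInstances" in names and recon_before_launch >= RECON_THRESHOLD:
            reasons.append(f"{recon_before_launch} discovery calls before RunInstances")

        # User agent only strengthens an existing finding; on its own it is benign.
        if reasons and any("PowerShell" in e.get("userAgent", "") for e in evs):
            reasons.append("PowerShell user agent")

        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    print(json.dumps(detect_ec2_grouper(SAMPLE_EVENTS), indent=2))
```

Run against the sample batch, only the leaked key is reported, with all three reasons, while the admin who created a group and immediately added an ingress rule is not. A security group with no inbound rules is also a legitimate default-deny pattern, so treat this as a correlation signal to join with secret-scanning alerts for the same access key and with a baseline of which principals normally provision EC2, rather than as a standalone alert.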