Through the years of analyzing identity compromises in the cloud, Fortinet researchers have seen the same attackers pop up regularly, some more frequently than others. Among the more prolific ones they’ve come to know is one they’ve dubbed “EC2 Grouper”. Over the past couple of years, they’ve seen this actor in several dozen customer environments, making them one of the more active groups we’ve tracked.
This usual suspect is attributed by their penchant for using similar user agents and the same security group naming convention in their attacks. While indicators such as user agents and even security group names can assist in attribution and hunting, Fortinet have found them unreliable for comprehensive threat detection.
Read more…
Source: Fortinet
Related:
- CISA flags data-theft bug in NSA-built OT networking tool
April 29, 2026
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information. First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed ...
- Have I Been Pwned claims Pitney Bowes hit by 8.2M email address leak
April 29, 2026
Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations. Data breach tracker Have I Been Pwned (HIBP) confirmed the breach on April 27, with 8.2 million unique email addresses included in the dump alongside names, phone ...
- Medtronic says ShinyHunters hackers stole around 9 million medical records in latest attack
April 28, 2026
Medtronic, one of the biggest medical device manufacturers in the world, has confirmed suffering a cyberattack in which crooks “accessed data in certain Medtronic corporate IT systems.” In a security notification published on its website, Medtronic said the attack does not affect its customers or products, and also stressed it will continue operating as usual, without ...
- Don’t pay Vect a ransom – your data’s likely already wiped out
April 28, 2026
Organizations hit by the wave of Trivy and Lite LLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research. That’s because the ransomware Vect uses isn’t actually ransomware at all, but a wiper that destroys any file larger than 128KB. Vect’s leak site ...
- Chinese engineer stole US military and NASA software for years
April 28, 2026
International espionage isn’t always about sophisticated malware and zero-day bugs. Sometimes it’s as simple as pretending to be someone else asking for a favor. For four years, a Chinese aerospace engineer did just that. Dozens of researchers at NASA, the US military, and major universities handed him exactly what he asked for, and possibly violated US ...
- ADT confirms cyber intrusion after ShinyHunters extortion attempt
April 27, 2026
A home security biz getting digitally burgled is not a great look – but that’s exactly where ADT finds itself. The company has confirmed a cyber intrusion following an extortion attempt by the ShinyHunters crew, which claims to have made off with more than 10 million records. US-based ADT is one of the world’s largest providers ...