Through the years of analyzing identity compromises in the cloud, Fortinet researchers have seen the same attackers pop up regularly, some more frequently than others. Among the more prolific ones they’ve come to know is one they’ve dubbed “EC2 Grouper”. Over the past couple of years, they’ve seen this actor in several dozen customer environments, making them one of the more active groups we’ve tracked.
This usual suspect is attributed by their penchant for using similar user agents and the same security group naming convention in their attacks. While indicators such as user agents and even security group names can assist in attribution and hunting, Fortinet have found them unreliable for comprehensive threat detection.
Read more…
Source: Fortinet
Related:
- Matters of Life and Death: Cyber Security and Medical Devices
February 3, 2020
Concerns about the vulnerabilities of medical devices to cyber attacks are spurring a new focus on the need to protect patient safety, data and hospital systems It’s a scenario right out of a Hollywood blockbuster. Without a word of warning, medical devices regulating everything from heartbeat to insulin levels across a hospital system begin behaving erratically ...
- Hackers are hijacking smart building access systems to launch DDoS attacks
February 2, 2020
Hackers are actively searching the internet and hijacking smart door/building access control systems, which they are using to launch DDoS attacks, according to firewall company SonicWall. The attacks are targeting Linear eMerge E3, a product of Nortek Security & Control (NSC). Linear eMerge E3 devices fall in the hardware category of “access control systems.” They are ...
- Abusing DLL Misconfigurations — Using Threat Intelligence to Weaponize R&D
January 31, 2020
Dynamic-link library (DLL) side-loading occurs when Windows Side-by-Side (WinSxS) manifests are not explicit about the characteristics of DLLs being loaded by a program. In layman’s terms, DLL side-loading can allow an attacker to trick a program into loading a malicious DLL. If you are interested in learning more about how DLL side-loading works and how we see attackers using ...
- Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan
January 31, 2020
Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. 2019-nCoV, which is believed to have originated in Wuhan, China, in the past month, has caused hundreds of deaths and thousands of confirmed cases in China alone. The virus has already spread to ...
- Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed
January 29, 2020
Between September and December 2019, Unit 42 researchers periodically scanned and collected metadata from Docker hosts exposed to the internet (largely due to inadvertent user errors) and this research reveals some of the tactics and techniques used by attackers in the compromised Docker engines. In total, 1,400 unsecured Docker hosts, 8,673 active containers, and 17,927 ...
- A Ransomware Prescription for the Healthcare Industry
January 29, 2020
To paraphrase Mark Twain, reports of ransomware’s death have been greatly exaggerated. Ransomware attacks resumed with a vengeance last year, despite conjecture by some researchers that CPU mining would overtake ransomware as a leading threat vector. Instead, the ransomware threat is stronger than ever, impacting more than 750 healthcare providers and racking up recovery costs approaching $4 billion. Some healthcare ...