Through the years of analyzing identity compromises in the cloud, Fortinet researchers have seen the same attackers pop up regularly, some more frequently than others. Among the more prolific ones they’ve come to know is one they’ve dubbed “EC2 Grouper”. Over the past couple of years, they’ve seen this actor in several dozen customer environments, making them one of the more active groups we’ve tracked.
This usual suspect is attributed by their penchant for using similar user agents and the same security group naming convention in their attacks. While indicators such as user agents and even security group names can assist in attribution and hunting, Fortinet have found them unreliable for comprehensive threat detection.
Read more…
Source: Fortinet
Related:
- DanaBot banking Trojan jumps from Australia to Germany in quest for new targets
August 15, 2019
The DanaBot banking Trojan is on the move and has traveled across the sea in a pivot from its original focus on Australia to strike European targets. DanaBot was first discovered by Proofpoint researchers last year. The malware was observed striking Australian targets of financial value, but at the time, DanaBot appeared to come from only one threat ...
- Analysis: New Remcos RAT Arrives Via Phishing Email
August 15, 2019
In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers Remcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is ...
- Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices
August 13, 2019
Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. On July 22, 2019, we saw and started analyzing a Neko botnet sample, then observed another sample with additional exploits the following week. A Mirai variant that calls itself “Asher” surfaced on July 30, then a Bashlite ...
- How Threat Intelligence Helps the Energy Sector Fight Cyberespionage
August 13, 2019
When it comes to cyber threats, some industries have it harder than others. Few are as heavily targeted by sophisticated cyberattacks as the energy sector. Over the last decade, state-sponsored hacking groups have routinely targeted utility networks and other energy providers for the purposes of espionage and disruption. And according to the latest research, advanced persistent threat (APT) ...
- Hunting the Public Cloud for Exposed Hosts and Misconfigurations
August 12, 2019
This research explores the security landscape of the Internet-facing services hosted in Amazon AWS, Microsoft Azure and Google Cloud Platform. Public cloud is becoming increasingly popular and the reported total spending on cloud infrastructure grew 45.6% in 2018. Amazon AWS maintained its lead with a 31.3% share of the Cloud Service Provider (CSP) market, followed by Microsoft ...
- Recent Cloud Atlas activity
August 12, 2019
Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since. From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor ...