Through the years of analyzing identity compromises in the cloud, Fortinet researchers have seen the same attackers pop up regularly, some more frequently than others. Among the more prolific ones they’ve come to know is one they’ve dubbed “EC2 Grouper”. Over the past couple of years, they’ve seen this actor in several dozen customer environments, making them one of the more active groups we’ve tracked.
This usual suspect is attributed by their penchant for using similar user agents and the same security group naming convention in their attacks. While indicators such as user agents and even security group names can assist in attribution and hunting, Fortinet have found them unreliable for comprehensive threat detection.
Read more…
Source: Fortinet
Related:
- Why Cities Are a Low-Hanging Fruit For Ransomware
July 15, 2019
Ransomware attacks against local governments and cities are repeatedly making headlines, with crippling results on city operations and budgets. Last month, the Florida city of Riviera Beach paid hackers $600,000 after being hit by a ransomware attack that downed its computer systems for three weeks. In 2018, several Atlanta city systems were crippled after a ransomware attack extorted ...
- Turla APT Returns with New Malware, Anti-Censorship Angle
July 15, 2019
The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets. The Russian-speaking actors believed behind Turla named the dropper “Topinambour,” which is another word for the ...
- New Miori Variant Uses Unique Protocol to Communicate with C&C
July 10, 2019
We first detailed a new Mirai variant called Miori in a report late last year after finding the malware spreading via a ThinkPHP Remote Code Execution (RCE) vulnerability. It has recently reappeared bearing a notable difference in the way it communicates with its command-and-control (C&C) server. This Miori variant departs from the usual binary-based protocol and uses ...
- Anubis Android Malware Returns with Over 17,000 Samples
July 8, 2019
The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information ...
- ‘Twas the night before
July 4, 2019
Recently, the United States Cyber Command (USCYBERCOM Malware Alert @CNMF_VirusAlert) highlighted several VirusTotal uploads of theirs – and the executable objects relating to 2016 – 2017 NewsBeef/APT33 activity are interesting for a variety of reasons. Before continuing, it’s important to restate yet again that we defend customers, and research malware and intrusions, regardless of their source. Accordingly, subscribers to ...
- Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi
July 4, 2019
Since our last research on TA505, we have observed new activity from the group that involves campaigns targeting different countries over the last few weeks. We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea. This ...