{"id":14476,"date":"2025-01-03T02:20:37","date_gmt":"2025-01-03T02:20:37","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=14476"},"modified":"2025-01-03T02:20:37","modified_gmt":"2025-01-03T02:20:37","slug":"ec2-grouper-attack","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/","title":{"rendered":"EC2 Grouper Attack"},"content":{"rendered":"<p>What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &#8220;EC2 Grouper&#8221; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote access and lateral movement within cloud environments.\u00a0EC2 Grouper is a highly active threat actor frequently involved in cloud identity compromises, observed across numerous customer environments over the years. To learn more, see the detailed Threat Blog: Catching &#8220;EC2 Grouper&#8221;- No Indicators Required! | FortiGuard LabsWhat is the recommended Mitigation?Detecting illicit use of valid cloud credentials is challenging, as most attacks lack unique indicators. By correlating weak signals, such as environmental anomalies and API usage patterns, composite alerting enhances detection accuracy significantly. For detailed guidance and Threat report, visit Fortinet\u2019s Threat Blog | FortiGuard LabsWhat FortiGuard Coverage is available?Lacework FortiCNAPP: Cloud detection and response (CDR) addresses cloud identity compromises and uses composite alerting for enhanced detection.Lacework FortiCNAPP enhances detection efficacy and integrates CIEM to assess the impact of compromised identities.Read more about how Lacework FortiCNAPP can secure your cloud environment.<a href=\"https:\/\/fortiguard.fortinet.com\/threat-signal-report\/5611\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a>\u00a0<\/p>","protected":false},"excerpt":{"rendered":"<p>What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &#8220;EC2 Grouper&#8221; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14476","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.8 - aioseo.com -->\n\t<meta name=\"description\" content=\"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &quot;EC2 Grouper&quot; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<link rel=\"canonical\" href=\"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.8\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Sekuritas IT \u203a Creative solutions to unique challenges.\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"EC2 Grouper Attack \u203a Sekuritas IT\" \/>\n\t\t<meta property=\"og:description\" content=\"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &quot;EC2 Grouper&quot; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2025-01-03T02:20:37+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2025-01-03T02:20:37+00:00\" \/>\n\t\t<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/profile.php?id=100086973577423\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:title\" content=\"EC2 Grouper Attack \u203a Sekuritas IT\" \/>\n\t\t<meta name=\"twitter:description\" content=\"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &quot;EC2 Grouper&quot; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"BlogPosting\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#blogposting\",\"name\":\"EC2 Grouper Attack \\u203a Sekuritas IT\",\"headline\":\"EC2 Grouper Attack\",\"author\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/author\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/#organization\"},\"datePublished\":\"2025-01-03T02:20:37+00:00\",\"dateModified\":\"2025-01-03T02:20:37+00:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#webpage\"},\"articleSection\":\"Uncategorized\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sekuritasit.com\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/category\\\/uncategorized\\\/#listItem\",\"name\":\"Uncategorized\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/category\\\/uncategorized\\\/#listItem\",\"position\":2,\"name\":\"Uncategorized\",\"item\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/category\\\/uncategorized\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#listItem\",\"name\":\"EC2 Grouper Attack\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#listItem\",\"position\":3,\"name\":\"EC2 Grouper Attack\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/category\\\/uncategorized\\\/#listItem\",\"name\":\"Uncategorized\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/#organization\",\"name\":\"Sekuritas IT\",\"description\":\"Creative solutions to unique challenges.\",\"url\":\"https:\\\/\\\/sekuritasit.com\\\/\",\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/profile.php?id=100086973577423\"]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#webpage\",\"url\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/\",\"name\":\"EC2 Grouper Attack \\u203a Sekuritas IT\",\"description\":\"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed \\\"EC2 Grouper\\\" that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/2025\\\/01\\\/03\\\/ec2-grouper-attack\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/author\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/index.php\\\/author\\\/#author\"},\"datePublished\":\"2025-01-03T02:20:37+00:00\",\"dateModified\":\"2025-01-03T02:20:37+00:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/#website\",\"url\":\"https:\\\/\\\/sekuritasit.com\\\/\",\"name\":\"Sekuritas IT\",\"alternateName\":\"Sekuritas\",\"description\":\"Creative solutions to unique challenges.\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/sekuritasit.com\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"EC2 Grouper Attack \u203a Sekuritas IT","description":"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed \"EC2 Grouper\" that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote","canonical_url":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"BlogPosting","@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#blogposting","name":"EC2 Grouper Attack \u203a Sekuritas IT","headline":"EC2 Grouper Attack","author":{"@id":"https:\/\/sekuritasit.com\/index.php\/author\/#author"},"publisher":{"@id":"https:\/\/sekuritasit.com\/#organization"},"datePublished":"2025-01-03T02:20:37+00:00","dateModified":"2025-01-03T02:20:37+00:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#webpage"},"isPartOf":{"@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#webpage"},"articleSection":"Uncategorized"},{"@type":"BreadcrumbList","@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/sekuritasit.com#listItem","position":1,"name":"Home","item":"https:\/\/sekuritasit.com","nextItem":{"@type":"ListItem","@id":"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/#listItem","name":"Uncategorized"}},{"@type":"ListItem","@id":"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/#listItem","position":2,"name":"Uncategorized","item":"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/","nextItem":{"@type":"ListItem","@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#listItem","name":"EC2 Grouper Attack"},"previousItem":{"@type":"ListItem","@id":"https:\/\/sekuritasit.com#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#listItem","position":3,"name":"EC2 Grouper Attack","previousItem":{"@type":"ListItem","@id":"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/#listItem","name":"Uncategorized"}}]},{"@type":"Organization","@id":"https:\/\/sekuritasit.com\/#organization","name":"Sekuritas IT","description":"Creative solutions to unique challenges.","url":"https:\/\/sekuritasit.com\/","sameAs":["https:\/\/www.facebook.com\/profile.php?id=100086973577423"]},{"@type":"WebPage","@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#webpage","url":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/","name":"EC2 Grouper Attack \u203a Sekuritas IT","description":"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed \"EC2 Grouper\" that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/sekuritasit.com\/#website"},"breadcrumb":{"@id":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/#breadcrumblist"},"author":{"@id":"https:\/\/sekuritasit.com\/index.php\/author\/#author"},"creator":{"@id":"https:\/\/sekuritasit.com\/index.php\/author\/#author"},"datePublished":"2025-01-03T02:20:37+00:00","dateModified":"2025-01-03T02:20:37+00:00"},{"@type":"WebSite","@id":"https:\/\/sekuritasit.com\/#website","url":"https:\/\/sekuritasit.com\/","name":"Sekuritas IT","alternateName":"Sekuritas","description":"Creative solutions to unique challenges.","inLanguage":"en-US","publisher":{"@id":"https:\/\/sekuritasit.com\/#organization"}}]},"og:locale":"en_US","og:site_name":"Sekuritas IT \u203a Creative solutions to unique challenges.","og:type":"article","og:title":"EC2 Grouper Attack \u203a Sekuritas IT","og:description":"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &quot;EC2 Grouper&quot; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote","og:url":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/","article:published_time":"2025-01-03T02:20:37+00:00","article:modified_time":"2025-01-03T02:20:37+00:00","article:publisher":"https:\/\/www.facebook.com\/profile.php?id=100086973577423","twitter:card":"summary_large_image","twitter:title":"EC2 Grouper Attack \u203a Sekuritas IT","twitter:description":"What is the Attack?FortiGuard Labs Threat Team has observed recent attacks by a Threat Actor dubbed &quot;EC2 Grouper&quot; that leverages AWS tools for PowerShell to carry out cloud-based attacks. It leverages APIs to inventory EC2 types and available regions before executing further API calls iteratively. The Threat Actor is seen using techniques that enable remote"},"aioseo_meta_data":{"post_id":"14476","title":null,"description":null,"keywords":null,"keyphrases":null,"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":null,"og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":null,"robots_max_videopreview":null,"robots_max_imagepreview":"large","priority":null,"frequency":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2025-01-03 02:35:59","updated":"2025-10-15 13:14:55","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/sekuritasit.com\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/\" title=\"Uncategorized\">Uncategorized<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tEC2 Grouper Attack\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/sekuritasit.com"},{"label":"Uncategorized","link":"https:\/\/sekuritasit.com\/index.php\/category\/uncategorized\/"},{"label":"EC2 Grouper Attack","link":"https:\/\/sekuritasit.com\/index.php\/2025\/01\/03\/ec2-grouper-attack\/"}],"_links":{"self":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/14476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/comments?post=14476"}],"version-history":[{"count":1,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/14476\/revisions"}],"predecessor-version":[{"id":14479,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/posts\/14476\/revisions\/14479"}],"wp:attachment":[{"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/media?parent=14476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/categories?post=14476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sekuritasit.com\/index.php\/wp-json\/wp\/v2\/tags?post=14476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}