AWS security group with a known malicious name

ID: aws_security_group_malicious_name
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0005:T1562

Description

AlphaSOC detected the creation of an AWS EC2 security group with a name matching patterns associated with known threat actors or attack toolkits. Security groups control inbound and outbound traffic for AWS resources, and maliciously named groups may be created to obscure permissive firewall rules, facilitate lateral movement, or signal coordination with attacker-controlled infrastructure.

Impact

A maliciously named security group may be used to weaken network defenses by introducing overly permissive inbound or outbound rules under a deceptive name. This can enable remote access or data exfiltration channels, or bypass existing network controls. Security groups with attacker-associated names may also indicate that a larger compromise is underway and that the attacker is configuring infrastructure for ongoing operations.

Severity

Severity    Condition
Medium      Security group created with a known malicious name pattern

Investigation and Remediation

Review the security group's inbound and outbound rules for overly permissive entries such as 0.0.0.0/0 on sensitive ports. Examine CloudTrail to determine who created the group and which resources have been associated with it. If unauthorized, delete the security group and remove it from any associated instances. Investigate the creating identity for additional indicators of compromise and restrict IAM permissions for security group management.
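The triage steps above, as an added example that is not part of the AlphaSOC detection or its documentation: it walks CloudTrail CreateSecurityGroup and AuthorizeSecurityGroupIngress records for a flagged group name, records the creating identity, and flags world-open (0.0.0.0/0 or ::/0) ingress on sensitive ports. The events, group name, account ID, ARN and the SENSITIVE_PORTS set are constructed placeholders; the record shape follows what CloudTrail emits for these EC2 API calls.

```python
from ipaddress import ip_network

# Ports worth flagging when exposed to the whole internet (assumption: tune per environment).
SENSITIVE_PORTS = {22, 3389, 445, 1433, 3306, 5432}

# Constructed CloudTrail records (not real data) in the shape CloudTrail uses for EC2 calls.
SAMPLE_EVENTS = [
    {"eventName": "CreateSecurityGroup",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"groupName": "EXAMPLE-FLAGGED-NAME", "vpcId": "vpc-0example"},
     "responseElements": {"groupId": "sg-0example1"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
     "requestParameters": {"groupId": "sg-0example1", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
]

def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length zero)."""
    return ip_network(cidr, strict=False).prefixlen == 0

def permissive_rules(perm):
    """Yield (cidr, (from_port, to_port)) for each world-open range in one ipPermissions
    item that covers a sensitive port; protocol -1 (all traffic) covers every port."""
    cidrs = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
    cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
    lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
    if perm.get("ipProtocol") == "-1":
        lo, hi = 0, 65535
    if not any(lo <= p <= hi for p in SENSITIVE_PORTS):
        return
    for cidr in cidrs:
        if is_world_open(cidr):
            yield cidr, (lo, hi)

def triage(events, flagged_names):
    """Map each flagged group's ID to its name, creator ARN and world-open sensitive rules."""
    report = {}
    for ev in events:  # assumes events are in chronological order, as CloudTrail delivers them
        params = ev.get("requestParameters", {})
        if ev["eventName"] == "CreateSecurityGroup" and params.get("groupName") in flagged_names:
            report[ev["responseElements"]["groupId"]] = {
                "name": params["groupName"], "creator": ev["userIdentity"]["arn"], "findings": []}
        elif ev["eventName"] == "AuthorizeSecurityGroupIngress" and params.get("groupId") in report:
            for perm in params["ipPermissions"]["items"]:
                report[params["groupId"]]["findings"].extend(permissive_rules(perm))
    return report
```

The `creator` ARN is the identity to pivot on for further indicators, and each finding is a rule to remove if the group turns out to be unauthorized.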