AWS Java_Ghost security group creation attempt

cloudtrail

Classification:

attack

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when an attempt to create an AWS security group called “Java_Ghost” is observed.

Strategy

Monitor CloudTrail and detect when an attempt to create an AWS security group called “Java_Ghost” has been observed. Datadog’s security research team has assessed with high confidence that an occurrence of this event likely means that identity {{@userIdentity.arn}} has been compromised. An attacker may try to create a security group to maintain access to any EC2 instances created.

Triage and response

  1. Determine other actions taken by the identity {{@userIdentity.arn}} by looking at past activity and the types of API calls occurring.
  2. Begin your company’s incident response process and an investigation.
PREVIEWING: safchain/fix-custom-agent