24 August 2020

Security researchers warn of malicious AWS Community AMIs


Security researchers are warning of a potential attack vector involving Amazon Web Services and Amazon's Community AMI marketplace. The issue is that malicious actors can create a malware-laced Community Amazon Machine Image (AMI) and distribute it via Amazon's marketplace to unsuspecting AWS customers who run EC2 instances built from Community AMIs.

During a recent engagement at a financial institution, researchers at cybersecurity company Mitiga found that an EC2 server in the customer’s Amazon Web Services (AWS) environment was running malicious code. The code in question was an active Monero crypto miner which was packaged into a ‘Microsoft Windows – Server 2008’ Community AMI used to create the EC2 server instance.

“This means that the malicious party that published this AMI designed it to execute a form of financial fraud: It was designed to bill AWS customer accounts for compute, while extracting crypto on the other side,” the researchers explained.

“Equally, an adversary could have planted a backdoor, allowing a threat actor to connect to the Windows machine and leverage it to access other areas of the environment, potentially accessing the entire EC2 infrastructure of the affected AWS account. Another viable threat scenario would be the planting of ransomware with a delayed trigger.”

Considering the potential risk, the researchers advise AWS customers who choose community AMIs to verify them, terminate them, or seek AMIs from trusted sources for their EC2 instances.
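One way to act on that advice is to inventory running instances and flag any whose AMI is not owned by a trusted account, or whose AMI can no longer be found and therefore cannot be verified. The following is an added example (not code from the article or from Mitiga): it works on dicts in the shape of the EC2 DescribeInstances and DescribeImages responses (which a real audit would fetch with boto3's `describe_instances` and `describe_images`); the sample data, AMI ids, account ids and trusted-owner list are constructed placeholders.

```python
"""Flag EC2 instances launched from AMIs that are not from a trusted source.

Added example, not from the article. Input dicts mirror the shape of the EC2
DescribeInstances / DescribeImages responses; all ids below are placeholders.
"""

# Owners whose AMIs are accepted: our own account id (placeholder) plus the
# well-known owner aliases AWS reports for its own and Marketplace images.
TRUSTED_OWNERS = {"111111111111", "amazon", "aws-marketplace"}


def ami_owner(image):
    """Return the owner alias when present (e.g. 'amazon'), else the owner account id."""
    return image.get("ImageOwnerAlias") or image.get("OwnerId")


def audit_instances(instances, images, trusted_owners=TRUSTED_OWNERS):
    """Return (InstanceId, ImageId, reason) for every instance that needs attention.

    reason is 'untrusted-owner' when the AMI exists but its owner is not trusted,
    or 'ami-missing' when the AMI is not visible (e.g. deregistered by its
    publisher), so its provenance cannot be verified at all.
    """
    by_id = {img["ImageId"]: img for img in images}
    findings = []
    for inst in instances:
        ami_id = inst["ImageId"]
        img = by_id.get(ami_id)
        if img is None:
            findings.append((inst["InstanceId"], ami_id, "ami-missing"))
        elif ami_owner(img) not in trusted_owners:
            findings.append((inst["InstanceId"], ami_id, "untrusted-owner"))
    return findings


# Constructed sample data (placeholder ids) in the API response shape.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "ImageId": "ami-0000000000000aaa", "Platform": "windows"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-0000000000000bbb"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-0000000000000ccc", "Platform": "windows"},
]
SAMPLE_IMAGES = [
    # Amazon-published image: trusted through the 'amazon' owner alias.
    {"ImageId": "ami-0000000000000aaa", "OwnerId": "000000000000", "ImageOwnerAlias": "amazon", "Public": True},
    # Public community AMI from an unknown account: flagged as untrusted.
    {"ImageId": "ami-0000000000000bbb", "OwnerId": "999999999999", "Public": True},
    # ami-...ccc is deliberately absent: it cannot be verified, so it is flagged.
]

if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES):
        print("%s launched from %s: %s" % finding)
```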
