Security researchers are warning of a potential attack vector involving Amazon Web Services and Amazon’s Community AMI marketplace. The issue is that malicious actors can create malware-laced Community Amazon Machine Images (AMIs) and distribute them through Amazon’s marketplace to unsuspecting AWS customers who launch EC2 instances from Community AMIs.
During a recent engagement at a financial institution, researchers at cybersecurity company Mitiga found that an EC2 server in the customer’s Amazon Web Services (AWS) environment was running malicious code. The code in question was an active Monero crypto miner which was packaged into a ‘Microsoft Windows – Server 2008’ Community AMI used to create the EC2 server instance.
“This means that the malicious party that published this AMI designed it to execute a form of financial fraud: It was designed to bill AWS customer accounts for compute, while extracting crypto on the other side,” the researchers explained.
“Equally, an adversary could have planted a backdoor, allowing a threat actor to connect to the Windows machine and leverage it to access other areas of the environment, potentially accessing the entire EC2 infrastructure of the affected AWS account. Another viable threat scenario would be the planting of ransomware with a delayed trigger.”
Considering the potential risk, the researchers advise AWS customers that use community AMIs to verify them, terminate them, or obtain AMIs from trusted sources for their EC2 instances.
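One way to act on that advice is to inventory which running instances were launched from an AMI that is neither your own nor AWS-published, so they can be reviewed first. The following is an added example, not Mitiga’s or AWS’s code; it works on the response shapes of boto3’s `describe_instances` and `describe_images` (so it runs offline on the constructed sample data below), and it treats the choice of trusted owner aliases as a policy knob.

```python
# Added example: flag EC2 instances whose AMI owner is not on an allow-list,
# so community images can be reviewed or their instances terminated.
# Input dicts mirror boto3 describe_instances / describe_images responses;
# all IDs below are constructed sample values.

TRUSTED_OWNER_ALIASES = {"amazon"}  # AWS-published images
# Aliases such as "aws-marketplace" exist too; whether Marketplace images count
# as trusted is a policy decision, so they are flagged unless added here.

def ami_owner_index(describe_images_response):
    """Map ImageId -> (OwnerId, ImageOwnerAlias or None, Public flag)."""
    return {
        img["ImageId"]: (img["OwnerId"], img.get("ImageOwnerAlias"), img.get("Public", False))
        for img in describe_images_response["Images"]
    }

def find_untrusted_instances(describe_instances_response, describe_images_response,
                             own_account_id, trusted_aliases=TRUSTED_OWNER_ALIASES):
    """Return [(InstanceId, ImageId, reason)] for instances that need review."""
    owners = ami_owner_index(describe_images_response)
    flagged = []
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            image_id = inst["ImageId"]
            if image_id not in owners:
                # AMI deregistered or no longer visible: its origin cannot be verified.
                flagged.append((inst["InstanceId"], image_id, "AMI not found; origin unverifiable"))
                continue
            owner_id, alias, public = owners[image_id]
            if owner_id == own_account_id or alias in trusted_aliases:
                continue
            kind = "public community AMI" if public else "shared AMI from another account"
            flagged.append((inst["InstanceId"], image_id, f"{kind}, owner {owner_id}"))
    return flagged

# Constructed sample responses (account and image IDs are made up).
SAMPLE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "ImageId": "ami-own01"},
    {"InstanceId": "i-0bbb", "ImageId": "ami-comm01"},
    {"InstanceId": "i-0ccc", "ImageId": "ami-amzn01"},
    {"InstanceId": "i-0ddd", "ImageId": "ami-gone01"},
]}]}
SAMPLE_IMAGES = {"Images": [
    {"ImageId": "ami-own01", "OwnerId": "111122223333", "Public": False},
    {"ImageId": "ami-comm01", "OwnerId": "999988887777", "Public": True},
    {"ImageId": "ami-amzn01", "OwnerId": "123456789012", "ImageOwnerAlias": "amazon", "Public": True},
]}

if __name__ == "__main__":
    for row in find_untrusted_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES, "111122223333"):
        print(*row)
```

In a real account, `describe_images` should be called with the set of ImageIds collected from the instances, since a community AMI the publisher has since deregistered will simply be absent and lands in the "origin unverifiable" bucket.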