Security researchers warn of malicious AWS Community AMIs

Security researchers are warning of a potential attack vector involving Amazon Web Services and Amazon's Community AMI marketplace. The issue is that malicious actors can create a malware-laced Community Amazon Machine Image (AMI) and distribute it through Amazon's marketplace to unsuspecting AWS customers who launch EC2 instances from that Community AMI.

During a recent engagement at a financial institution, researchers at cybersecurity company Mitiga found that an EC2 server in the customer’s Amazon Web Services (AWS) environment was running malicious code. The code in question was an active Monero crypto miner which was packaged into a ‘Microsoft Windows – Server 2008’ Community AMI used to create the EC2 server instance.

“This means that the malicious party that published this AMI designed it to execute a form of financial fraud: It was designed to bill AWS customer accounts for compute, while extracting crypto on the other side,” the researchers explained.

“Equally, an adversary could have planted a backdoor, allowing a threat actor to connect to the Windows machine and leverage it to access other areas of the environment, potentially accessing the entire EC2 infrastructure of the affected AWS account. Another viable threat scenario would be the planting of ransomware with a delayed trigger.”

Considering the potential risk, the researchers advise AWS customers that use community AMIs to verify those images, terminate the instances built from them, or source AMIs from trusted publishers for their EC2 instances.
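One way to act on that advice is to inventory every EC2 instance in an account and flag those whose AMI was not published by Amazon, the AWS Marketplace, or the account itself. The script below is an added example written for this article, not code from Mitiga or AWS. The record shapes mirror the EC2 DescribeInstances and DescribeImages API responses; the instance ids, image ids, image names, and the account id are constructed placeholders. It also handles the case where an AMI is no longer visible to DescribeImages (for example because its publisher deregistered it), which removes the evidence about the image's origin and so deserves the same review as a community AMI.

```python
"""Audit EC2 instances for AMIs from untrusted publishers.

Added defensive example (not Mitiga's or AWS's code). All sample data and the
account id below are constructed placeholders.
"""
from typing import Dict, Iterable, List, Tuple

# Publishers we accept without further review. AWS sets ImageOwnerAlias to
# "amazon" or "aws-marketplace" on images owned by AWS or the Marketplace;
# images built in our own account carry our account id as OwnerId.
TRUSTED_OWNER_ALIASES = {"amazon", "aws-marketplace"}
OWN_ACCOUNT_ID = "111111111111"  # placeholder: substitute the audited account's id


def classify_image(image: Dict) -> str:
    """Classify one DescribeImages record as 'trusted', 'own' or 'community'."""
    if image.get("ImageOwnerAlias") in TRUSTED_OWNER_ALIASES:
        return "trusted"
    if image.get("OwnerId") == OWN_ACCOUNT_ID:
        return "own"
    # Anything else is a public or shared image from an arbitrary account,
    # i.e. what the AWS console lists under "Community AMIs".
    return "community"


def audit_instances(instances: Iterable[Dict], images: Iterable[Dict]) -> List[Dict]:
    """Return one verdict per instance.

    An AMI that DescribeImages no longer returns gets the verdict 'unknown':
    the publisher may have deregistered it or made it private, so nothing
    can be verified about its origin any more.
    """
    by_id = {img["ImageId"]: img for img in images}
    report = []
    for inst in instances:
        ami = by_id.get(inst["ImageId"])
        verdict = classify_image(ami) if ami is not None else "unknown"
        report.append({
            "InstanceId": inst["InstanceId"],
            "ImageId": inst["ImageId"],
            "ImageName": ami.get("Name", "") if ami else "",
            "Owner": (ami.get("ImageOwnerAlias") or ami.get("OwnerId", "")) if ami else "",
            "Verdict": verdict,
        })
    return report


def untrusted(report: Iterable[Dict]) -> List[Dict]:
    """Keep only the entries an operator must verify or terminate."""
    return [r for r in report if r["Verdict"] not in ("trusted", "own")]


def fetch_live(region: str) -> Tuple[List[Dict], List[Dict]]:
    """Pull real data with boto3 (imported lazily so the logic above runs offline).

    Needs credentials allowing ec2:DescribeInstances and ec2:DescribeImages.
    The image-id filter is used instead of ImageIds= so that a deregistered
    AMI is simply absent from the result rather than raising an error.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    instances = [
        inst
        for page in ec2.get_paginator("describe_instances").paginate()
        for reservation in page["Reservations"]
        for inst in reservation["Instances"]
    ]
    image_ids = sorted({inst["ImageId"] for inst in instances})
    images = []
    if image_ids:
        images = ec2.describe_images(
            Filters=[{"Name": "image-id", "Values": image_ids}]
        )["Images"]
    return instances, images


# Constructed sample data shaped like the API responses.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa000000000001", "ImageId": "ami-0aaa000000000001"},
    {"InstanceId": "i-0bbb000000000002", "ImageId": "ami-0bbb000000000002"},
    {"InstanceId": "i-0ccc000000000003", "ImageId": "ami-0ccc000000000003"},
    {"InstanceId": "i-0ddd000000000004", "ImageId": "ami-0ddd000000000004"},
]
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaa000000000001", "OwnerId": "123456789012",
     "ImageOwnerAlias": "amazon", "Public": True, "Name": "win2019-base-constructed"},
    {"ImageId": "ami-0bbb000000000002", "OwnerId": "222222222222",
     "Public": True, "Name": "Microsoft Windows - Server 2008"},  # community AMI
    {"ImageId": "ami-0ddd000000000004", "OwnerId": OWN_ACCOUNT_ID,
     "Public": False, "Name": "golden-web-constructed"},
    # ami-0ccc000000000003 is deliberately absent: its publisher deregistered it.
]

if __name__ == "__main__":
    for row in untrusted(audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES)):
        print(f"{row['Verdict']:9} {row['InstanceId']} {row['ImageId']} "
              f"owner={row['Owner'] or '?'} name={row['ImageName'] or '?'}")
```

Run against a live account by replacing the sample data with `fetch_live("us-east-1")` and setting `OWN_ACCOUNT_ID`. The owner-based check is deliberately conservative: a privately shared image from an unfamiliar account is treated the same as a public community image, because the trust question is who built it, not who can see it.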
