whoAMI attacks give hackers code execution on Amazon EC2 instances

Security researchers discovered a name confusion attack that lets anyone who publishes an Amazon Machine Image (AMI) with a specific name gain access to Amazon Web Services accounts. Dubbed "whoAMI," the attack was crafted by DataDog researchers in August 2024, who demonstrated that it is possible for attackers to gain code execution within AWS accounts by exploiting how software projects retrieve AMI IDs. Amazon confirmed the vulnerability and pushed a fix in September, but the problem persists on the customer side in environments where organizations fail to update the code.

AMIs are virtual machines preconfigured with the necessary software (operating system, applications) that are used to create virtual servers, called EC2 (Elastic Compute Cloud) instances in the AWS ecosystem. To make sure that an AMI comes from a trusted source in the AWS marketplace, the search needs to include the 'owners' attribute; otherwise the risk of a whoAMI name confusion attack increases. Without specifying an owner, AWS returns all matching AMIs, including the attacker's. If the parameter "most_recent" is set to "true," the victim's system picks the latest AMI added to the marketplace, which may be a malicious one whose name resembles a legitimate entry. These conditions allow attackers to insert malicious AMIs into the selection process by naming the resource similarly to a trusted one.

The attacker only needs an AWS account to publish their backdoored AMI to the public Community AMI catalog and strategically choose a name that mimics the AMIs of their targets. Basically, all an attacker needs to do is publish an AMI with a name that fits the pattern used by trusted owners, making it easy for users to select it and launch an EC2 instance.

DataDog researchers notified Amazon about the flaw, and the company confirmed that internal non-production systems were vulnerable to the whoAMI attack. The issue was fixed last year on September 19, and on December 1st AWS introduced a new security control named 'Allowed AMIs' that lets customers create an allow list of trusted AMI providers. AWS stated that the vulnerability was not exploited outside of the security researchers' tests, so no customer data was compromised via whoAMI attacks.

Amazon advises customers to always specify AMI owners when using the "ec2:DescribeImages" API and to enable the 'Allowed AMIs' feature for additional protection. The new feature is available via AWS Console → EC2 → Account Attributes → Allowed AMIs. To check whether untrusted AMIs are currently in use, enable AWS Audit Mode through 'Allowed AMIs,' and switch to 'Enforcement Mode' to block them. DataDog has also released a scanner that checks an AWS account for instances created from untrusted AMIs, available in a GitHub repository.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
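As an added example (not code from the article or from DataDog), the following Python simulates the two lookup styles the article contrasts over a constructed DescribeImages-style result set: the owner IDs, image IDs and names are placeholders, and `describe_images_request` only builds the keyword arguments for boto3's `describe_images` without calling AWS.

```python
"""Simulated whoAMI lookup: name-only 'most recent' selection versus owner-pinned selection.

Added example, not from the article or DataDog. The records below are constructed to mirror
the shape of an ec2:DescribeImages response (ImageId, Name, OwnerId, CreationDate); all IDs
and names are placeholders.
"""
from fnmatch import fnmatch

TRUSTED_OWNER = "111111111111"   # placeholder for the publisher you actually trust
ATTACKER_OWNER = "999999999999"  # placeholder for an arbitrary Community AMI publisher

# Constructed sample: two legitimate builds plus one attacker-published look-alike that is newer.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000aaaa", "Name": "myorg-base-image-2024-06-01",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-06-01T09:00:00.000Z"},
    {"ImageId": "ami-0000000000000bbbb", "Name": "myorg-base-image-2024-09-01",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-09-01T09:00:00.000Z"},
    {"ImageId": "ami-0000000000000eeee", "Name": "myorg-base-image-2024-12-01",
     "OwnerId": ATTACKER_OWNER, "CreationDate": "2024-12-01T09:00:00.000Z"},
]

def newest(images):
    """Return the ImageId of the most recently created image, or None for an empty list."""
    if not images:
        return None
    return max(images, key=lambda img: img["CreationDate"])["ImageId"]

def pick_ami_by_name_only(images, name_pattern):
    """The risky pattern: wildcard name match, no owner filter, most_recent=true.
    Whoever publishes the newest matching name wins the selection."""
    return newest([img for img in images if fnmatch(img["Name"], name_pattern)])

def pick_ami_owner_pinned(images, name_pattern, trusted_owners):
    """Hardened: only images from trusted owners are eligible before picking the newest.
    Fails closed (None) rather than falling back to an untrusted image."""
    eligible = [img for img in images
                if img["OwnerId"] in trusted_owners and fnmatch(img["Name"], name_pattern)]
    return newest(eligible)

def describe_images_request(name_pattern, trusted_owners):
    """Keyword arguments for boto3's ec2.describe_images that apply the same owner pin server-side."""
    return {"Owners": sorted(trusted_owners),
            "Filters": [{"Name": "name", "Values": [name_pattern]}]}

if __name__ == "__main__":
    pattern = "myorg-base-image-*"
    print("name only   :", pick_ami_by_name_only(SAMPLE_IMAGES, pattern))  # the attacker's AMI
    print("owner pinned:", pick_ami_owner_pinned(SAMPLE_IMAGES, pattern, {TRUSTED_OWNER}))
    print("request     :", describe_images_request(pattern, {TRUSTED_OWNER}))
```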

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 13 Feb 2025 23:40:03 +0000