CyberSecurity news
FlagThis
@csoonline.com
//
Cybersecurity researchers have uncovered a new "whoAMI" attack that exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts. The attack allows anyone publishing an AMI with a specific, crafted name to potentially gain access and execute malicious code. The vulnerability stems from misconfigured software that can be tricked into using a malicious AMI instead of a legitimate one when creating Elastic Compute Cloud (EC2) instances.
Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024, introducing new security controls and HashiCorp Terraform implemented warnings to prevent misuse of the API.
ImgSrc: www.csoonline.c
References :
Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024, introducing new security controls and HashiCorp Terraform implemented warnings to prevent misuse of the API.
ImgSrc: www.csoonline.c
Share:
References :
- Talkback Resources: Cybersecurity researchers disclosed the whoAMI attack, enabling attackers to execute code within AWS accounts by tricking misconfigured software into using a malicious AMI with a specific name, prompting AWS to introduce new security controls and HashiCorp Terraform to implement warnings.
- The Hacker News: New “whoAMI� Attack Exploits AWS AMI Name Confusion for Remote Code Execution
- www.bleepingcomputer.com: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
- www.csoonline.com: whoAMI name confusion attacks can expose AWS accounts to malicious code execution
- BleepingComputer: Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name.
- aws.amazon.com: AWS blog post on the fix.
- securitylabs.datadoghq.com: Datadog Security Labs report detailing the whoAMI attack.
- securityaffairs.com: whoAMI attack could allow remote code execution within AWS account
- Security Affairs: whoAMI attack could allow remote code execution within AWS account
Classification:
- HashTags: #AWS #whoAMI #CloudSecurity
- Company: Amazon
- Target: AWS accounts
- Product: AWS
- Feature: Name Confusion Attack
- Malware: whoAMI
- Type: Hack
- Severity: Major