Researchers have described a new name confusion attack, dubbed whoAMI, that lets anyone who publishes an Amazon Machine Image (AMI) with a specific name gain code execution in a victim's Amazon Web Services (AWS) account. An AMI is a pre-configured virtual machine template used to launch EC2 instances in AWS. The attack targets AMI lookups that search by name (often with a wildcard) and take the most recent match without restricting who published the image: an attacker publishes a public AMI whose name matches the expected pattern and carries a newer creation date, and automated infrastructure-as-code (IaC) tools such as Terraform then select the attacker's image over the legitimate one. The check practitioners want is to restrict every lookup to the expected publisher's account ID, so that a look-alike image from any other account is never a candidate.
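The selection logic behind the attack, as an added example that is not part of the original report and not Datadog's or Terraform's own code. It mimics an `ec2:DescribeImages` name search over a constructed catalogue (the image IDs and the owner accounts "111111111111" and "999999999999" are made up) and shows why `most_recent = true` without an owner restriction picks the attacker's image:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Image:
    """Subset of an ec2:DescribeImages record: ImageId, Name, OwnerId, CreationDate."""
    image_id: str
    name: str
    owner_id: str
    creation_date: datetime


# Constructed catalogue standing in for the public AMI listing. IDs are made up:
# "111111111111" plays the legitimate publisher, "999999999999" the attacker who
# published a look-alike name with a newer creation date.
CATALOGUE = [
    Image("ami-0a1b2c3d4e5f60001",
          "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240115",
          "111111111111", datetime(2024, 1, 15, tzinfo=timezone.utc)),
    Image("ami-0a1b2c3d4e5f60002",
          "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240801",
          "111111111111", datetime(2024, 8, 1, tzinfo=timezone.utc)),
    Image("ami-0a1b2c3d4e5f60003",
          "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250201",
          "999999999999", datetime(2025, 2, 1, tzinfo=timezone.utc)),
]

LEGIT_PUBLISHER = "111111111111"
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"


def describe_images(catalogue, name_pattern, owners=None):
    """Mimic DescribeImages with a Name filter (wildcards allowed) and an optional
    Owners restriction. owners=None is the dangerous default: the search spans
    every public image, whoever published it."""
    return [img for img in catalogue
            if fnmatchcase(img.name, name_pattern)
            and (owners is None or img.owner_id in owners)]


def pick_ami(catalogue, name_pattern, owners=None):
    """Terraform-style selection: most_recent = true takes the newest match."""
    candidates = describe_images(catalogue, name_pattern, owners)
    if not candidates:
        return None
    return max(candidates, key=lambda img: img.creation_date)


def is_trusted(image, trusted_owners):
    """Defence in depth: refuse to launch anything from an unexpected owner,
    even if the lookup itself forgot to filter."""
    return image is not None and image.owner_id in trusted_owners


if __name__ == "__main__":
    unsafe = pick_ami(CATALOGUE, NAME_PATTERN)                       # no owner filter
    safe = pick_ami(CATALOGUE, NAME_PATTERN, owners=[LEGIT_PUBLISHER])
    print("no owners filter  ->", unsafe.image_id, "owner", unsafe.owner_id)
    print("owners restricted ->", safe.image_id, "owner", safe.owner_id)
    print("unsafe pick trusted?", is_trusted(unsafe, {LEGIT_PUBLISHER}))
```

In Terraform this corresponds to a `data "aws_ami"` block with `most_recent = true` and a wildcard `name` filter but no `owners` argument; the fix is to set `owners` to the publisher's account ID. The `is_trusted` check is the belt-and-braces version for scripts that call `DescribeImages` directly.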
Abandoned AWS S3 buckets once used by software projects, governments and infrastructure deployment pipelines now pose a software supply-chain risk.
Researchers have shown how abandoned Amazon Web Services (AWS) S3 buckets can be used to hijack the global software supply chain. S3 bucket names are globally unique, and once a bucket is deleted its name is free for anyone to register, so an attacker can re-create an abandoned bucket and serve malicious files to every application, installer and build pipeline that still points at it, potentially leading to remote code execution and other compromises. Researchers from security firm watchTowr identified approximately 150 AWS S3 buckets once used by various software projects to host scripts, configuration files, software updates and other binary artifacts that were automatically downloaded and executed on user machines. After the researchers re-registered the bucket names, the buckets received around 8 million HTTPS requests for these files over a two-month period, with requests coming from IP addresses registered to government agencies in several countries, including the US and the UK, military networks, Fortune 500 companies, payment card networks, industrial product manufacturers, banks and other financial organizations, universities, software vendors, and even cybersecurity companies.
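The audit a consumer of such artifacts wants is an inventory of every S3 bucket their scripts depend on, with dangling names flagged. The following is an added example, not watchTowr's tooling: it extracts bucket names from the three common S3 URL shapes in a constructed bootstrap script (all bucket names and hosts in it are invented) and classifies each against a set of buckets you own and a caller-supplied existence probe.

```python
import re

# Bucket names are 3-63 characters of lowercase letters, digits, dots and hyphens.
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_REGION = r"(?:[.-][a-z0-9-]+)?"  # ".us-east-1", legacy "-us-west-2", or absent

S3_URL_SHAPES = [
    re.compile(r"s3://" + _NAME),                                                   # s3://bucket/key
    re.compile(r"https?://" + _NAME + r"\.s3" + _REGION + r"\.amazonaws\.com"),    # bucket.s3[.region].amazonaws.com (virtual-hosted)
    re.compile(r"https?://s3" + _REGION + r"\.amazonaws\.com/" + _NAME),           # s3[.region].amazonaws.com/bucket (path-style)
]

# Constructed example of the kind of bootstrap script the research describes.
SAMPLE_INSTALL_SCRIPT = """\
#!/bin/sh
curl -sSL https://acme-release-artifacts.s3.amazonaws.com/install.sh | sh
aws s3 cp s3://acme-ci-cache/toolchain.tgz /tmp/
wget -q https://s3.us-east-1.amazonaws.com/oldvendor-updates/agent-latest.deb
wget -q https://mirrors.example.com/pkg/agent-latest.deb
"""


def extract_bucket_names(text):
    """Return the set of bucket names referenced anywhere in the text."""
    found = set()
    for shape in S3_URL_SHAPES:
        for match in shape.finditer(text):
            found.add(match.group(1))
    return found


def audit_references(text, owned_buckets, bucket_exists):
    """Classify each referenced bucket as owned, third-party or dangling.

    bucket_exists(name) -> bool is supplied by the caller. In production it would
    probe the bucket endpoint (S3 answers NoSuchBucket for a name nobody holds,
    AccessDenied or 200 for one that exists); here a stub stands in for it.
    """
    report = {}
    for name in sorted(extract_bucket_names(text)):
        if name in owned_buckets:
            report[name] = "owned"
        elif bucket_exists(name):
            report[name] = "third-party"   # exists, but someone else controls what it serves
        else:
            report[name] = "dangling"      # name is free: anyone can register it and serve files
    return report


if __name__ == "__main__":
    # Stub: pretend only our two buckets still exist and the vendor's was deleted.
    still_exists = {"acme-release-artifacts", "acme-ci-cache"}
    for bucket, status in audit_references(
            SAMPLE_INSTALL_SCRIPT,
            owned_buckets={"acme-release-artifacts", "acme-ci-cache"},
            bucket_exists=lambda n: n in still_exists).items():
        print(f"{status:12} {bucket}")
```

Anything reported as dangling is a name an attacker can claim today; anything third-party is a name you are trusting someone else to keep, and the research above shows how often that trust outlives the project.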
A ransomware campaign, attributed to a crew dubbed 'Codefinger', is abusing Amazon Web Services' (AWS) Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt S3 buckets. With credentials that grant write access to a bucket, the attackers re-write its objects using SSE-C with encryption keys known only to them and then demand a ransom for those keys. The attack abuses a legitimate AWS feature rather than a vulnerability: AWS never stores a customer-provided key (only a salted HMAC of it, used to validate later requests), so neither the victim nor AWS can recover the data without the attacker's key.
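Two controls follow directly from how the attack works: detect S3 write operations that carry SSE-C headers, and deny SSE-C uploads on buckets that never use it. The block below is an added example, not Codefinger tooling or any vendor's detection content. It runs a detector over constructed CloudTrail S3 data-event records (the bucket, keys, source IPs and the AWS documentation example access key IDs are made up) and builds a bucket-policy statement that denies any `PutObject` carrying the SSE-C algorithm header.

```python
import json
from collections import Counter

SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# S3 write operations on which SSE-C headers can appear.
SSE_C_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart", "UploadPartCopy"}

# Constructed CloudTrail data-event records (only the fields the detector reads).
SAMPLE_TRAIL = [
    {"eventTime": "2025-01-10T03:14:07Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "acme-prod-data", "key": "customers/2024.csv", SSE_C_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:14:09Z", "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "acme-prod-data", "key": "invoices/q4.parquet",
                           "x-amz-copy-source": "acme-prod-data/invoices/q4.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/daily.json",
                           "x-amz-server-side-encryption": "aws:kms"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:21:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/daily.json"}},
]


def is_sse_c_write(record):
    """True for an S3 write that either sent the SSE-C header or was recorded as SSE_C."""
    if record.get("eventSource") != "s3.amazonaws.com":
        return False
    if record.get("eventName") not in SSE_C_WRITE_EVENTS:
        return False
    params = record.get("requestParameters") or {}
    extra = record.get("additionalEventData") or {}
    return SSE_C_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def flag_sse_c_writes(records):
    """Reduce matching records to the fields an analyst needs to scope the incident."""
    hits = []
    for record in records:
        if not is_sse_c_write(record):
            continue
        params = record.get("requestParameters") or {}
        hits.append({
            "time": record.get("eventTime"),
            "event": record.get("eventName"),
            "bucket": params.get("bucketName"),
            "key": params.get("key"),
            "access_key": (record.get("userIdentity") or {}).get("accessKeyId"),
            "source_ip": record.get("sourceIPAddress"),
        })
    return hits


def writes_per_access_key(hits):
    """A burst of SSE-C writes from one credential is the pivot for revocation."""
    return Counter(hit["access_key"] for hit in hits)


def sse_c_deny_statement(bucket):
    """Bucket-policy statement: deny PutObject whenever the SSE-C algorithm header is present.
    Null=false means 'the condition key exists', i.e. the request asked for SSE-C."""
    return {
        "Sid": "DenySSECUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:" + SSE_C_HEADER: "false"}},
    }


if __name__ == "__main__":
    hits = flag_sse_c_writes(SAMPLE_TRAIL)
    for hit in hits:
        print(hit)
    print(writes_per_access_key(hits))
    print(json.dumps({"Version": "2012-10-17", "Statement": [sse_c_deny_statement("acme-prod-data")]}, indent=2))
```

The policy is only a preventive control; for recovery, versioning (ideally with MFA delete or Object Lock) keeps the pre-encryption object versions reachable, and S3 data events must already be enabled in CloudTrail for the detector to have anything to read.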