FlagThis

CyberSecurity updates
2025-02-22 21:15:47 Pacfic
FBI and CISA warn about continuing attacks by Chinese ransomware group Ghost
whoAMI Attack Exploits AWS AMI Name Confusion - 6d
Read more: www.csoonline.com

Cybersecurity researchers have uncovered a new "whoAMI" attack that exploits name confusion in Amazon Machine Images (AMIs) to achieve remote code execution within Amazon Web Services (AWS) accounts. The attack allows anyone publishing an AMI with a specific, crafted name to potentially gain access and execute malicious code. The vulnerability stems from misconfigured software that can be tricked into using a malicious AMI instead of a legitimate one when creating Elastic Compute Cloud (EC2) instances.

Researchers found that the attack vector requires specific conditions to be met when retrieving AMI IDs through the API, including the use of the name filter and a failure to specify the owner. An attacker can create a malicious AMI with a matching name, leading to the creation of an EC2 instance using the attacker's doppelgänger AMI. Amazon addressed the issue following a responsible disclosure in September 2024, introducing new security controls and HashiCorp Terraform implemented warnings to prevent misuse of the API.

Original img attribution: https://www.csoonline.com/wp-content/uploads/2025/02/3825098-0-19143500-1739534380-shutterstock_680076340.jpg?quality=50&strip=all&w=1024
ImgSrc: www.csoonline.com
References:
  • Talkback Resources - Cybersecurity researchers disclosed the whoAMI attack, enabling attackers to execute code within AWS accounts by tricking misconfigured software into using a malicious AMI with a specific name, prompt - 6d
  • The Hacker News - New “whoAMIâ€� Attack Exploits AWS AMI Name Confusion for Remote Code Execution - 6d
  • www.bleepingcomputer.com - Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. - 6d
  • News | CSO Online - whoAMI name confusion attacks can expose AWS accounts to malicious code execution - 6d
  • @BleepingComputer - Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. - 6d
  • aws.amazon.com - AWS blog post on the fix. - 5d
  • securitylabs.datadoghq.com - Datadog Security Labs report detailing the whoAMI attack. - 5d
  • Security Affairs - whoAMI attack could allow remote code execution within AWS account - 5d
  • Security Affairs - whoAMI attack could allow remote code execution within AWS account - 4d

Classification:

This site is an experimental news aggregator using feeds I personally follow. You can provide me feedback using this form or using Bluesky.