Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New "whoAMI" Attack Exploits AWS AMI Name Confusion for Remote Code Execution



A new name confusion attack dubbed "whoAMI" allows attackers to gain remote code execution inside Amazon Web Services (AWS) accounts whose code looks up Amazon Machine Images (AMIs) by name pattern without pinning the publisher's account. The weakness is not in AWS itself but in how callers query the AMI catalog; the attack, disclosed recently by Datadog Security Labs, could affect thousands of AWS accounts and underlines the importance of secure software supply chain practices.



  • The "whoAMI" attack is a name confusion attack that exploits a misconfiguration in how code looks up AMIs through AWS's EC2 service, not a flaw in EC2 itself.
  • It relies on the fact that anyone with an AWS account can publish a public AMI under any name, so an attacker can place a look-alike image in the Community AMI catalog.
  • The vulnerable lookup pattern is a wildcard "name" filter on the ec2:DescribeImages API with no owners (or owner-id / owner-alias) restriction, combined with selecting the most recently created match.
  • Because the attacker's image is the newest match, the victim's own code launches it, giving the attacker remote code execution (RCE) on the resulting EC2 instance and a foothold for post-exploitation.
  • The attack is a subset of supply chain attacks: a malicious resource is published under a trusted-looking name and misconfigured software consumes it in place of the legitimate one.
  • Amazon addressed the root exposure with a new account-level security control called Allowed AMIs in December 2024; customers still need to fix the lookup code.



  • In recent weeks, cybersecurity researchers have uncovered a new name confusion attack called "whoAMI," which has the potential to compromise thousands of Amazon Web Services (AWS) accounts by exploiting the way many code bases select Amazon Machine Images (AMIs) by name. The attack is particularly concerning because it needs nothing more than an ordinary AWS account: anyone can publish a public AMI with an arbitrary name, so an attacker can create a malicious image that a victim's own infrastructure code will pick up and launch.

    The "whoAMI" attack works against a common lookup idiom in AWS's EC2 service, where developers search for an AMI ID rather than hard-coding one. The lookup becomes vulnerable when three conditions are met: the code queries the ec2:DescribeImages API with a wildcard "name" filter (for example a vendor's image name ending in "*"), it does not restrict results to a trusted publisher with the owners parameter or an owner-id / owner-alias filter, and it then selects the most recently created match (Terraform's most_recent = true, or sorting by CreationDate in SDK code). An attacker publishes a public AMI whose name matches the pattern and, because it is newer than the legitimate vendor image, the victim's own code selects the doppelganger AMI and provisions a new EC2 instance from it.

    Once an instance boots from the malicious AMI, the attacker's code runs on it with whatever IAM role the instance profile grants, which amounts to remote code execution (RCE) inside the victim's account. From there the attacker can exfiltrate data reachable from the instance, install malware or a backdoor, or pivot to other AWS resources using the instance's credentials. The impact scales with the privileges attached to the instance and with how widely the vulnerable lookup is reused across an organization's environments.
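The selection logic described above, reduced to a runnable simulation. This is an added example and not code from Datadog or from the article; it approximates the ec2:DescribeImages semantics the text relies on (a "name" filter matched with shell-style wildcards, an optional owners restriction, and caller-side selection of the newest match). Every image record, image ID and account ID below is constructed for illustration.

```python
"""Why the whoAMI lookup pattern picks the attacker's image.

Approximates DescribeImages: wildcard match on Name, optional owners list,
and the caller choosing the most recently created result (Terraform
most_recent = true, or sorting by CreationDate in SDK code).
"""
from fnmatch import fnmatchcase

# Constructed public catalog. A vendor (placeholder account 111111111111)
# publishes two images; a hypothetical attacker (placeholder 999999999999)
# publishes a look-alike whose name matches the same wildcard and carries a
# newer CreationDate. Image IDs are placeholders, not real AMIs.
CATALOG = [
    {"ImageId": "ami-0123456789abcdef0", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240101",
     "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0123456789abcdef1", "OwnerId": "111111111111",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240601",
     "CreationDate": "2024-06-01T00:00:00.000Z"},
    {"ImageId": "ami-0fedcba9876543210", "OwnerId": "999999999999",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20250101",
     "CreationDate": "2025-01-01T00:00:00.000Z"},
]

# The wildcard pattern a typical lookup uses for the vendor's images.
NAME_PATTERN = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"


def describe_images(catalog, name_pattern, owners=None):
    """Approximate DescribeImages: wildcard match on Name, optional owner restriction."""
    matches = [img for img in catalog if fnmatchcase(img["Name"], name_pattern)]
    if owners is not None:
        matches = [img for img in matches if img["OwnerId"] in owners]
    return matches


def newest(images):
    """Pick the most recently created image; refuse to guess when nothing matched."""
    if not images:
        raise LookupError("no AMI matched the trusted-owner query; not falling back")
    return max(images, key=lambda img: img["CreationDate"])


def pick_ami_vulnerable(catalog, name_pattern):
    """The whoAMI pattern: wildcard name + newest match, no owner constraint."""
    return newest(describe_images(catalog, name_pattern))["ImageId"]


def pick_ami_hardened(catalog, name_pattern, trusted_owners):
    """Same lookup, but only images published by trusted account(s) qualify."""
    return newest(describe_images(catalog, name_pattern, owners=trusted_owners))["ImageId"]


if __name__ == "__main__":
    print("vulnerable lookup picks:", pick_ami_vulnerable(CATALOG, NAME_PATTERN))
    print("hardened lookup picks:  ", pick_ami_hardened(CATALOG, NAME_PATTERN, ["111111111111"]))
```

The hardened variant deliberately raises rather than widening the search when the trusted owner has no matching image, since a silent fallback to "any publisher" would reintroduce the same exposure.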

    The "whoAMI" attack is a subset of supply chain attacks, in which a malicious resource is published under a trusted-looking name and misconfigured software is tricked into consuming it instead of the legitimate counterpart. Here the malicious resource is the attacker's look-alike AMI, and the legitimate counterpart is the vendor image the developer intended to launch.

    The exposure stems from two facts. First, anyone can publish an AMI to the public Community AMI catalog, so image names are not a trust boundary. Second, ec2:DescribeImages faithfully returns every public image that matches the caller's filters; if the caller supplies only a wildcard name and no owner restriction, the attacker's image is a valid answer to the query, and nothing in the lookup distinguishes it from the real one.

    According to Datadog Security Labs researcher Seth Art, "If executed at scale, this attack could be used to gain access to thousands of accounts." He also noted that the vulnerable pattern can be found in many private and open-source code repositories. This highlights the importance of secure software supply chain practices and emphasizes the need for developers to remain vigilant when searching for and retrieving AMIs.

    Amazon has addressed the underlying exposure with a new security control called Allowed AMIs, introduced in December 2024. The setting lets an account or organization restrict which AMI publishers can be discovered and launched, so that images from untrusted accounts never appear in DescribeImages results or pass a RunInstances call. It does not rewrite existing lookup code, however, so the vulnerable pattern still needs to be fixed at the source.

    In light of this disclosure, developers and organizations should review every place their code or infrastructure-as-code resolves an AMI by name. The concrete fix is to always constrain the lookup to a trusted publisher (the owners parameter, or an owner-id / owner-alias filter) in Terraform, CloudFormation, SDK and CLI code alike, to enable Allowed AMIs at the account or organization level, and to treat any AMI lookup that only matches a wildcard name as a finding.
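A small audit that finds the pattern in Terraform code, covering both the "vulnerable pattern in code repositories" observation above and the review step just described. This is an added example, not a Datadog tool or anything from the article: it uses a brace-matching regex pass over HCL rather than a real parser, and the three `data "aws_ami"` blocks it checks are constructed sample input with a placeholder account ID.

```python
"""Flag Terraform aws_ami data sources that match the whoAMI lookup pattern:
most_recent = true, a "name" filter, and no owner restriction of any kind.
Regex-based approximation; a real HCL parser would be more robust.
"""
import re

# Constructed sample input: one vulnerable block, two safe variants.
SAMPLE_HCL = '''
data "aws_ami" "vulnerable" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

data "aws_ami" "pinned_owner" {
  most_recent = true
  owners      = ["111111111111"]   # placeholder vendor account ID
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
  }
}

data "aws_ami" "owner_alias_filter" {
  most_recent = true
  filter {
    name   = "owner-alias"
    values = ["amazon"]
  }
  filter {
    name   = "name"
    values = ["al2023-ami-*"]
  }
}
'''

BLOCK_RE = re.compile(r'data\s+"aws_ami"\s+"([^"]+)"\s*\{')
FILTER_RE = re.compile(r'filter\s*\{(.*?)\}', re.S)
FILTER_NAME_RE = re.compile(r'name\s*=\s*"([^"]+)"')
OWNERS_RE = re.compile(r'^\s*owners\s*=', re.M)
MOST_RECENT_RE = re.compile(r'most_recent\s*=\s*true')


def extract_aws_ami_blocks(hcl):
    """Return (label, body) for each data "aws_ami" block, matching nested braces."""
    blocks = []
    for m in BLOCK_RE.finditer(hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
            i += 1
        blocks.append((m.group(1), hcl[m.end():i - 1]))
    return blocks


def filter_names(body):
    """Names of all filter { name = "..." } sub-blocks inside a data block body."""
    names = []
    for fm in FILTER_RE.finditer(body):
        nm = FILTER_NAME_RE.search(fm.group(1))
        if nm:
            names.append(nm.group(1))
    return names


def audit(hcl):
    """Labels of aws_ami data sources that exhibit the whoAMI lookup pattern."""
    findings = []
    for label, body in extract_aws_ami_blocks(hcl):
        names = filter_names(body)
        has_owner = OWNERS_RE.search(body) is not None or any(
            n in ("owner-id", "owner-alias") for n in names)
        if MOST_RECENT_RE.search(body) and "name" in names and not has_owner:
            findings.append(label)
    return findings


if __name__ == "__main__":
    for label in audit(SAMPLE_HCL):
        print(f'data "aws_ami" "{label}": wildcard name lookup without owner restriction')
```

Run it over a repository with `audit(open(path).read())` per `.tf` file; SDK code that builds the same DescribeImages call without `Owners` deserves the same scrutiny.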

    More broadly, the attack is a reminder that name-based resolution of any third-party artifact (images, packages, containers) needs an identity check on the publisher, not just a string match. Teams that understand how these confusion attacks work can audit for the pattern proactively rather than waiting for an incident.

    In conclusion, "whoAMI" is a clear example of a software supply chain weakness that lives in customer code rather than in the cloud platform. Pinning AMI lookups to a trusted owner and enabling Allowed AMIs closes the gap; leaving wildcard name lookups unconstrained hands an attacker a path to code execution inside the account.



    Related Information:

  • https://thehackernews.com/2025/02/new-whoami-attack-exploits-aws-ami-name.html


  • Published: Fri Feb 14 14:45:22 2025 by llama3.2 3B Q4_K_M


    © Ethical Hacking News . All rights reserved.