Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within Amazon Web Services (AWS) accounts.
"If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report shared with The Hacker News. "The vulnerable pattern can be found in many private and open source code repositories."
At its core, the attack is a subset of a supply chain attack that involves publishing a malicious resource and tricking misconfigured software into using it instead of the legitimate counterpart.
The attack takes advantage of two facts: anyone can publish an AMI, which is the virtual machine image used in AWS to boot Elastic Compute Cloud (EC2) instances, to the community catalog, and developers can omit the owner attribute when searching for one through the ec2:DescribeImages API.
Put differently, the name confusion attack requires the following three conditions to hold when the AMI ID is retrieved through the affected API –
- Use of the name filter,
- Failure to specify the owner, owner-alias, or owner-id parameters,
- Taking the most recently created image from the returned list of matching images ("most_recent = true")
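The three conditions above, reproduced as an added example (Python; this is not code from the Datadog report, from AWS, or from any affected project): a constructed DescribeImages-style result list is fed to a lookup that meets all three conditions and to a hardened lookup that insists on an owner allow-list, followed by a small check that flags a parameter set showing the pattern. Every image ID, name, owner ID and date below is a constructed placeholder, and no AWS API is called.

```python
"""whoAMI lookup conditions demonstrated offline (added example, not the
report's code). The image records mimic the shape of an ec2:DescribeImages
response; the owner IDs are placeholders, not real accounts."""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed sample: what a call filtered only on the "name" filter might return.
TRUSTED_OWNER = "123456789012"  # placeholder: the one account you actually trust
SAMPLE_IMAGES = [
    {"ImageId": "ami-0000000000000001",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-20240101",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-01-01T00:00:00.000Z"},
    {"ImageId": "ami-0000000000000002",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-20240601",
     "OwnerId": TRUSTED_OWNER, "CreationDate": "2024-06-01T00:00:00.000Z"},
    # A public image from some other account whose name matches the same wildcard
    # and which is newer than anything the trusted owner has published.
    {"ImageId": "ami-0000000000000bad",
     "Name": "ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-20240901",
     "OwnerId": "999999999999", "CreationDate": "2024-09-01T00:00:00.000Z"},
]


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def name_matches(name, pattern):
    # The API's "name" filter accepts * wildcards; fnmatch approximates that here.
    return fnmatchcase(name, pattern)


def pick_ami_vulnerable(images, name_pattern):
    """All three conditions from the text: name filter, no owner, most recent."""
    matches = [i for i in images if name_matches(i["Name"], name_pattern)]
    return max(matches, key=lambda i: _parse_ts(i["CreationDate"]))["ImageId"]


def pick_ami_hardened(images, name_pattern, owners):
    """Same lookup restricted to an explicit owner allow-list, so an identically
    named image from any other account is never a candidate."""
    matches = [i for i in images
               if i["OwnerId"] in owners and name_matches(i["Name"], name_pattern)]
    if not matches:
        raise LookupError("no AMI from trusted owners matches %r" % name_pattern)
    return max(matches, key=lambda i: _parse_ts(i["CreationDate"]))["ImageId"]


def audit_describe_images_call(params):
    """True when a DescribeImages parameter dict shows the risky pattern: a
    "name" filter with neither Owners nor an owner-id / owner-alias filter."""
    filters = {f["Name"]: f["Values"] for f in params.get("Filters", [])}
    has_name = "name" in filters
    has_owner = (bool(params.get("Owners"))
                 or "owner-id" in filters or "owner-alias" in filters)
    return has_name and not has_owner


if __name__ == "__main__":
    PATTERN = "ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-*"
    print("lookup without owner picked:", pick_ami_vulnerable(SAMPLE_IMAGES, PATTERN))
    print("lookup with owner picked:   ",
          pick_ami_hardened(SAMPLE_IMAGES, PATTERN, {TRUSTED_OWNER}))
    print("call is risky:", audit_describe_images_call(
        {"Filters": [{"Name": "name", "Values": [PATTERN]}]}))
```

The lookup without an owner returns the newest matching image regardless of who published it, which in the sample is the untrusted account's record; the hardened lookup returns the trusted owner's newest image and fails closed when no trusted image matches. The audit function is what a CI check over boto3 call sites would evaluate.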
This leads to a scenario in which an attacker can create a malicious AMI with a name that matches the pattern specified in the search criteria, resulting in the victim launching an EC2 instance from the threat actor's doppelgänger AMI.
This, in turn, grants remote code execution (RCE) capabilities on the instance, allowing the threat actors to carry out various post-exploitation actions.
https://www.youtube.com/watch?v=l-wexfjd-bo
All an attacker needs is an AWS account to publish their backdoored AMI to the public Community AMI catalog and to choose a name that matches the AMIs sought by their targets.
"This is similar to a dependency confusion attack, except that in the latter the malicious resource is a software dependency (such as a pip package), whereas in the whoAMI name confusion attack the malicious resource is a virtual machine image," Art said.
Datadog said that about 1% of the organizations monitored by the company were affected by the whoAMI attack, and that it found public examples of vulnerable code written in Python, Go, Java, Terraform, Pulumi, and Bash shell.
Following responsible disclosure on September 16, 2024, the issue was addressed by Amazon three days later. When reached for comment, AWS told The Hacker News that it found no evidence that the technique was abused in the wild.
"All AWS services are operating as designed. Based on extensive log analysis and monitoring, our investigation confirmed that the technique described in this research has only been executed by the authorized researchers themselves, with no evidence of usage by any other parties," the company said.
"This technique could affect customers who retrieve Amazon Machine Image (AMI) IDs via the ec2:DescribeImages API without specifying the owner value. In December 2024, we introduced Allowed AMIs, a new account-wide setting that enables customers to limit the discovery and use of AMIs within their AWS accounts. We recommend customers evaluate and implement this new security control."
As of last November, HashiCorp Terraform has started issuing warnings to users when "most_recent = true" is used without an owner filter, beginning with terraform-provider-aws version 5.77.0. The warning is expected to be upgraded to an error effective version 6.0.0.
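A way to catch the same pattern in Terraform source before the provider does, as an added example (Python; this is not HashiCorp's, the provider's, or Datadog's code): it scans a constructed HCL snippet for `data "aws_ami"` blocks that combine a `name` filter and `most_recent = true` with neither `owners` nor an owner filter, which are exactly the three conditions listed earlier. It uses regular expressions rather than a real HCL parser, so it assumes the simple block layout shown and the placeholder account ID is made up.

```python
"""Static audit for the whoAMI pattern in Terraform data "aws_ami" blocks
(added example, not the provider's own check). Regex-based: handles
single-level data blocks with nested filter {} blocks, nothing fancier."""
import re

# Constructed sample HCL: "weak" shows the risky pattern, "fixed" the corrected
# form with an explicit owner allow-list (the account ID is a placeholder).
SAMPLE_TF = '''
data "aws_ami" "weak" {
  most_recent = true
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-*"]
  }
}

data "aws_ami" "fixed" {
  most_recent = true
  owners      = ["123456789012"] # placeholder trusted account
  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-22.04-amd64-*"]
  }
}
'''

# A data block ends at the first "}" that starts a line; nested filter blocks
# close with an indented "}" so they do not terminate the match early.
_BLOCK_RE = re.compile(r'data\s+"aws_ami"\s+"(?P<label>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)
_MOST_RECENT_RE = re.compile(r'^\s*most_recent\s*=\s*true\b', re.M)
_OWNERS_RE = re.compile(r'^\s*owners\s*=\s*\[', re.M)
_NAME_FILTER_RE = re.compile(r'filter\s*\{[^}]*?name\s*=\s*"name"', re.S)
_OWNER_FILTER_RE = re.compile(r'filter\s*\{[^}]*?name\s*=\s*"owner-(?:id|alias)"', re.S)


def find_weak_aws_ami_blocks(hcl):
    """Return the labels of data "aws_ami" blocks meeting all three conditions:
    most_recent = true, a "name" filter, and no owners / owner filter."""
    weak = []
    for m in _BLOCK_RE.finditer(hcl):
        body = m.group("body")
        if (_MOST_RECENT_RE.search(body)
                and _NAME_FILTER_RE.search(body)
                and not _OWNERS_RE.search(body)
                and not _OWNER_FILTER_RE.search(body)):
            weak.append(m.group("label"))
    return weak


if __name__ == "__main__":
    # Constructed usage; on a real repository you would read each *.tf file.
    for label in find_weak_aws_ami_blocks(SAMPLE_TF):
        print('data "aws_ami" "%s": name filter + most_recent without owners' % label)
```

Run over the sample it reports only the `weak` block; the `fixed` block passes because `owners` is set. Adding `owners` (or an `owner-id` / `owner-alias` filter) is the same remediation the provider warning points at.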