New ‘WhoAmI’ Attack Targets AWS AMI Naming to Slip Malicious Images Into Cloud Deployments
Introduction
A recently discovered cybersecurity threat, referred to as the WhoAmI attack, is taking aim at Amazon Web Services (AWS). By manipulating the naming of Amazon Machine Images (AMIs), attackers can introduce harmful images into AWS instances. This tactic allows them to bypass standard security checks and potentially gain access to confidential data and operations within the cloud environment.
How the Attack Works
Misleading AMI Names: Threat actors upload AMIs with deceptively familiar names—such as “linux-whoami” or “ubuntu-core”—into the AWS Marketplace, making them appear to be legitimate or official.
Tricked Deployment: Developers and system administrators who fail to verify AMI details might install these Trojanised images, granting attackers a foothold within their cloud infrastructure.
Potential Damage: Successful exploitation can lead to data theft, disruption of services, or further compromise of the organisation’s digital environment.
Mitigation Strategies
Verify AMI IDs: Always confirm that an AMI’s ID matches the official AWS or vendor documentation before deployment.
Enable AWS Scanning Tools: Use AWS services like Amazon Inspector or other third-party scanners to spot anomalies in AMIs.
Apply Least Privilege: Restrict user permissions and roles to ensure that even if a malicious AMI is deployed, the attacker’s capabilities remain limited.
Regular Audits: Conduct frequent reviews of deployed AMIs and related logs to identify suspicious activity.
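The "Verify AMI IDs" step above can be enforced in the deployment pipeline rather than left to a manual check. The following Python guard is an added example, not code from the article or from AWS: it takes records shaped like the EC2 DescribeImages response, accepts only images whose ID is on an approved list and whose OwnerId is a trusted account, and never falls back to picking the newest image by name. Account IDs, AMI IDs and image names are constructed placeholders; the owner allowlist goes one step beyond the page's ID check.

```python
# Added example (not from the original article): a guard for AMI selection.
# It applies the "Verify AMI IDs" advice and additionally rejects any image
# whose OwnerId is not a trusted account, so a lookalike name published from
# an unknown account is never chosen. Input mirrors EC2 DescribeImages output.

# Constructed placeholder accounts and IDs for illustration only.
TRUSTED_OWNERS = {"111111111111"}            # e.g. your org's image-builder account
APPROVED_AMI_IDS = {"ami-0aaaaaaaaaaaaaaa1"}  # IDs taken from vendor/internal docs

# Constructed DescribeImages-style records: a legitimate image and a lookalike
# with a near-identical name published from an untrusted account.
SAMPLE_IMAGES = [
    {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "Name": "ubuntu-core-22.04",
     "OwnerId": "111111111111", "CreationDate": "2024-01-10T00:00:00.000Z"},
    {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "Name": "ubuntu-core-22.04-latest",
     "OwnerId": "999999999999", "CreationDate": "2024-06-01T00:00:00.000Z"},
]

class UntrustedAmiError(Exception):
    """Raised when no image passes both the approved-ID and trusted-owner checks."""

def select_trusted_ami(images, trusted_owners=TRUSTED_OWNERS,
                       approved_ids=APPROVED_AMI_IDS):
    """Return the newest image that is on the approved-ID list AND published
    by a trusted owner. Raises instead of silently choosing something else."""
    candidates = [
        img for img in images
        if img.get("ImageId") in approved_ids
        and img.get("OwnerId") in trusted_owners
    ]
    if not candidates:
        raise UntrustedAmiError("no image matched approved IDs and trusted owners")
    # ISO-8601 UTC timestamps sort correctly as strings; newest first.
    candidates.sort(key=lambda img: img["CreationDate"], reverse=True)
    return candidates[0]

def rejected_images(images, trusted_owners=TRUSTED_OWNERS):
    """IDs of images a name-only lookup might have picked but that fail the
    owner check; worth logging as an audit signal during regular reviews."""
    return [img["ImageId"] for img in images
            if img.get("OwnerId") not in trusted_owners]

if __name__ == "__main__":
    chosen = select_trusted_ami(SAMPLE_IMAGES)
    print("selected:", chosen["ImageId"], "owner:", chosen["OwnerId"])
    print("rejected:", rejected_images(SAMPLE_IMAGES))
```

Note that the newer lookalike is rejected even though a "latest image by name" lookup would have preferred it.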
Conclusion
AWS remains a powerful platform for businesses to scale their operations, but new threats like the WhoAmI attack highlight the importance of staying vigilant. Whether you’re a small start-up or a large enterprise, taking proactive steps to verify AMI sources and maintain strict access controls is vital to safeguarding your cloud environment.