Mon Feb 17 2025

Amazon EC2 Instances Targeted by whoAMI Attacks that Could Allow Hackers to Execute Code.

Users are advised to update immediately.

A vulnerability called whoAMI has been identified involving Amazon Machine Images (AMIs), which allows malicious actors to gain remote code execution (RCE) capabilities in users' AWS accounts. The issue was discovered in the summer of 2024 by cybersecurity researchers at Datadog and has been confirmed by Amazon, which has already implemented a solution and urged users to update their code to protect their systems.

AMIs are preconfigured templates used to create and launch virtual servers (EC2 instances) on AWS. They include an operating system, application software, and necessary configurations such as storage and permissions, allowing users to deploy environments quickly and efficiently, whether using images provided by AWS, community AMIs, or custom AMIs.

Researchers found that the method by which software projects retrieve AMI identifiers had a flaw, creating the potential for a malicious actor to execute code remotely in users' AWS accounts. The attack relies on name confusion: an attacker publishes an AMI whose name follows the format used by trusted owners, and the system could inadvertently select it.
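The name confusion described above, modeled offline as an added example (not code from Datadog or AWS): a lookup that picks the newest image matching a name pattern, with and without restricting the publisher. The account IDs, image IDs and names are constructed, and the function names are hypothetical.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample catalogue: account IDs, image IDs and names are made up.
TRUSTED_OWNER = "111111111111"   # hypothetical trusted publisher account
UNKNOWN_OWNER = "999999999999"   # hypothetical unrelated account

CATALOGUE = [
    {"ImageId": "ami-trusted-old", "OwnerId": TRUSTED_OWNER,
     "Name": "example-linux-server-20240601", "CreationDate": "2024-06-01T00:00:00Z"},
    {"ImageId": "ami-trusted-new", "OwnerId": TRUSTED_OWNER,
     "Name": "example-linux-server-20240801", "CreationDate": "2024-08-01T00:00:00Z"},
    {"ImageId": "ami-lookalike", "OwnerId": UNKNOWN_OWNER,
     "Name": "example-linux-server-20240901", "CreationDate": "2024-09-01T00:00:00Z"},
]

def _created(image):
    return datetime.strptime(image["CreationDate"], "%Y-%m-%dT%H:%M:%SZ")

def newest_match(images, name_pattern, owners=None):
    """Return the most recently created image whose name matches the pattern.

    owners=None models a lookup that filters by name only; a set of account
    IDs models a lookup that is also restricted to trusted publishers.
    """
    matches = [
        img for img in images
        if fnmatchcase(img["Name"], name_pattern)
        and (owners is None or img["OwnerId"] in owners)
    ]
    return max(matches, key=_created) if matches else None

def audit_lookup(images, name_pattern, trusted_owners):
    """Report whether a name-only lookup resolves to an untrusted publisher."""
    by_name = newest_match(images, name_pattern)
    pinned = newest_match(images, name_pattern, owners=trusted_owners)
    return {
        "name_only": by_name and by_name["ImageId"],
        "owner_pinned": pinned and pinned["ImageId"],
        "confused": bool(by_name) and by_name["OwnerId"] not in trusted_owners,
    }

if __name__ == "__main__":
    print(audit_lookup(CATALOGUE, "example-linux-server-*", {TRUSTED_OWNER}))
```

A `confused` result of `True` means the name-only lookup resolved to a publisher outside the trusted set, which is the condition to look for when reviewing code that retrieves AMI identifiers.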

Datadog noted that although only a small percentage of AWS users are vulnerable, this represents "thousands" of accounts. Amazon issued a patch in mid-September of the previous year and introduced a new security control called "Allowed AMIs" in early December, recommending that all users apply these updates. There is no evidence that the vulnerability has been exploited.