New "whoAMI" Attack Exploits AWS AMI Name Confusion for Remote Code Execution
Briefly

The whoAMI attack, identified by cybersecurity researchers, allows attackers to execute code within AWS accounts by exploiting name confusion when searching for AMIs. This attack requires the attacker to publish a malicious AMI with a specific name that matches a legitimate one, manipulating the search parameters in the ec2:DescribeImages API. If successful, the attacker can obtain remote code execution capabilities on the victim's EC2 instance. The researchers emphasized the widespread potential for abuse, especially given that many repositories could harbor this vulnerability.
At its heart, the attack is a subset of a supply chain attack that involves publishing a malicious resource and tricking misconfigured software into using it instead of the legitimate counterpart.
If executed at scale, this attack could be used to gain access to thousands of accounts. The vulnerable pattern can be found in many private and open source code repositories.
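The name confusion described above, modeled offline as an added example (not code from the researchers or from AWS), with the name-only lookup beside an owner-pinned one. The image records, account IDs and function names are constructed, and the example assumes the caller takes the newest name match, a detail this page does not spell out.

```python
import fnmatch

TRUSTED_OWNERS = {"111111111111"}  # constructed account ID of the legitimate publisher

# Constructed records shaped like ec2:DescribeImages output (not real AMIs).
IMAGES = [
    {"ImageId": "ami-0aaa", "Name": "example-base-2024.01", "OwnerId": "111111111111",
     "CreationDate": "2024-01-10T00:00:00.000Z"},
    {"ImageId": "ami-0bbb", "Name": "example-base-2024.02", "OwnerId": "111111111111",
     "CreationDate": "2024-02-10T00:00:00.000Z"},
    # Look-alike name published from an unrelated account, with a newer date.
    {"ImageId": "ami-0ccc", "Name": "example-base-2024.03", "OwnerId": "999999999999",
     "CreationDate": "2024-03-01T00:00:00.000Z"},
]


def describe_images(images, name_pattern, owners=None):
    """Model of a name-filtered lookup; owners=None means no owner restriction."""
    hits = [i for i in images if fnmatch.fnmatchcase(i["Name"], name_pattern)]
    if owners is not None:
        hits = [i for i in hits if i["OwnerId"] in owners]
    return hits


def newest(hits):
    # ISO-8601 timestamps in one fixed format sort correctly as strings.
    return max(hits, key=lambda i: i["CreationDate"]) if hits else None


def select_ami_unsafe(images, name_pattern):
    """The confused lookup: name only, so any publisher's image can win."""
    return newest(describe_images(images, name_pattern))


def select_ami_pinned(images, name_pattern, trusted_owners):
    """Hardened lookup: only images owned by allowlisted accounts are considered."""
    return newest(describe_images(images, name_pattern, owners=trusted_owners))


def audit(images, name_pattern, trusted_owners):
    """Owner IDs outside the allowlist that a name-only search would let in."""
    return sorted({i["OwnerId"] for i in describe_images(images, name_pattern)
                   if i["OwnerId"] not in trusted_owners})


if __name__ == "__main__":
    print("name only:", select_ami_unsafe(IMAGES, "example-base-*")["ImageId"])
    print("pinned   :", select_ami_pinned(IMAGES, "example-base-*", TRUSTED_OWNERS)["ImageId"])
    print("untrusted:", audit(IMAGES, "example-base-*", TRUSTED_OWNERS))
```

The `audit` result is the useful signal for review: a non-empty list means the name pattern alone does not identify the intended publisher.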
Read at The Hacker News