Mitiga Recommends AWS Customers Running Community AMIs to Verify Them for Malicious Code

Mitiga, an Incident Readiness & Response company, is issuing a global advisory warning AWS customers that EC2 instances built from Community AMIs (Amazon Machine Images) may contain embedded malicious code, the company said.

AWS customers are strongly advised to verify the integrity of any Community AMI before continuing to use it on EC2 instances.

Mitiga's further assessment is that AMIs provided by trusted vendors on the AWS Marketplace do not present this risk.

During a recent engagement with a financial institution, Mitiga was asked to assess the cloud resiliency of the customer's environment so that it would be better prepared for a possible security incident. While assessing the organization's AWS environment against a bank of attack scenarios, Mitiga's security specialists discovered an active Monero crypto miner on one of the company's EC2 servers.

Further investigation showed that the malicious code containing the crypto miner had been packaged into a 'Microsoft Windows — Server 2008' Community AMI, which was used to create the EC2 instance.

The malicious party that published this Community AMI designed it to carry out a form of financial fraud: the AWS customer's account is billed for the compute, while the publisher collects the mined cryptocurrency on the other end.

Because this malicious AMI may indicate a broader phenomenon rather than an isolated occurrence, it is Mitiga's professional opinion that the potential risk to AWS customers warrants this rather dramatic advisory. Therefore, out of an abundance of caution, companies using Community AMIs are recommended to verify them, terminate the instances built from them, or obtain AMIs from trusted sources for their EC2 instances.
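The advisory's first practical step is finding which instances were launched from a Community AMI at all. The following script is an added example (not Mitiga's tooling) that reads the JSON shapes returned by `aws ec2 describe-instances` and `aws ec2 describe-images` and reports every non-terminated instance whose AMI is neither owned by your own account nor published under the `amazon` or `aws-marketplace` owner alias. The account IDs, instance IDs, AMI IDs and image names embedded below are constructed sample data so the script runs offline; in practice you would feed it the real CLI output.

```python
"""Flag EC2 instances launched from Community AMIs (or from AMIs that can no
longer be inspected).

Added example, not part of the original advisory. Consumes the JSON produced by
`aws ec2 describe-instances` and `aws ec2 describe-images`. All IDs below are
constructed sample values.
"""
import json

# Owner aliases that AWS itself sets on images published by AWS or by
# AWS Marketplace sellers. Anything else (other than our own account) is a
# public image from an arbitrary third-party account, i.e. a Community AMI.
TRUSTED_ALIASES = {"amazon", "aws-marketplace"}

# Constructed sample account ID standing in for the auditing account.
OWN_ACCOUNT = "111111111111"


def classify_image(image, own_account_id):
    """Classify one describe-images entry as 'own', 'amazon',
    'aws-marketplace' or 'community'."""
    if image.get("OwnerId") == own_account_id:
        return "own"
    alias = image.get("ImageOwnerAlias")
    if alias in TRUSTED_ALIASES:
        return alias
    return "community"


def flag_instances(reservations, images, own_account_id):
    """Return sorted [(instance_id, image_id, verdict)] for instances that
    need review. verdict is 'community' when the AMI comes from a third-party
    account, or 'unknown' when the AMI is absent from the describe-images
    result (e.g. deregistered), which also blocks any later verification of
    what the image contained."""
    images_by_id = {img["ImageId"]: img for img in images}
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            if inst["State"]["Name"] == "terminated":
                continue  # nothing left running; nothing to verify
            image = images_by_id.get(inst["ImageId"])
            verdict = "unknown" if image is None else classify_image(image, own_account_id)
            if verdict in ("community", "unknown"):
                findings.append((inst["InstanceId"], inst["ImageId"], verdict))
    return sorted(findings)


def audit(instances_json, images_json, own_account_id):
    """Parse raw CLI output (JSON text) and run the check."""
    reservations = json.loads(instances_json)["Reservations"]
    images = json.loads(images_json)["Images"]
    return flag_instances(reservations, images, own_account_id)


# Constructed sample output of `aws ec2 describe-instances` (fields trimmed).
SAMPLE_INSTANCES_JSON = """{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa000000000001", "ImageId": "ami-0aaa000000000001", "State": {"Name": "running"}},
  {"InstanceId": "i-0aaa000000000002", "ImageId": "ami-0aaa000000000002", "State": {"Name": "running"}},
  {"InstanceId": "i-0aaa000000000003", "ImageId": "ami-0aaa000000000003", "State": {"Name": "stopped"}},
  {"InstanceId": "i-0aaa000000000004", "ImageId": "ami-0aaa000000000002", "State": {"Name": "terminated"}}
]}]}"""

# Constructed sample output of `aws ec2 describe-images` for the AMIs above.
# ami-0aaa000000000003 is deliberately missing, as a deregistered AMI would be.
SAMPLE_IMAGES_JSON = """{"Images": [
  {"ImageId": "ami-0aaa000000000001", "OwnerId": "333333333333", "ImageOwnerAlias": "amazon",
   "Public": true, "Name": "Windows_Server-2019-English-Full-Base-sample"},
  {"ImageId": "ami-0aaa000000000002", "OwnerId": "222222222222",
   "Public": true, "Name": "Windows Server 2008 - free community build"}
]}"""


if __name__ == "__main__":
    for instance_id, image_id, verdict in audit(SAMPLE_INSTANCES_JSON, SAMPLE_IMAGES_JSON, OWN_ACCOUNT):
        print(f"{instance_id}\t{image_id}\t{verdict}")
```

Note that this check establishes provenance, not integrity: an instance whose AMI passes the owner test still gets your normal endpoint and network monitoring, and an instance flagged `community` or `unknown` is a candidate for the advisory's "verify, terminate, or rebuild from a trusted source" decision, not proof of compromise. The `unknown` verdict matters in practice because once the publisher deregisters a malicious AMI there is no image left to examine, so the running instance itself becomes the only evidence.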

Mitiga provides remote Incident Readiness & Response services to clients that operate hybrid and full cloud environments. Using managed services infused with a reimagined Incident Response technology stack, Mitiga bolsters organizations' security resiliency, accelerating their post-incident return to business as usual from days down to hours. For more information, go to: mitiga.io