Mitiga at RSAC 2025: Visit our booth, attend speaking sessions, and schedule a meeting with us!

Based on recent research and analysis, we are issuing a global advisory, warning AWS customers running EC2 instances based on Community AMIs (Amazon Machine Instances), from potentially embedded malicious code. We strongly advise verifying their security before continuing using these instances.

In our further assessment, AMIs provided by trusted vendors on the AWS Marketplace do not present any such risk.

TL;DR for AWS Customers Using Community AMIs

  • Mitiga’s security research team has identified an AWS Community AMI containing malicious code running an unidentified Monero crypto miner.
  • We have concerns this may be a phenomenon, rather than an isolated occurrence.
  • Vulnerabilities of this sort pose significant risk, as embedded code can potentially include malware, ransomware or other type of attack tools.
  • We advise AWS customers running EC2 instances based on Community AMIs to either verify them, terminate them, or replace them with ones provided by an AWS trusted vendor.

Background

At a recent customer engagement with a financial institution, we were asked to assess its environment’s cloud resiliency, in order to be better prepared for a possible incident.

As part of our assessment of the organization’s AWS environment against a bank of attack scenarios, we discovered an active crypto miner on one of the company’s EC2 servers.

The crypto miner didn’t find itself there by means of an exploit or misconfiguration — rather, it was there the entire time, courtesy of the AMI that was used to create the EC2 instance it was running in from the get-go.

Learn how to  respond effectively to a ransomware attack and get back to business-as-usual.

Don’t Take Candy from Strangers

Many companies walk a tightrope between migrating to cloud-based technologies on the one end, and keeping legacy applications functioning, on the other.

If you’re running a DevOps team that needs to set-up an application designed for, in this particular case, Microsoft Windows — Server 2008, AMIs are a great functional solution. However, greater vigilance needs to be taken when applying ‘Open Source’ sensibilities. That is, embracing community-sourced code, within business-critical environments.

True, some Community AMIs can often be cost-conscious solutions, but those savings need to be counter-weighed with the risks posed by binaries whose origin and contents are murky at best, or completely unknown, at worst.

Image for post

Uh Oh. And, Oh No…

When we inspected the Windows Server 2008 Community AMI we immediately identified an embedded Monero crypto miner.

Image for post

This means that the malicious party that published this AMI designed it to execute a form of financial fraud: It was designed to bill AWS customer accounts for compute, while extracting crypto on the other side.

Just as easily, however, an adversary could have planted a backdoor, allowing a threat actor to connect to the Windows machine and leverage it to access other areas of the environment, potentially accessing the entire EC2 infrastructure of the affected AWS account.

Another viable threat scenario would be the planting of ransomware with a delayed trigger. The victim organization would set-up a production server based on the AMI without suspecting anything. After several months, the ransomware would fire-up and encrypt the storage connected to the server.

Security Advisory for Community AMIs

The ease of making malicious AMIs available for public use, in our opinion, warrants the rather dramatic advisory warning we are issuing.

Out of an abundance of caution, if you are utilizing such a Community AMI, we recommend verifying or terminating these instances, and seeking AMIs from trusted sources.

Ransomware Readiness: Protecting Your Enterprise Against Today’s Most Dangerous Cyberthreats

LAST UPDATED:

May 4, 2024

Don't miss these stories:

Make Cloud Attacks Yesterday’s Problem with Mitiga at RSA Conference 2025

Visit Mitiga at booth number N-4618 at RSA Conference 2025 to learn about cloud detection and response.

Uncovering Hidden Threats: Hunting Non-Human Identities in GitHub

In the last few days, two compromised GitHub Actions are actively leaking credentials, and a large-scale OAuth phishing campaign is exploiting developer trust.

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

How Transit Gateway VPC Flow Logs Help Incident & Response Readiness

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.

Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?

On September the 16th, Uber announced they experienced a major breach in their organization in which malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?