Security Advisory: Mitiga Recommends All AWS Customers Running Community AMIs to Verify Them for Malicious Code

Out of an abundance of caution, Community AMIs currently utilized on EC2 instances should be verified, terminated or replaced by AMIs exclusively from trusted sources.

TEL-AVIV -- Mitiga, an Incident Readiness & Response company, is issuing a global advisory warning AWS customers running EC2 instances based on Community AMIs (Amazon Machine Images) about potentially embedded malicious code. AWS customers are strongly advised to verify Community AMI integrity before continuing to use them on EC2 instances.

It is Mitiga’s further assessment that AMIs provided by trusted vendors on the AWS Marketplace do not present any such risk.

At a recent customer engagement with a financial institution, Mitiga was asked to assess its environment's cloud resiliency, in order to be better prepared for a possible security incident. As part of our assessment of the organization’s AWS environment against a bank of attack scenarios, Mitiga’s security specialists discovered an active Monero crypto miner on one of the company's EC2 servers.

Further investigation indicated the malicious code containing the crypto miner was packaged into a ‘Microsoft Windows – Server 2008’ Community AMI used to create the EC2 server instance.

The malicious party that published this AMI on the AWS Marketplace designed it to execute a form of financial fraud: bill AWS customer accounts for compute, while extracting crypto on the other end.

Equally, an adversary could have planted a backdoor, allowing a threat actor to connect to the Windows machine and leverage it to access other areas of the environment, potentially accessing the entire EC2 infrastructure of the affected AWS account. Another viable threat scenario would be the planting of ransomware with a delayed trigger.

“Embracing community-sourced code within business-critical environments introduces significant risk,” said Mitiga Co-Founder & CTO, Ofer Maor. “This is yet another example of the risks posed by today’s cloud marketplaces, offering easy to use solutions, while introducing risks of embedding insecure or malicious code and binaries, oftentimes from unknown sources.”

As this malicious AMI may indicate a phenomenon, rather than an isolated occurrence, it is Mitiga’s professional opinion that the potential risk posed to AWS customers warrants the rather dramatic advisory warning being issued. Therefore, out of an abundance of caution, companies utilizing Community AMIs are recommended to verify, terminate, or seek AMIs from trusted sources for their EC2 instances.

About Mitiga:

Mitiga provides remote Incident Readiness & Response services to clients that operate hybrid and full cloud environments. Using managed services infused with a reimagined Incident Response technology stack, Mitiga bolsters organizations’ security resiliency, accelerating their post-incident bounce-back to Business-as-Usual, from days down to hours. For more information, go to:


Press Contact: Roi Carthy