InfoSecBulletin Cybersecurity for mankind
Security researchers disclosed a cirtical flaw in Amazon Elastic Container Service (ECS) that enables harmful containers to steal AWS credentials from other tasks on the same EC2 instance.
The attack, dubbed “ECScape,” exploits an undocumented internal protocol to impersonate the ECS agent and harvest privileged credentials without requiring container breakout.
SoupDealer Malware Bypasses Every Sandbox, AV’s, XDR/EDR in Real-World Incidents
WinRAR Zero-Day and 7-Zip Vulnerability actively exploited
Biometric Clone: ₹5.58 crore loss, 251 accounts in 17 districts
Google Confirms Data Breach: Notifying Affected Users
28,000+ Microsoft Exchange Servers Exposed Online for CVE-2025-53786
Google alerts of cloud storage bucket hijacking attacks
Multiple 0-days to Bypass BitLocker and Extract Data
Amazon ECS Internal Protocol Exploited to Steal AWS Credentials
7 Tools for Automated Server Patching
Germany’s top court rules police may use spyware solely for serious crimes
Vulnerability Overview:
The ECScape attack takes advantage of a basic mistake in how ECS handles IAM credentials on shared EC2 instances.
Running multiple containers with varying privilege levels on the same host can lead to security risks. A low-privileged container could exploit the ECS Agent Communication Service (ACS) protocol to access credentials from higher-privileged tasks.
The vulnerability was discovered by security researcher Naor Haziz during development of an eBPF-based monitoring tool.
While investigating how ECS tasks retrieve metadata, Haziz observed that the ECS agent receives task credentials via a WebSocket connection to AWS’s control plane with a suspicious “sendCredentials=true” parameter.
AWS advises ECS users to take protective measures. Key strategies include not deploying high-privilege tasks with untrusted containers on shared instances, using dedicated hosts for critical services, or switching to AWS Fargate for isolated task environments.
Additional protections involve restricting IMDS access through the ECS_AWSVPC_BLOCK_IMDS setting, enforcing IMDSv2, and implementing least-privilege IAM policies.
Organizations should remove unnecessary Linux capabilities to reduce post-compromise risks.
The disclosure emphasizes key security aspects of container orchestration platforms and the need to grasp isolation boundaries in cloud environments.
While AWS has not indicated plans to modify the underlying architecture, the research emphasizes why Fargate’s micro-VM isolation provides stronger security guarantees for sensitive workloads.
