Security researchers disclosed a critical flaw in Amazon Elastic Container Service (ECS) that enables malicious containers to steal AWS credentials from other tasks on the same EC2 instance.
The attack, dubbed “ECScape,” exploits an undocumented internal protocol to impersonate the ECS agent and harvest privileged credentials without requiring container breakout.

Vulnerability Overview:
The ECScape attack takes advantage of a fundamental weakness in how ECS handles IAM credentials on shared EC2 instances.
When containers with different privilege levels run on the same host, a low-privileged container can abuse the ECS Agent Communication Service (ACS) protocol to obtain credentials belonging to higher-privileged tasks.
The vulnerability was discovered by security researcher Naor Haziz during development of an eBPF-based monitoring tool.
While investigating how ECS tasks retrieve metadata, Haziz observed that the ECS agent receives task credentials via a WebSocket connection to AWS’s control plane with a suspicious “sendCredentials=true” parameter.
AWS advises ECS users to take protective measures. Key strategies include not deploying high-privilege tasks with untrusted containers on shared instances, using dedicated hosts for critical services, or switching to AWS Fargate for isolated task environments.
Additional protections involve restricting IMDS access through the ECS_AWSVPC_BLOCK_IMDS setting, enforcing IMDSv2, and implementing least-privilege IAM policies.
Organizations should remove unnecessary Linux capabilities to reduce post-compromise risks.
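The following audit script is an added example, not code from the researcher or from AWS. It checks the two hardening points above that live in configuration: a task definition whose containers keep privileged mode or extra Linux capabilities, and an ECS agent config (`/etc/ecs/ecs.config`) that leaves `ECS_AWSVPC_BLOCK_IMDS` unset. The task definition and config contents are constructed sample input; the key names follow the ECS task definition schema and agent configuration.

```python
"""Audit an ECS task definition and ECS agent config for the hardening
settings discussed in the ECScape write-up (added example, constructed input)."""
import json

# Constructed sample task definition (shape follows ECS RegisterTaskDefinition).
SAMPLE_TASK_DEF = json.dumps({
    "family": "web",
    "networkMode": "awsvpc",
    "containerDefinitions": [
        {"name": "app", "image": "example/app:1.0", "privileged": False,
         "linuxParameters": {"capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar", "image": "example/sidecar:2.3", "privileged": True,
         "linuxParameters": {"capabilities": {"add": ["NET_ADMIN"]}}},
    ],
})

# Constructed sample /etc/ecs/ecs.config contents (weak: IMDS still reachable).
SAMPLE_ECS_CONFIG = "ECS_CLUSTER=prod\nECS_AWSVPC_BLOCK_IMDS=false\n"


def parse_ecs_config(text):
    """Parse KEY=VALUE lines of ecs.config into a dict; comments and blanks skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_task_definition(task_def_json):
    """Return findings for containers that retain more privilege than needed."""
    findings = []
    td = json.loads(task_def_json)
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        caps = c.get("linuxParameters", {}).get("capabilities", {})
        if c.get("privileged"):
            findings.append(f"{name}: privileged=true")
        if caps.get("add"):
            findings.append(f"{name}: adds capabilities {sorted(caps['add'])}")
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: does not drop ALL capabilities")
    return findings


def audit_ecs_config(text):
    """Flag an agent config that leaves IMDS reachable from awsvpc-mode tasks."""
    cfg = parse_ecs_config(text)
    if cfg.get("ECS_AWSVPC_BLOCK_IMDS", "false").lower() != "true":
        return ["ECS_AWSVPC_BLOCK_IMDS is not true: awsvpc tasks can reach IMDS"]
    return []
```

Run both audits over exported task definitions (`aws ecs describe-task-definition`) and the agent config pulled from each container instance; any finding marks a container that should not share a host with higher-privileged tasks.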
The disclosure emphasizes key security aspects of container orchestration platforms and the need to grasp isolation boundaries in cloud environments.
While AWS has not indicated plans to modify the underlying architecture, the research emphasizes why Fargate’s micro-VM isolation provides stronger security guarantees for sensitive workloads.