AWS ECR image uploaded
Description
AlphaSOC detected that an image has been unexpectedly uploaded to Elastic Container Registry (ECR). This activity suggests potential malicious intent, such as preparing for container-based attacks, establishing persistence, or poisoning the CI/CD pipeline. While ECR image uploads are common in cloud environments, they can also be leveraged by adversaries to introduce malicious containers. Actions initiated by AWS services are exempt from the detection to avoid false positives.
Impact
Uploading malicious images to ECR can lead to the execution of unauthorized code within the cloud environment. This can result in data breaches, resource hijacking, lateral movement within the network, or serve as a foothold for further attacks. Compromised container images may also be used to exfiltrate sensitive data or mine cryptocurrency.
Severity
| Severity | Condition |
|---|---|
| Low | ECR image uploaded unexpectedly |
Investigation and Remediation
Investigate the source and content of the uploaded image. Verify whether the upload was authorized and performed by a legitimate user. Scan the image for vulnerabilities and malware. If the image is determined to be malicious, remove it from ECR immediately. Review access logs and user permissions for ECR. If compromise is confirmed, rotate credentials and review other potentially affected resources.
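To make the triage concrete, here is an added example (not AlphaSOC's detection code) that applies the page's logic to a few constructed CloudTrail records: ECR PutImage calls are flagged unless they were initiated by an AWS service or by an allow-listed principal, and each finding carries the principal, source IP, repository and tag an analyst would check first. The allow-list prefix and the sample records are assumptions.

```python
# Constructed CloudTrail records (not real telemetry): ECR PutImage calls from a CI
# role, from an unfamiliar IAM user, from an AWS service, plus an unrelated ECR read.
SAMPLE_EVENTS = [
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-build-role/gha"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"repositoryName": "app/api", "imageTag": "v1.4.2"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"repositoryName": "app/api", "imageTag": "latest"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
     "userIdentity": {"type": "AWSService", "invokedBy": "codebuild.amazonaws.com"},
     "sourceIPAddress": "codebuild.amazonaws.com",
     "requestParameters": {"repositoryName": "app/worker", "imageTag": "v2.0.0"}},
    {"eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor-tmp"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"repositoryName": "app/api"}},
]

# Hypothetical allow-list: ARN prefixes of principals expected to push images.
EXPECTED_PUSHERS = ("arn:aws:sts::111122223333:assumed-role/ci-build-role/",)

def is_expected_pusher(arn, allowlist=EXPECTED_PUSHERS):
    """True if the principal ARN starts with an allow-listed prefix."""
    return any(arn.startswith(prefix) for prefix in allowlist)

def find_unexpected_ecr_uploads(events, allowlist=EXPECTED_PUSHERS):
    """Low-severity findings for PutImage calls neither AWS-service-initiated (exempt) nor from an expected principal."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("eventName") != "PutImage":
            continue
        identity = ev.get("userIdentity", {})
        if identity.get("type") == "AWSService":  # service-initiated: exempt
            continue
        arn = identity.get("arn", "")
        if is_expected_pusher(arn, allowlist):
            continue
        params = ev.get("requestParameters", {})
        findings.append({"severity": "Low", "principal": arn,
                         "source_ip": ev.get("sourceIPAddress"),
                         "repository": params.get("repositoryName"),
                         "tag": params.get("imageTag")})
    return findings
```

Running it over the sample records yields a single finding for the unfamiliar IAM user; the CI role, the service-initiated push and the read-only BatchGetImage call are all ignored.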