Suspicious AWS API calls indicating a new image being pushed to AWS ECR with the latest tag
Description
AlphaSOC detected the use of the `PutImage` action with `"imageTag": "latest"` to create or update an image manifest and its associated tags in Amazon Elastic Container Registry (ECR). This activity suggests potential malicious intent, such as preparing for container-based attacks, establishing persistence, or poisoning the CI/CD pipeline. While ECR image uploads are common in cloud environments, they can also be leveraged by adversaries to introduce malicious containers.
Impact
The use of `PutImage` with the `latest` tag could allow adversaries to replace existing images with malicious versions, potentially leading to the execution of unauthorized code within the container environment. This can result in data breaches, resource hijacking, lateral movement within the network, or serve as a foothold for further attacks. Compromised container images may also be used to exfiltrate sensitive data or mine cryptocurrency.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
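The following is an added example, not AlphaSOC's own detection code, showing how the description and the severity table above combine: a CloudTrail record is matched on `PutImage` with `imageTag` equal to `latest`, each of the four properties (action, ASN, user agent, region) is compared with a per-principal baseline, and the number of deviating properties maps to the severity. The baseline, the `asn` enrichment field (CloudTrail itself carries only `sourceIPAddress`) and all sample records are constructed for the example.

```python
import json

# Constructed per-principal baseline (assumption: learned from prior activity;
# the page does not say how AlphaSOC builds its own).
BASELINE = {"arn:aws:iam::123456789012:user/ci-deployer": {
    "action": {"PutImage"}, "asn": {"AS16509"},
    "user_agent": {"aws-cli/2.15.0"}, "region": {"us-east-1"}}}
EMPTY = {"action": set(), "asn": set(), "user_agent": set(), "region": set()}
SEVERITY = {1: "Informational", 2: "Low", 3: "Medium"}  # from the table above

def is_latest_put_image(event):
    """True for an ECR PutImage record whose imageTag is exactly 'latest'."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "ecr.amazonaws.com"
            and event.get("eventName") == "PutImage"
            and params.get("imageTag") == "latest")

def unexpected_properties(event):
    """Names of the properties that deviate from the principal's baseline."""
    base = BASELINE.get(event.get("userIdentity", {}).get("arn"), EMPTY)
    observed = {"action": event.get("eventName"),
                "asn": event.get("asn"),  # assumed enrichment field, not native CloudTrail
                "user_agent": event.get("userAgent"),
                "region": event.get("awsRegion")}
    return sorted(k for k, v in observed.items() if v not in base[k])

def assess(raw_event):
    """(severity, unexpected) for a matching record, else None.
    severity is None when nothing deviates from the baseline, so no alert."""
    event = json.loads(raw_event)
    if not is_latest_put_image(event):
        return None
    unexpected = unexpected_properties(event)
    return SEVERITY.get(min(len(unexpected), 3)), unexpected

# Constructed CloudTrail-style records, trimmed to the fields the check reads.
def record(arn, region, agent, asn, tag):
    return json.dumps({"eventSource": "ecr.amazonaws.com", "eventName": "PutImage",
                       "awsRegion": region, "userAgent": agent, "asn": asn,
                       "userIdentity": {"arn": arn},
                       "requestParameters": {"repositoryName": "api", "imageTag": tag}})

CI = "arn:aws:iam::123456789012:user/ci-deployer"
ROUTINE = record(CI, "us-east-1", "aws-cli/2.15.0", "AS16509", "latest")
NEW_REGION = record(CI, "eu-west-1", "aws-cli/2.15.0", "AS16509", "latest")
UNKNOWN = record("arn:aws:iam::123456789012:user/contractor",
                 "eu-west-1", "curl/8.4.0", "AS64496", "latest")
VERSIONED = record(CI, "us-east-1", "aws-cli/2.15.0", "AS16509", "v1.4.2")
```

A versioned tag never matches, a routine CI push matches but raises nothing, and a push from an unknown principal, ASN, user agent and region caps at Medium.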
Investigation and Remediation
Investigate the source and content of the uploaded image. Verify if the upload was authorized and performed by a legitimate user. Scan the image for vulnerabilities and malware. If the image is determined to be malicious, remove it from ECR immediately. Review access logs and user permissions for ECR. If compromise is confirmed, rotate credentials and review other potentially affected resources.