In a significant development within the realm of cybersecurity, researchers have successfully demonstrated a method for exfiltrating sensitive data from AI-powered code execution environments utilizing domain name system (DNS) queries. This unsettling revelation raises awareness of potential vulnerabilities inherent in cloud-based AI tools, particularly in the context of Amazon Web Services (AWS).
The investigative findings, outlined in a report published by Phantom Labs Research on March 16, focus specifically on the AWS Bedrock AgentCore Code Interpreter. The researchers delve into how attackers may exploit this technology to circumvent expected network restrictions imposed in Sandbox Mode, all in an effort to access sensitive data housed within cloud resources. This new technique brings to light a serious risk that organizations using cloud-based AI solutions need to be aware of.
Central to the vulnerability is the ongoing activity of DNS resolution capabilities, which continue to function even when outbound network connections are otherwise blocked. According to the findings of the researchers, this characteristic enables the embedding of malicious instructions within files, providing a covert channel for command-and-control (C2) operations. Essentially, attackers could manipulate the AI processing to create a backdoor, allowing them to extract sensitive information.
### Mechanics of the Attack
The attack initiated by these researchers begins with the crafting of a malicious CSV file that contains embedded commands. Once this file is processed by the AI agent and the Code Interpreter prepares to execute its content, the embedded malicious directives can influence the subsequent generation of the corresponding Python code. Instead of performing the expected standard analyses, this modified code may establish communication with an external C2 server through DNS queries. The result is a method by which the system continuously polls the server using DNS requests and executes any commands that are returned.
During their testing, the researchers demonstrated a variety of capabilities that can be achieved through this approach. They executed basic commands such as “whoami,” allowing them to identify the user in the sandbox environment. Further probing revealed that they could also list available Amazon S3 buckets and their corresponding contents. Alarmingly, the attack enabled the researchers to extract complete file contents, which could potentially include sensitive credentials, personal data, and financial information. Notably, throughout these activities, the environment erroneously continued to report that network access had been disabled, demonstrating a critical flaw in the security measures in place.
Ram Varadarajan, CEO of Acalvio, commented on the research findings, pointing out that they expose a deeper architectural issue. “The AWS Bedrock’s sandbox isolation failed at the most fundamental layer, DNS,” he stated, emphasizing that the lesson learned is not simply that AWS has a bug, but that perimeter controls in place may be fundamentally inadequate against evolving threats presented by agentic AI execution environments.
### Implications for Cloud Security
The implications of these findings extend further, particularly in how risks escalate when Code Interpreter instances are granted overly permissive identity and access management (IAM) roles. In specific configurations, the interpreter may inherit roles that were originally designed for other AgentCore services, which may require broader access than intended. For instance, the default AgentCore Starter Toolkit role can encompass wide-ranging permissions that could be exploited if an attacker gains manipulative control over code execution within the interpreter.
Jason Soroko, a senior fellow at Sectigo, warned organizations about the limitations of the “Sandbox” network mode in AWS Bedrock AgentCore Code Interpreter, asserting that it does not furnish complete isolation from external networks.
### AWS’s Reaction and Security Recommendations
In light of the research findings, AWS conducted a review and concluded that the observed behavior is part of the system’s intended functionality rather than a direct vulnerability. As a response, instead of issuing a patch, the company chose to update its documentation, clarifying that Sandbox Mode does allow for limited external network access and DNS resolution.
Given that this situation has been classified as intentional, Soroko insists that organizations must adjust their security postures accordingly. “To protect sensitive workloads, administrators should conduct an inventory of all active AgentCore Code Interpreter instances and promptly migrate any handling critical data from Sandbox mode to VPC mode,” he advised.
The study represents a broader challenge as AI systems become capable of executing code and interacting with various infrastructures. Without strict permission boundaries and stringent network controls, automated agents might inadvertently serve as conduits for data exposure, underlining the need for organizations to carefully consider their security protocols as they leverage cloud-based AI solutions.