Cybersecurity researchers have unveiled a novel post-exploitation method operating within Amazon Web Services (AWS), which transforms the AWS Systems Manager Agent (SSM Agent) into a remote access trojan for Windows and Linux environments. The SSM agent, originally a legitimate tool designed for administrators, can be repurposed by attackers with elevated access to execute continuous malicious activities, thus maintaining unauthorized access to compromised systems.
This newly discovered technique enables attackers to manipulate the SSM Agent’s trusted infrastructure to perform a range of harmful actions without deploying additional detectable malware.
Mitiga researchers Ariel Szarf and Or Aspir, in collaboration with The Hacker News, emphasize the potential dangers of this technique. The SSM Agent, ordinarily employed for the management of AWS resources, is exploited as a trojan due to its trusted status, evading endpoint security solutions and thereby eliminating the necessity of deploying potentially detectable malware.
A malevolent actor can even exploit their own malicious AWS account as a command-and-control (C2) to remotely oversee the compromised SSM Agent, further obfuscating the attack.
Mitiga’s analysis details specific post-exploitation procedures, such as registering the SSM Agent in “hybrid” mode to communicate with various AWS accounts, executing commands from an attacker-controlled account. An alternative tactic leverages Linux namespaces to launch a second SSM Agent process that communicates with the attacker’s AWS account, while the existing SSM Agent continues interactions with the original AWS account.
Additionally, the researchers discovered that the SSM proxy feature can be exploited to route SSM traffic to an attacker-controlled server, irrespective of AWS infrastructure.
To mitigate risks, organizations are advised to remove SSM binaries from antivirus allow lists, promptly detecting suspicious activity, and ensure EC2 instances respond only to commands originating from the original AWS account through the Systems Manager’s Virtual Private Cloud (VPC) endpoint.
The report underscores the potential for attackers to engage in harmful activities like data theft, ransomware encryption, cryptocurrency mining, and network propagation while leveraging the guise of the legitimate SSM Agent.
