Home Security Researchers Uncover AWS SSM Agent Misuse as a Covert Distant Entry Trojan

Researchers Uncover AWS SSM Agent Misuse as a Covert Distant Entry Trojan

by crpt os


Aug 02, 2023THNCloud Security / Cyber Threat

Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access trojan on Windows and Linux environments

“The SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with SSM agent installed, to carry out malicious activities on an ongoing basis,” Mitiga researchers Ariel Szarf and Or Aspir said in a report shared with The Hacker News.

“This allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities.”

SSM Agent is a software installed on Amazon Elastic Compute Cloud (Amazon EC2) instances that makes it possible for administrators to update, manage, and configure their AWS resources through a unified interface.

Cybersecurity

The advantages of using an SSM Agent as a trojan are manifold in that it is trusted by endpoint security solutions and eliminates the need for deploying additional malware that may trigger detection. To further muddy the waters, a threat actor could use their own malicious AWS account as a command-and-control (C2) to remotely supervise the compromised SSM Agent.

The post-exploitation techniques detailed by Mitiga presupposes that an attacker already has permissions to execute commands on the Linux or Windows endpoint that also has an SSM Agent installed and running.

Specifically, it entails registering an SSM Agent to run in “hybrid” mode, allowing it to communicate with different AWS accounts other than the original AWS account where the EC2 instance is hosted. This causes the SSM Agent to execute commands from an attacker-owned AWS account.

An alternative approach uses the Linux namespaces feature to launch a second SSM Agent process, which communicates with the attacker’s AWS account, while the already running SSM agent continues to communicate with the original AWS account.

Cybersecurity

Last but not least, Mitiga found that the SSM proxy feature can be abused to route the SSM traffic to an attacker-controlled server, including a non-AWS account endpoint, thereby permitting the threat actor to control the SSM Agent without having to rely on AWS infrastructure.

Organizations are recommended to remove the SSM binaries from the allow list associated with antivirus solutions to detect any signs of anomalous activity and ensure that EC2 instances respond to commands that only come from the original AWS account using the Virtual Private Cloud (VPC) endpoint for Systems Manager.

“After controlling the SSM Agent, the attackers can carry out malicious activities, such as data theft, encrypting the filesystem (as a ransomware), misusing endpoint resources for cryptocurrency mining and attempting to propagate to other endpoints within the network – all under the guise of using a legitimate software, the SSM Agent,” the researchers said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex