Cybersecurity Researchers Discover Post-Exploitation Method Abusing the AWS Systems Manager Agent
Cybersecurity researchers have recently uncovered a new post-exploitation method within Amazon Web Services (AWS). The method allows attackers to repurpose the AWS Systems Manager Agent (SSM Agent) as a remote access Trojan (RAT) on both Windows and Linux systems.
The SSM Agent, a legitimate tool administrators use to manage their instances and servers, can be abused by an attacker who already holds elevated (root or administrator) privileges on the endpoint, giving them a persistent channel for ongoing malicious activity. Mitiga researchers explain, “This method allows an attacker who has compromised a device, placed on AWS or anywhere else, to maintain access to it and perform various malicious actions.”
The SSM Agent is software installed on Amazon Elastic Compute Cloud (Amazon EC2) instances, and on servers outside AWS that are enrolled as managed instances, providing administrators with a unified interface for updating, managing, and configuring their AWS resources.
Using the SSM Agent as a Trojan offers attackers several advantages. Because the agent is a signed AWS binary that endpoint security solutions typically allow-list, the attacker needs no additional malware that could be detected. Attackers can even use their own AWS account as the command and control (C2) server to remotely control compromised agents, so the C2 traffic blends in with legitimate SSM traffic and further muddies the digital footprint.
Mitiga’s analysis describes a scenario in which the attacker already holds elevated privileges on a Linux or Windows host where the SSM Agent is installed and running, and uses that foothold to point the agent at an AWS account the attacker controls.
Furthermore, the researchers found that the agent’s proxy setting can be abused to route SSM traffic through an attacker-controlled proxy, where it can be intercepted and manipulated, on any server running the agent, even one not associated with AWS. This means attackers can control the SSM Agent without relying on AWS infrastructure at all.
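The two abuse paths above (the agent re-registered so it answers to a foreign AWS account, and SSM traffic redirected through an attacker-controlled proxy) leave traces in the agent's own log. The following triage script is an added example written for this article, not Mitiga's tooling or AWS code. It scans agent log lines for three contradictions of healthy EC2 behaviour: a hybrid-style `mi-` registration on a host whose IMDS instance ID starts with `i-`, a proxy host that is not on the allowed list, and a control channel opened for an identity other than the host's own. The sample log lines are constructed and simplified (real lines in /var/log/amazon/ssm/amazon-ssm-agent.log carry more fields), and the expected instance ID and allowed proxy host are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, loosely modelled on amazon-ssm-agent.log.
# Timestamps and levels are simplified; nothing here is from a real incident.
SAMPLE_LOG = [
    "2023-08-02 10:01:10 INFO Agent will take identity from EC2",
    "2023-08-02 10:01:12 INFO [Registrar] Successfully registered the instance "
    "with AWS SSM using Managed instance-id: mi-0abc123def4567890",
    "2023-08-02 10:01:14 INFO Proxy environment variable: "
    "http_proxy=http://203.0.113.7:3128",
    "2023-08-02 10:01:15 INFO [MessageGatewayService] Setting up websocket for "
    "controlchannel for instance: mi-0abc123def4567890",
]

# 'mi-' IDs are handed out by hybrid activations; EC2 hosts get 'i-' IDs.
REGISTER_RE = re.compile(r"registered the instance .*?instance-id:\s*(mi-[0-9a-f]+)")
PROXY_RE = re.compile(r"https?_proxy=https?://([^:/\s]+)(?::(\d+))?", re.IGNORECASE)
CHANNEL_RE = re.compile(r"controlchannel for instance:\s*(\S+)")


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def triage(lines, host_instance_id, allowed_proxy_hosts=frozenset()):
    """Return Findings for log lines that contradict a healthy EC2 agent.

    host_instance_id: the ID reported by IMDS for this host ('i-...' on EC2).
    allowed_proxy_hosts: proxies the agent is legitimately configured to use.
    """
    findings = []
    for line in lines:
        m = REGISTER_RE.search(line)
        if m and host_instance_id.startswith("i-"):
            # A managed-instance registration on an EC2 host means the agent
            # was enrolled through an activation, i.e. it now answers to
            # whichever account issued that activation.
            findings.append(Finding("hybrid-registration-on-ec2", m.group(1)))

        m = PROXY_RE.search(line)
        if m and m.group(1) not in allowed_proxy_hosts:
            # SSM traffic through an unexpected proxy can be intercepted and
            # answered without ever reaching AWS.
            findings.append(Finding("unexpected-proxy", m.group(1)))

        m = CHANNEL_RE.search(line)
        if m and m.group(1) != host_instance_id:
            # The control channel is the path commands arrive on; it should
            # be opened for this host's own identity only.
            findings.append(Finding("control-channel-identity-mismatch", m.group(1)))
    return findings


if __name__ == "__main__":
    # Placeholder IMDS instance ID and corporate proxy for the demo run.
    for f in triage(SAMPLE_LOG, "i-0123456789abcdef0", frozenset({"proxy.corp.example"})):
        print(f"{f.rule}: {f.evidence}")
```

On a real host, feed the script the agent log and the instance ID read from IMDS; a `hybrid-registration-on-ec2` or `control-channel-identity-mismatch` hit on an EC2 instance is the agent-side footprint of the account hijack described above, and should be correlated with which account the instance's SSM API calls now carry.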
Organizations are advised to remove the SSM Agent binary from the allow lists (exclusions) of their antivirus and EDR products, so that abnormal activity by the agent is detected rather than ignored. Additionally, they should ensure that EC2 instances only accept commands from trusted AWS accounts by routing SSM traffic through a Virtual Private Cloud (VPC) endpoint for Systems Manager whose endpoint policy restricts the calling accounts.
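The second recommendation translates into a VPC endpoint policy. The policy below is an added example for this article, not text from Mitiga or AWS documentation: it allows SSM API calls through the endpoint only when the calling principal belongs to one of the listed accounts, so an agent that has been re-registered into an attacker's account is refused even though it runs on a host inside the VPC. The account IDs are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OnlyPrincipalsFromTrustedAccounts",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalAccount": ["111111111111", "222222222222"]
        }
      }
    }
  ]
}
```

Attach the same policy to the interface endpoints for `ssm`, `ssmmessages`, and `ec2messages`, since the agent uses all three. The policy only bites if the instance cannot reach the public Systems Manager endpoints some other way, so pair it with security-group or egress rules that block that path; otherwise a hijacked agent simply talks to the public endpoint in the attacker's region and the endpoint policy never sees the call. Organizations using AWS Organizations can substitute `aws:PrincipalOrgID` for the account list.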
The researchers warn, “Having gained control over the SSM agent, attackers can carry out harmful activities such as theft of data, file system encryption, illicit use of endpoints for cryptocurrency mining, and attempts to expand to other network endpoints, while masquerading as legitimate software.”