Mitiga report reveals unique way to abuse AWS Systems Manager agent


A report released today by cloud incident response company Mitiga Security Inc. details a new potential post-exploitation technique involving Amazon Web Services Inc.’s Systems Manager agent.

The technique involves the potential for the SSM agent to be used as a remote access trojan, or RAT, on both Linux and Windows machines, controlled via an attacker-owned AWS account. The researchers at Mitiga warn that the technique could potentially be abused in real-world attacks.

AWS Systems Manager is a tool within Amazon’s suite that is designed to aid DevOps engineers in managing tasks such as patching operating systems across EC2 instances. SSM allows for the automation of these tasks and provides an integrated way to handle configuration management, patching and system monitoring.

The SSM agent is a software component that can be installed on EC2 instances, on-premises servers or virtual machines. In AWS, the SSM agent is often preinstalled on popular Amazon Machine Images, leading to a high possibility that many existing EC2 instances are running it.

Although using the SSM service for malicious purposes isn’t new, Mitiga’s research involves a unique method to exploit the SSM service, allowing it to function as an integrated RAT. The method can lead to the endpoint’s agent communicating with a different AWS account, potentially owned by an attacker, rather than the original AWS account, making detection of malicious activity more challenging.

To perform an attack using the method detailed in the report, an attacker must have permission to execute commands on the Linux or Windows machine with an SSM Agent installed and running. After obtaining initial access to the machine, attackers can upload and install trojans or backdoors to maintain persistent access and gain control over the endpoint. With this access, attackers can then undertake activities such as data theft, encrypting the filesystem, misusing resources for cryptocurrency mining, or attempting to spread to other network endpoints.

Mitiga has shared its research with the AWS security team and incorporated some of its feedback into its report. For those concerned about potential infections, the report also details how to find out if a rogue agent is running and how to detect an attack involving the SSM agent communicating with a malicious AWS account.
