For a few years now, attackers have pivoted from relying primarily on custom automated malware to attacks that involve hands-on hacking using utilities that already exist on the targeted systems. Known as living off the land, this approach also extends to cloud infrastructure by leveraging the services and tools that cloud providers make available as part of their ecosystem.
Researchers from incident response firm Mitiga recently showed how the AWS Systems Manager (SSM) agent could be hijacked by attackers and turned into a remote access trojan (RAT). The SSM agent is a tool that AWS customers can deploy on EC2 instances, on-premises servers, and virtual machines in other clouds to enable their remote management and monitoring through the AWS-native Systems Manager service.
“The concept is simple: when an attacker successfully gains initial execution on an endpoint that already has an installed SSM agent, rather than uploading a separate commercial or internally developed backdoor or RAT, they can exploit the existing SSM agent to control the endpoint, effectively turning it into a RAT itself,” the Mitiga researchers said in their report.
“By executing commands from a separate, maliciously owned AWS account, the actions performed by the SSM agent will remain hidden within the original AWS account, leaving no trace of the intrusion.”
The advantages of hijacking an SSM agent
The SSM agent is a powerful tool that allows remote execution of commands and gathering of information about the machine, much as a trojan program would. The difference is that the SSM agent is open source, is developed and digitally signed by Amazon, and is preinstalled on many Amazon Machine Images (AMIs) that customers can deploy on their EC2 instances, such as Amazon Linux, SUSE Linux Enterprise, macOS and Windows Server. It is also present inside some system images offered by third parties on the AWS Marketplace or developed by the community.
The top benefit for attackers is that the SSM agent is already whitelisted by many endpoint detection and response (EDR) or antivirus solutions that are likely to be deployed on an AWS-managed server. Zero out of 71 antivirus engines on VirusTotal flagged the binary as malicious.
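Because the agent binary itself is signed and allowlisted, binary scanning will not surface this abuse; the signal defenders have is the gap it leaves in their own account, where an agent that has been pointed at a foreign account stops reporting as a healthy managed instance. The following is an added example, not Mitiga's code or anything from AWS: it reconciles a Systems Manager managed-instance inventory against the EC2 fleet the account is known to own. The inventory dict mirrors the field names returned by the SSM DescribeInstanceInformation API (InstanceId, PingStatus, ResourceType, ComputerName); the instance IDs, hostnames and the expected-fleet set are constructed sample data.

```python
"""Reconcile SSM managed-instance inventory against the EC2 fleet (added example).

Two defender-side checks:
  1. An EC2 instance we own that is absent from SSM inventory, or present but not
     Online, deserves a look: an agent re-registered to another account stops
     reporting to ours.
  2. A ManagedInstance ("mi-") registration we did not provision (hybrid activation)
     is unexpected and should be reviewed.
"""

# Constructed sample shaped like a DescribeInstanceInformation response.
SSM_INVENTORY = {
    "InstanceInformationList": [
        {"InstanceId": "i-0aaa111", "PingStatus": "Online",
         "ResourceType": "EC2Instance", "ComputerName": "web-1"},
        {"InstanceId": "i-0bbb222", "PingStatus": "Online",
         "ResourceType": "EC2Instance", "ComputerName": "web-2"},
        {"InstanceId": "i-0eee555", "PingStatus": "ConnectionLost",
         "ResourceType": "EC2Instance", "ComputerName": "api-1"},
        {"InstanceId": "mi-0ccc333", "PingStatus": "Online",
         "ResourceType": "ManagedInstance", "ComputerName": "db-1"},
    ]
}

# Constructed sample: EC2 instances this account owns that should run the agent.
EC2_FLEET = {"i-0aaa111", "i-0bbb222", "i-0ddd444", "i-0eee555"}

# Hybrid activations we deliberately created (none in this sample).
EXPECTED_HYBRID = frozenset()


def find_anomalies(inventory, ec2_fleet, expected_hybrid=EXPECTED_HYBRID):
    """Return (instance_id, reason) pairs worth investigating."""
    seen = {}
    for info in inventory.get("InstanceInformationList", []):
        seen[info["InstanceId"]] = info

    findings = []
    # Check 1: every owned EC2 instance should be present and Online.
    for instance_id in sorted(ec2_fleet):
        info = seen.get(instance_id)
        if info is None:
            findings.append((instance_id, "not reporting to SSM in this account"))
        elif info.get("PingStatus") != "Online":
            findings.append((instance_id, f"agent status {info.get('PingStatus')}"))

    # Check 2: hybrid/managed-instance registrations must be ones we provisioned.
    for instance_id, info in sorted(seen.items()):
        if (info.get("ResourceType") == "ManagedInstance"
                and instance_id not in expected_hybrid):
            findings.append((instance_id, "unexpected hybrid registration"))
    return findings


if __name__ == "__main__":
    for instance_id, reason in find_anomalies(SSM_INVENTORY, EC2_FLEET):
        print(f"{instance_id}: {reason}")
```

Against live data the inventory dict would come from paginated calls to the SSM `describe_instance_information` API and the fleet set from EC2 `describe_instances` in the same account and region. An instance missing from inventory has plenty of benign causes (agent stopped, instance profile lacking SSM permissions, no network path to the service endpoint), so treat a finding as a prompt to check the agent's registration on the host, not as proof of compromise.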