Threat Actors Use AWS SSM Agent as a Remote Access Trojan
Threat actors have been observed using Amazon Web Services' (AWS) Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines.
According to a new security report published by Mitiga today, the post-exploitation technique allows attackers to control the agent from a separate, attacker-controlled AWS account, potentially enabling them to conduct various malicious activities on the compromised host.
AWS Systems Manager is a powerful tool designed to automate operational tasks and manage AWS resources. The SSM agent is a component that facilitates communication between the Systems Manager service and EC2 (Elastic Compute Cloud) instances or on-premises servers.
In its report, Mitiga researchers Ariel Szarf and Or Aspir said that the popularity and trust associated with the SSM agent had led attackers to misuse it for their benefit.
Because the SSM agent binary is signed by Amazon, it is typically trusted by traditional antivirus and endpoint detection systems, which makes malicious use of it harder to detect.
Moreover, because the attackers control the agent from their own AWS accounts, its communication with the Systems Manager service appears legitimate, further evading detection.
Mitiga’s research demonstrated two potential attack scenarios. The first scenario involves hijacking the original SSM agent process and registering it with a different AWS account. The attackers then gain complete control over the compromised endpoint, with the agent functioning as a legitimate SSM agent.
The second scenario involves running a separate SSM agent process, allowing the attacker to manipulate the endpoint while the original agent continues to function normally.
Mitiga has shared its research and findings with the AWS security team. Mitiga also offered recommendations for mitigating this threat, including reconsidering the SSM agent's inclusion on allow lists in AV or EDR solutions and implementing detection techniques to identify instances of this threat proactively.
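As an added illustration of the kind of host-side detection the report recommends (this is example code, not Mitiga's or AWS's own tooling), the script below scans a constructed process snapshot for the two scenarios described above: an SSM agent being (re)registered with an activation code, which binds it to whichever account issued that activation, and a second agent process running beside the legitimate one. The expected install paths and the sample process list are assumptions for this example.

```python
import shlex

# Install locations treated as legitimate. An assumption for this example;
# adjust to where your fleet actually installs amazon-ssm-agent.
EXPECTED_AGENT_PATHS = {
    "/usr/bin/amazon-ssm-agent",
    "/snap/amazon-ssm-agent/current/amazon-ssm-agent",
}

# Constructed process snapshot (pid, user, command line); not from the report.
# PID 4410 mimics scenario 1 (hybrid-activation registration from an odd path),
# and its presence beside PID 812 mimics scenario 2 (two agents on one host).
SAMPLE_PROCESSES = [
    (812, "root", "/usr/bin/amazon-ssm-agent"),
    (1023, "root", "/usr/bin/ssm-agent-worker"),
    (4410, "root", "/tmp/.x/amazon-ssm-agent -register -code ACTIVATION-CODE-PLACEHOLDER "
                   "-id ACTIVATION-ID-PLACEHOLDER -region us-east-1"),
    (77, "www-data", "nginx: worker process"),
]


def _is_agent(argv):
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "amazon-ssm-agent"


def _flag_value(argv, flag):
    """Return the token following `flag`, or None if absent or dangling."""
    if flag in argv and argv.index(flag) + 1 < len(argv):
        return argv[argv.index(flag) + 1]
    return None


def analyze(processes):
    """Return a list of findings over (pid, user, cmdline) tuples."""
    findings, agent_pids = [], []
    for pid, _user, cmdline in processes:
        argv = shlex.split(cmdline)
        if not _is_agent(argv):
            continue
        agent_pids.append(pid)
        # Scenario 1: registration via activation code/ID re-homes the agent to
        # the account that issued the activation. On a managed EC2 host this
        # should not happen outside a planned change.
        if "-register" in argv:
            findings.append({"pid": pid, "rule": "agent_registration",
                             "region": _flag_value(argv, "-region")})
        if argv[0] not in EXPECTED_AGENT_PATHS:
            findings.append({"pid": pid, "rule": "unexpected_agent_path", "path": argv[0]})
    # Scenario 2: more than one agent process on the same host.
    if len(agent_pids) > 1:
        findings.append({"pid": agent_pids, "rule": "multiple_agents"})
    return findings
```

Feed it the output of a real process listing (for example `ps -eo pid,user,args` parsed into tuples) and alert on any non-empty result; the worker process (`ssm-agent-worker`) is deliberately ignored so a healthy single agent produces no findings.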
Editorial image credit: Tada Images / Shutterstock.com