Threat Actors Use AWS SSM Agent as a Remote Access Trojan
Threat actors have been observed using the Amazon Web Services (AWS) Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines.
According to a new security report published by Mitiga today, the post-exploitation technique allows attackers to control the agent using a separate, maliciously owned AWS account, potentially enabling them to conduct various malicious activities.
AWS Systems Manager is a powerful tool designed to automate operational tasks and manage AWS resources. The SSM agent is a component that facilitates communication between the Systems Manager service and EC2 (Elastic Compute Cloud) instances or on-premises servers.
In its report, Mitiga researchers Ariel Szarf and Or Aspir said that the popularity and trust associated with the SSM agent had led attackers to misuse it for their benefit.
Since Amazon signs the SSM agent binary, it often bypasses traditional antivirus and endpoint detection systems, making it harder to detect malicious activities.
Moreover, attackers can control the agent from their AWS accounts, making the communication appear legitimate, further evading detection.
Mitiga’s research demonstrated two potential attack scenarios. The first scenario involves hijacking the original SSM agent process and registering it with a different AWS account. The attackers then gain complete control over the compromised endpoint, with the agent functioning as a legitimate SSM agent.
The second scenario involves running a separate SSM agent process, allowing the attacker to manipulate the endpoint while the original agent continues to function normally.
Mitiga has shared its research and findings with the AWS security team. The researchers also offered recommendations for mitigating the threat, including reconsidering the SSM agent’s inclusion on allow lists in AV or EDR solutions and implementing detection techniques that proactively identify instances of this technique.
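As an added illustration of the detection step recommended above (example code written for this article, not Mitiga’s or AWS’s own tooling), the Python triage below checks a constructed per-host inventory for both scenarios: a second SSM agent process running beside the legitimate one, and an agent registered to an AWS account the organisation does not own. It assumes the reader’s own EDR or inventory job collects the agent PIDs, the registered account ID and the managed-instance ID from each host; the hostnames, PIDs and account IDs are constructed.

```python
"""Host-level triage for the two SSM-agent misuse scenarios described above."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: the AWS account IDs this organisation actually owns.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}

@dataclass
class HostInventory:
    hostname: str
    is_ec2: bool                        # True if the host is an EC2 instance
    agent_pids: List[int]               # PIDs of running amazon-ssm-agent processes
    registered_account: Optional[str]   # account ID the agent is registered to, if known
    managed_instance_id: Optional[str]  # "i-..." for EC2, "mi-..." for hybrid activations

def triage(host: HostInventory) -> List[str]:
    """Return findings for one host; an empty list means nothing suspicious."""
    findings = []
    # Scenario 2: an extra agent process next to the legitimate one.
    if len(host.agent_pids) > 1:
        findings.append(f"multiple SSM agent processes: pids={host.agent_pids}")
    # Scenario 1: the agent is registered to an account outside the organisation.
    if host.registered_account and host.registered_account not in KNOWN_ACCOUNTS:
        findings.append(f"agent registered to unknown account {host.registered_account}")
    # An EC2 instance should identify as "i-..."; a hybrid-activation "mi-..." ID
    # means the agent was re-registered through an activation, as in scenario 1.
    if host.is_ec2 and host.managed_instance_id and host.managed_instance_id.startswith("mi-"):
        findings.append(f"EC2 host using hybrid-activation id {host.managed_instance_id}")
    return findings

# Constructed sample inventory: one clean host, then one host per scenario.
SAMPLE = [
    HostInventory("web-01", True, [1234], "111111111111", "i-0abc0000000000001"),
    HostInventory("web-02", True, [1240], "999999999999", "mi-0f00000000000000a"),
    HostInventory("db-01", True, [1301, 4120], "111111111111", "i-0abc0000000000002"),
]

def triage_all(hosts: List[HostInventory] = SAMPLE) -> Dict[str, List[str]]:
    """Map hostname -> findings, keeping only hosts that have at least one finding."""
    results = {h.hostname: triage(h) for h in hosts}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, found in triage_all().items():
        print(name, *found, sep="\n  ")
```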
Editorial image credit: Tada Images / Shutterstock.com