For a few years now, attackers have pivoted from relying primarily on custom automated malware to attacks that involve hands-on hacking with utilities that already exist on the compromised systems. Known as living off the land, this approach also extends to cloud infrastructure by leveraging services and tools that cloud providers make available as part of their ecosystem.
Researchers from incident response firm Mitiga recently showed how the AWS Systems Manager (SSM) agent can be hijacked by attackers and turned into a remote access trojan (RAT). The SSM agent is a tool that AWS customers can deploy on EC2 instances, on-premises servers, and virtual machines in other clouds to enable their remote management and monitoring through the AWS-native Systems Manager service.
“The concept is simple: when an attacker successfully gains initial execution on an endpoint that already has an installed SSM agent, rather than uploading a separate commercial or internally developed backdoor or RAT, they can exploit the existing SSM agent to control the endpoint, effectively turning it into a RAT itself,” the Mitiga researchers said in their report.
“By executing commands from a separate, maliciously owned AWS account, the actions carried out by the SSM agent will remain hidden within the original AWS account, leaving no trace of the intrusion.”
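One check a defender can run on an EC2 host follows. It is an added example and not code from Mitiga's report or from the SSM agent project. It assumes two things about the agent that are not stated above: that registering the agent with a different AWS account goes through the Systems Manager hybrid-activation path, which gives the agent a managed-instance ID prefixed `mi-` instead of the EC2 instance's own `i-` ID, and that on Linux the agent records that registration in `/var/lib/amazon/ssm/registration` as a small JSON document with `ManagedInstanceID` and `Region` fields. The sample registration file is constructed for the example.

```python
"""Flag an SSM agent on an EC2 host that has been re-registered as a hybrid
managed instance (an indicator that it may now answer to another account).

Assumptions for this example (not from the article):
- Hybrid-activated agents get a managed-instance ID prefixed "mi-".
- On Linux the agent stores that registration at REGISTRATION_PATH.
"""
import json
import os
from dataclasses import dataclass
from typing import Optional

REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"  # assumed Linux path

# Constructed sample of what a hybrid registration file could look like.
SAMPLE_HYBRID_REGISTRATION = json.dumps(
    {"ManagedInstanceID": "mi-0a1b2c3d4e5f67890", "Region": "eu-west-1"}
)


@dataclass
class Finding:
    suspicious: bool
    reason: str
    managed_instance_id: Optional[str] = None
    region: Optional[str] = None


def load_registration(path: str = REGISTRATION_PATH) -> Optional[str]:
    """Return the registration file's text, or None if the host has none."""
    if not os.path.exists(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def assess_registration(registration_text: Optional[str],
                        expected_region: str) -> Finding:
    """Decide whether an EC2 host's SSM agent registration looks hijacked.

    - No registration file: the agent identifies itself through the EC2
      instance identity, which is the normal state on EC2.
    - An "mi-" ID: the agent was activated as a hybrid managed instance.
      An EC2 host should never be in that state, so this is the indicator.
    - A region that differs from the instance's own is a secondary signal.
    """
    if registration_text is None:
        return Finding(False, "no hybrid registration present (normal on EC2)")
    try:
        reg = json.loads(registration_text)
    except json.JSONDecodeError:
        # A present-but-unreadable file is itself worth a look.
        return Finding(True, "registration file present but not valid JSON")

    mid = str(reg.get("ManagedInstanceID", ""))
    region = str(reg.get("Region", ""))
    if mid.startswith("mi-"):
        reason = "agent registered as a hybrid managed instance on an EC2 host"
        if region != expected_region:
            reason += f"; region {region} != expected {expected_region}"
        return Finding(True, reason, mid, region)
    return Finding(False, "registration present but not a hybrid managed-instance ID",
                   mid, region)


def main() -> None:
    # First the constructed sample, then the live host if the file exists.
    print("sample:", assess_registration(SAMPLE_HYBRID_REGISTRATION, "us-east-1"))
    print("host:  ", assess_registration(load_registration(), "us-east-1"))


if __name__ == "__main__":
    main()
```

Run it on the instance with the region the instance actually lives in; the registration check is cheap enough to fold into a periodic compliance job. It does not prove which account the agent now reports to (that is not written to the file), but an `mi-` ID on an EC2 host is enough to escalate.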
The advantages of hijacking an SSM agent
The SSM agent is a powerful tool that allows remote execution of commands and collection of information about the machine, much as a trojan program would. The difference is that the SSM agent is open source, is developed and digitally signed by Amazon, and is preinstalled on many Amazon Machine Images (AMIs) that customers can deploy on their EC2 instances, such as Amazon Linux, SUSE Linux Enterprise, macOS and Windows Server. It is also present in some system images offered by third parties on the AWS Marketplace or developed by the community.
The top benefit for attackers is that the SSM agent is already allowlisted by many endpoint detection and response (EDR) or antivirus solutions that are likely to be deployed on an AWS-managed server. Zero out of 71 antivirus engines on VirusTotal flagged the binary as malicious.