Researchers have published a report about new potential post-exploitation techniques involving AWS Systems Manager (SSM) agents.
The technique allows the SSM agent to be repurposed as a remote access trojan (RAT) on both Linux and Windows machines, controlled from an attacker-owned AWS account. The researchers note that it could be abused in real-world attacks.
AWS Systems Manager is a tool within Amazon's suite that is designed to aid DevOps engineers in managing tasks such as patching operating systems across EC2 instances. The SSM agent, once installed on EC2 instances, allows these tasks to be automated and provides an integrated way to handle configuration management, patching, and system monitoring.
The technique abuses the SSM service so that the agent functions as a built-in RAT: the endpoint's agent is made to communicate with a different AWS account, potentially owned by an attacker, rather than the original AWS account, which makes the malicious activity harder to detect.
To perform an attack, an attacker must have permission to execute commands on the Linux or Windows machine with an SSM agent installed and running. After obtaining initial access to the machine, attackers can upload and install trojans or backdoors to maintain persistent access and gain control over the endpoint.
With this access, attackers can perform activities such as data theft, encrypting the filesystem, misusing resources for cryptocurrency mining, or attempting to spread to other network endpoints.
The researchers shared their findings with the AWS security team and incorporated some of its feedback into their report. For those concerned about potential infections, the report also details how to find out whether a rogue agent is running and how to detect an attack in which the SSM agent communicates with a malicious AWS account.
This research was documented by researchers from Mitiga Security.