Threat Actors Use AWS SSM Agent as a Remote Access Trojan

Threat actors have been observed using Amazon Web Services (AWS) 's System Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines.

According to a new security report published by Mitiga today, the post-exploitation technique allows attackers to control the agent using a separate, maliciously owned AWS account, potentially enabling them to conduct various malicious activities.

AWS Systems Manager is a powerful tool designed to automate operational tasks and manage AWS resources. The SSM agent is a component that facilitates communication between the Systems Manager service and EC2 (Elastic Compute Cloud) instances or on-premises servers.

In its report, Mitiga researchers Ariel Szarf and Or Aspir said that the popularity and trust associated with the SSM agent had led attackers to misuse it for their benefit.

Since Amazon signs the SSM agent binary, it often bypasses traditional antivirus and endpoint detection systems, making it harder to detect malicious activities.

Moreover, attackers can control the agent from their AWS accounts, making the communication appear legitimate, further evading detection.

Mitiga’s research demonstrated two potential attack scenarios. The first scenario involves hijacking the original SSM agent process and registering it with a different AWS account. The attackers then gain complete control over the compromised endpoint, with the agent functioning as a legitimate SSM agent.

The second scenario involves running a separate SSM agent process, allowing the attacker to manipulate the endpoint while the original agent continues to function normally.

Mitiga has shared its research and findings with the AWS security team. They also offered recommendations for mitigating this threat, including reconsidering the SSM agent’s inclusion on allow lists in AV or EDR solutions and implementing detection techniques to identify instances of this threat proactively.

Editorial image credit: Tada Images / Shutterstock.com

Threat Actors Use AWS SSM Agent as a Remote Access Trojan

Alessandro Mascellino

You may also like

New Post-Exploitation Attack Method Found Affecting Okta Passwords

LeakyCLI Flaw Exposes AWS and Google Cloud Credentials

Capital One Fined $80m for 2019 Breach

RATs Spread Via Fake Skype, Zoom, Google Meet Sites

Python-Based Tool FBot Disrupts Cloud Security

What’s hot on Infosecurity Magazine?

Fifth of CISOs Admit Staff Leaked Data Via GenAI

State-Sponsored Espionage Campaign Exploits Cisco Vulnerabilities

BEC and Fund Transfer Fraud Top Insurance Claims

Online Banking Security Still Not Up to Par, Says Which?

How to Open and View OST Files Without Outlook

How to Backup and Restore Database in SQL Server

Alarming Decline in Cybersecurity Job Postings in the US

North Korean Group Kimsuky Exploits DMARC and Web Beacons

Russian Sandworm Group Hit 20 Ukrainian Energy and Water Sites

Dependency Confusion Vulnerability Found in Apache Project

How to Navigate the Risks of Generative AI

Hope Revived for UN Cybercrime Treaty as Negotiations Set to Resume

Incident Response: Four Key Cybersecurity Measures to Protect Your Business

Disinformation Defense: Protecting Businesses from the New Wave of AI-Powered Cyber Threats

Is MFA Enough? Strategies for Next-Level Identity Security in 2024

Navigating the Evolving Cybersecurity Compliance Landscape in 2024

Adapting to Tomorrow's Threat Landscape: AI's Role in Cybersecurity and Security Operations in 2024

Securing APIs in the Cloud Frontier

Infosecurity Magazine Spring Online Summit 2024: Day One

Infosecurity Magazine Spring Online Summit 2024: Day Two

Russia’s Midnight Blizzard Accesses Microsoft Source Code

I-Soon GitHub Leak: What Cyber Experts Learned About Chinese Cyber Espionage

LockBit Takedown: What You Need to Know about Operation Cronos

Women in Cybersecurity at Infosecurity Europe 2024

Threat Actors Use AWS SSM Agent as a Remote Access Trojan

Written by

You may also like

What’s hot on Infosecurity Magazine?