For many years now, attackers have pivoted from using primarily custom automated malware to attacks that involve hands-on hacking through utilities that already exist on computers. Known as living off the land, this approach also extends to cloud infrastructure by leveraging services and tools that cloud providers make available as part of their ecosystem.
Researchers from incident response firm Mitiga recently showed how the AWS Systems Manager (SSM) agent could be hijacked by attackers and turned into a remote access trojan (RAT). The SSM agent is a tool that AWS customers can deploy on EC2 instances, on-premises servers, as well as virtual machines in other clouds to enable their remote management and monitoring through the AWS-native Systems Manager service.
“The concept is straightforward: when an attacker successfully gains initial execution on an endpoint that already has an installed SSM agent, rather than uploading a separate commercial or internally developed backdoor or RAT, they can exploit the existing SSM agent to control the endpoint, effectively turning it into a RAT itself,” the Mitiga researchers said in their report.
“By executing commands from a separate, maliciously owned AWS account, the actions carried out by the SSM agent will remain hidden within the original AWS account, leaving no trace of the intrusion.”
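A host-side check for the re-registration the researchers describe, written as an added example for defenders and not taken from Mitiga's report or from the SSM agent code. It assumes (not stated in the article) that on Linux the agent stores hybrid-activation state as JSON in `/var/lib/amazon/ssm/registration` with a managed-instance ID and a region, that a plain EC2 instance has no such file, and that the instance's own account and region come from the IMDS instance identity document; the key names and sample values below are constructed.

```python
"""Flag an SSM agent on an EC2 host that has been re-registered as a hybrid
managed node (the path an attacker would use to point it at another account)."""
import json
from dataclasses import dataclass, field
from typing import List, Optional

REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"   # assumed location
IMDS_IDENTITY_URL = "http://169.254.169.254/latest/dynamic/instance-identity/document"

# Constructed samples standing in for the real files/IMDS response.
SAMPLE_IDENTITY = '{"accountId": "111111111111", "instanceId": "i-0abc123", "region": "us-east-1"}'
SAMPLE_REGISTRATION = '{"ManagedInstanceID": "mi-0fedcba9876543210", "Region": "eu-west-1"}'


@dataclass
class Finding:
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)


def _lookup(obj: dict, *names: str) -> Optional[str]:
    """Case-insensitive key lookup, because the exact key spelling is an assumption."""
    lowered = {k.lower(): v for k, v in obj.items()}
    for name in names:
        if name.lower() in lowered:
            return str(lowered[name.lower()])
    return None


def assess_registration(identity_doc: str, registration: Optional[str]) -> Finding:
    """identity_doc: IMDS identity document JSON; registration: registration file
    contents, or None when the file does not exist (the expected state on EC2)."""
    ident = json.loads(identity_doc)
    finding = Finding()
    if registration is None:
        return finding  # agent authenticates as the instance itself: nothing to flag
    reg = json.loads(registration)
    managed_id = _lookup(reg, "ManagedInstanceID", "instanceID") or ""
    region = _lookup(reg, "Region") or ""
    if managed_id.startswith("mi-"):
        # An EC2 host should never carry a hybrid "mi-" identity of its own accord.
        finding.reasons.append(f"EC2 host {ident.get('instanceId')} registered as hybrid node {managed_id}")
    if region and region != ident.get("region"):
        finding.reasons.append(f"registration region {region} differs from instance region {ident.get('region')}")
    finding.suspicious = bool(finding.reasons)
    return finding


if __name__ == "__main__":
    # Offline demo on the constructed samples; on a real host read REGISTRATION_PATH
    # and fetch IMDS_IDENTITY_URL instead.
    print(assess_registration(SAMPLE_IDENTITY, None))
    print(assess_registration(SAMPLE_IDENTITY, SAMPLE_REGISTRATION))
```

The check only detects the hybrid-activation route; an instance whose SSM agent has stopped reporting to the legitimate account should also be investigated from the account side.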
The advantages of hijacking an SSM agent
The SSM agent is a powerful tool that allows remote execution of commands and gathering of data about the machine, much as a trojan program would. The difference is that the SSM agent is open source, is developed and digitally signed by Amazon, and is preinstalled on many Amazon Machine Images (AMIs) that customers can deploy on their EC2 instances such as Amazon Linux, SUSE Linux Enterprise, macOS and Windows Server. It’s also present inside some system images provided by third parties on the AWS Marketplace or developed by the community.
The top benefit for attackers is that the SSM agent is already whitelisted by many endpoint detection and response (EDR) or antivirus solutions that are likely to be deployed on an AWS-managed server. None of the 71 antivirus engines on VirusTotal flagged the binary as malicious.