UPDATED 08:00 EDT / AUGUST 02 2023

Mitiga report reveals unique way to abuse AWS Systems Manager agent

Updated Aug. 4 with comment from Amazon 

A report released today by cloud incident response company Mitiga Security Inc. details a post-exploitation technique involving the agent for Amazon Web Services Inc.’s Systems Manager service.

The technique turns the SSM agent into a remote access trojan, or RAT, on both Linux and Windows machines, with the agent controlled from an attacker-owned AWS account rather than by custom malware. The researchers at Mitiga warn that the technique could be abused in real-world attacks.

AWS Systems Manager, or SSM, is the AWS management service that lets operations and DevOps engineers run tasks such as patching operating systems across fleets of Elastic Compute Cloud instances. It automates those tasks and provides an integrated way to handle configuration management, patching and system monitoring.

The SSM agent is the software component that runs on EC2 instances, on-premises servers or virtual machines and carries out the commands the service sends. The agent is preinstalled on many popular Amazon Machine Images, so a large share of existing EC2 instances are likely already running it.

Abusing the SSM service for malicious purposes isn’t new, but Mitiga’s research describes a distinct method that lets the agent function as a built-in RAT: instead of issuing commands through the victim’s own account, the attacker makes the endpoint’s agent report to a different AWS account, one the attacker controls. The agent’s traffic still goes to legitimate AWS endpoints, and the commands are logged in the attacker’s account rather than the victim’s, which makes the malicious activity harder to detect.

To perform an attack using the method detailed in the report, an attacker must already be able to execute commands, with administrative privileges, on a Linux or Windows machine that has the SSM agent installed and running; the technique is a persistence and command-and-control mechanism, not an initial-access vector. After that initial access, the attacker can use the SSM agent itself in place of an uploaded trojan or backdoor to maintain persistent access and control of the endpoint, and from there carry out data theft, encrypt the filesystem, misuse resources for cryptocurrency mining, or attempt to spread to other endpoints on the network.

Mitiga has shared its research with the AWS security team and incorporated some of its feedback into its report. For those concerned about potential compromise, the report also details how to check whether a rogue agent is running and how to detect an agent that is communicating with an attacker-controlled AWS account.
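A concrete host-side check for the kind of rogue agent described above, written here as an added example (it is not Mitiga’s script and is not taken from the report). It assumes the rogue agent either went through SSM’s hybrid-activation flow (the documented `amazon-ssm-agent -register -code … -id … -region …` invocation, which on Linux leaves a registration record at /var/lib/amazon/ssm/registration) or is a second copy of the agent binary started from an unusual path. Those mechanics, the registration file path and format, and the expected install paths are assumptions not stated on this page, and the sample input below is constructed.

```python
"""Triage checks for an SSM agent that reports to a foreign AWS account.

Added example, not Mitiga's or AWS's code. It takes the registration record
and a process listing as text so it runs offline; on a live Linux host you
would read /var/lib/amazon/ssm/registration (path assumed) and the output of
`ps -eo pid,args`.
"""
import json
import re
import shlex
from dataclasses import dataclass

# Where a package- or snap-installed agent normally lives (assumption; adjust
# to your own images). An agent running from anywhere else deserves a look.
KNOWN_AGENT_PATH = re.compile(
    r"^(/usr/bin/amazon-ssm-agent|/snap/amazon-ssm-agent/\d+/amazon-ssm-agent)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def check_registration(text: str, expected_region: str) -> list:
    """Inspect the hybrid-activation registration record.

    An agent running in normal EC2 mode has no such record (assumption). One
    registered with an activation receives a managed-instance ID (mi-...) from
    whichever account created the activation, so any record on an EC2
    instance that was never meant to be a hybrid node is suspicious.
    """
    if not text.strip():
        return []
    try:
        reg = json.loads(text)
    except json.JSONDecodeError:
        return [Finding("registration-unparseable", text[:60])]
    findings = []
    mid = reg.get("ManagedInstanceID", "")
    if mid.startswith("mi-"):
        findings.append(Finding("hybrid-registration", mid))
    region = reg.get("Region")
    if region and region != expected_region:
        # Weak signal on its own: an attacker can create the activation in
        # your region too. The mi- ID above is the strong one.
        findings.append(Finding("registration-region-mismatch", f"{region} != {expected_region}"))
    return findings


def _flag_values(argv: list) -> dict:
    """Map '-flag value' pairs from a command line; bare flags are ignored."""
    opts = {}
    for i in range(1, len(argv) - 1):
        if argv[i].startswith("-") and not argv[i + 1].startswith("-"):
            opts[argv[i]] = argv[i + 1]
    return opts


def check_processes(ps_lines: list) -> list:
    """Scan 'PID ARGS' lines for registration attempts, agents running from
    unexpected paths, and more than one agent process on the host."""
    findings, running = [], []
    for line in ps_lines:
        pid, _, cmd = line.strip().partition(" ")
        argv = shlex.split(cmd)
        if not argv or not argv[0].endswith("amazon-ssm-agent"):
            continue  # ssm-agent-worker and friends are children of the agent
        exe = argv[0]
        if "-register" in argv:
            # amazon-ssm-agent -register -code <code> -id <activation-id> -region <region>
            opts = _flag_values(argv)
            findings.append(Finding(
                "agent-register-invocation",
                f"pid {pid} activation {opts.get('-id', '?')} region {opts.get('-region', '?')}"))
            continue
        running.append((pid, exe))
        if not KNOWN_AGENT_PATH.match(exe):
            findings.append(Finding("agent-nonstandard-path", f"pid {pid} {exe}"))
    if len(running) > 1:
        findings.append(Finding("multiple-agents", ", ".join(f"pid {p} {e}" for p, e in running)))
    return findings


def triage(registration_text: str, ps_lines: list, expected_region: str) -> list:
    return check_registration(registration_text, expected_region) + check_processes(ps_lines)


# Constructed sample: an EC2 instance in us-east-1 whose agent was re-registered
# with an activation from another account, plus a second agent copy started
# from /tmp. The activation ID and code are made up.
SAMPLE_REGISTRATION = '{"ManagedInstanceID":"mi-0f1e2d3c4b5a69788","Region":"eu-west-1"}'
SAMPLE_PS = [
    "812 /usr/bin/amazon-ssm-agent",
    "833 /usr/bin/ssm-agent-worker",
    "4102 /tmp/.cache/amazon-ssm-agent -register -code AbCdEfGhIjKlMnOpQrSt "
    "-id 1b2c3d4e-0000-4000-8000-123456789abc -region eu-west-1",
    "4117 /tmp/.cache/amazon-ssm-agent",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRATION, SAMPLE_PS, "us-east-1"):
        print(f"{f.kind}: {f.detail}")
```

Two things this cannot see are worth saying plainly: the commands the rogue agent executes are recorded in the attacker’s account, not yours, so CloudTrail in the victim account stays quiet; and the agent’s TLS traffic goes to legitimate AWS endpoints, so the network signal is the destination region and account of the activation rather than a suspicious domain. On Windows the same record lives under the agent’s ProgramData directory (assumption) and the process check is the same, with `Get-Process` in place of `ps`.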

Update: AWS has reached out to SiliconANGLE Media Inc. with the following comments on the post-exploitation technique:

“AWS software and systems are behaving as designed and there is no need for customers to take any action,” an Amazon spokesperson told SiliconANGLE. “The issues described in the Mitiga publication, titled ‘Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan,’ require an actor to both obtain root level credentials and successfully access an EC2 instance in order to be leveraged.”

The spokesperson added that “as a security best practice, we recommend AWS customers follow our documentation on properly configuring VPC Endpoints with AWS Systems Manager and to use global condition keys for VPC Endpoints and VPC Endpoint Policies to mitigate the risk of inappropriate access to EC2 instances.”
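As an added illustration of the guidance in AWS’s statement (example code, not AWS’s own), the following Python places the open default endpoint policy beside a restricted one and runs a simplified evaluator over both, showing that an agent presenting credentials from an account outside your organization is stopped at the endpoint only by the restricted policy. The organization ID, account numbers and statement ID are placeholders, and the evaluator models only Action, Effect and StringEquals/StringNotEquals conditions, which is enough to show the decision for this case but is not a substitute for the IAM policy simulator.

```python
"""Endpoint-policy check for the ssm, ssmmessages and ec2messages VPC
endpoints: the default open policy beside a restricted one, with a small
evaluator that shows which policy lets a foreign-account agent through.

Added example, not AWS's code. Org ID and account numbers are placeholders.
"""
import fnmatch
import json

ORG_ID = "o-exampleorgid"  # placeholder: your AWS Organizations ID

# What an interface endpoint has if you never set a policy: anyone may use it,
# including an agent holding credentials issued by an attacker's account.
DEFAULT_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}

# Restricted: only principals that belong to our organization may call the
# service through this endpoint. Attach the same document to the ssm,
# ssmmessages and ec2messages endpoints.
RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OnlyOurOrgThroughThisEndpoint",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["ssm:*", "ssmmessages:*", "ec2messages:*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Evaluate StringEquals / StringNotEquals blocks against request context.
    A key absent from the context (a principal in no organization, say)
    never satisfies StringEquals."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringNotEquals" and actual in _as_list(wanted):
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def endpoint_allows(policy: dict, action: str, ctx: dict) -> bool:
    """Simplified IAM decision for one endpoint policy: a matching explicit
    Deny wins, otherwise any matching Allow grants, otherwise implicit deny.
    ctx holds global condition keys such as aws:PrincipalAccount and
    aws:PrincipalOrgID as IAM populates them for the caller."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_document(policy: dict) -> str:
    """JSON to hand to `aws ec2 modify-vpc-endpoint --policy-document file://...`."""
    return json.dumps(policy, indent=2)


# Constructed request contexts. The legitimate agent calls with the instance
# role from our account; the hijacked agent calls with credentials issued by
# the attacker's account (placeholder numbers), which is outside our org.
OUR_AGENT = {"aws:PrincipalAccount": "111122223333", "aws:PrincipalOrgID": ORG_ID}
ROGUE_AGENT = {"aws:PrincipalAccount": "999988887777", "aws:PrincipalOrgID": "o-attackerorg"}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_ENDPOINT_POLICY), ("restricted", RESTRICTED_ENDPOINT_POLICY)):
        for who, ctx in (("our agent", OUR_AGENT), ("rogue agent", ROGUE_AGENT)):
            print(f"{name:10} {who:12} ssm:UpdateInstanceInformation ->",
                  endpoint_allows(policy, "ssm:UpdateInstanceInformation", ctx))
```

The caveat that goes with this control: an endpoint policy only governs traffic that actually traverses the endpoint. An instance with a NAT or internet gateway route can still reach the public SSM endpoints, and a re-registered agent talks to the region named in its activation, which need not be the region your endpoints are in at all. The policy therefore needs to be paired with private DNS on the endpoints and no outbound path to the service’s public addresses; with that in place, the restricted policy stops the rogue agent at the network edge rather than at the instance the attacker already controls.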

Image: AWS
