New post-exploitation technique in Amazon Web Services.
By Tim Nodar, CyberWire senior staff writer.
Aug 2, 2023

New possibilities for post-exploitation activity in attacks against Amazon Web Services.

Mitiga has published a report looking at a new potential post-exploitation technique in AWS. The technique involves “running AWS’s Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on both Linux and Windows machines, controlling the endpoint using another AWS account.”

Abuse of a legitimate tool.

The researchers write, “[T]he SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with SSM agent installed, to carry out malicious activities on an ongoing basis. This allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities. Unlike using common malware types, which are often flagged by antivirus software, using [an] SSM agent in this malicious manner allows the attacker to benefit from the reputation and legitimacy of this binary to cover his tracks.”

Suggested defenses against AWS post-exploitation activity.

Mitiga offers the following recommendations to defend against this technique:

  1. “If the SSM agent was added to the allow list in your AV or EDR solutions, it is strongly recommended to reconsider this decision. Given the potential compromise of the SSM agent as discussed, relying solely on the allow list is no longer reliable. Therefore, it is advisable to remove the SSM binaries from the allow list. By doing so, you enable your EDR solution to thoroughly examine and analyze the behavior of these processes, actively searching for any indications of malicious activity or suspicious anomaly.
  2. “To effectively detect and respond to this malicious action, we recommend following the detection techniques mentioned earlier and integrating them into your SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platforms. By implementing these detections, you enhance your capabilities to proactively hunt for and identify instances of this threat.
  3. “AWS security team offered a solution to restrict the receipt of commands from the original AWS account/organization using the VPC (Virtual Private Cloud) endpoint for Systems Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html). If your EC2 instances are in a private subnet without access to the public network via a public EIP address or NAT gateway, you can still configure the Systems Manager service through a VPC endpoint. By doing so, you can ensure that the EC2 instances only respond to commands originating from principals within their original AWS account or organization. To implement this restriction effectively, refer to the VPC Endpoint policy documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html).”
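As an added illustration of the third recommendation (this is example Terraform, not code from the Mitiga report or the AWS documentation it links), the fragment below creates the Systems Manager interface endpoints with an endpoint policy that only admits principals from the instance's own organization, so an agent re-registered against a foreign account has its polling requests refused at the endpoint. It assumes the instances sit in a private subnet with no NAT gateway or public IP (so the public SSM endpoints are unreachable), and the variable names and the choice of the ssm, ssmmessages and ec2messages services are assumptions.

```hcl
# Added example: restrict SSM traffic leaving the VPC to principals in this
# organization. Assumes instances have no NAT/EIP path to the public endpoints.

variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "endpoint_sg_id"     { type = string } # SG allowing TCP/443 from instances
variable "region"             { type = string }

# The organization the instances belong to. Credentials from any other
# account (for example a hybrid activation created elsewhere) fail the
# condition below and are denied.
data "aws_organizations_organization" "this" {}

data "aws_iam_policy_document" "ssm_same_org_only" {
  statement {
    sid       = "AllowOnlyPrincipalsFromThisOrg"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # An endpoint policy is the only policy evaluated at the endpoint, so
    # a request not matched by this Allow is implicitly denied.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.this.id]
    }
  }
}

# The agent talks to three services; all three endpoints get the same policy.
# private_dns_enabled makes the regional SSM hostnames resolve to the
# endpoint, so the agent uses it without any configuration on the instance.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = true
  policy              = data.aws_iam_policy_document.ssm_same_org_only.json
}
```

To scope the restriction to a single account rather than the whole organization, replace the aws:PrincipalOrgID condition with aws:PrincipalAccount and the account ID.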

(Added, 12:30 PM ET, August 3rd, 2023.) Alastair Williams, Vice President of Worldwide Systems Engineering at Skybox Security, agrees that a proactive approach to this potential attack vector is warranted. "The new post-exploitation technique identified in Amazon Web Services (AWS) enables hackers to utilize the System Management (SSM) agent as a hidden Remote Access Trojan (RAT). This technique can affect both Windows and Linux machines and offers advantages over traditional malware and backdoors, as it is less likely to be detected by security software," Williams explained. "To safeguard against these attacks, organizations should implement a proactive approach that includes a comprehensive assessment of potential threats. Instead of relying on costly and time-consuming reactive measures, organizations should prioritize strengthening their vulnerability management program to swiftly address potential exposures before they can be exploited. Organizations should also have a solution in place that expresses cyber and operational risks in monetary terms, taking the potential economic impact of asset loss and the probability of loss events into account."