Monday, May 12, 2025

Hackers Abuse AWS SSM Agent to Perform Various Malicious Activities


A legitimate SSM agent can be turned against its own host when an attacker who already holds high-privilege access uses it to carry out ongoing malicious activity on the endpoint.

Once the endpoint is compromised in this way, the threat actors retain persistent access to it, allowing ongoing illicit activity against AWS resources or other hosts.

Cybersecurity researchers at Mitiga recently discovered a new AWS post-exploitation technique. 


With this technique, threat actors run the SSM agent as a RAT on Windows- and Linux-based systems, which lets them control the endpoints from a separate, attacker-controlled AWS account.

Abusing AWS SSM Agent

The Amazon-signed SSM agent is part of a complete management system that gives admins the ability to manage their instances.

AWS Systems Manager Agent (SSM Agent) is widely used and comes pre-installed on many AMIs, which makes it a potential attack surface across a large pool of AWS instances.

Mitiga found that the SSM agent can run in “hybrid” mode even on an EC2 instance, which gives an attacker-controlled AWS account access to two key elements:-

  • Assets
  • Servers

SSM hybrid mode is meant to let one AWS account manage diverse machines such as:-

  • Non-EC2
  • On-premise servers
  • AWS IoT devices
  • VMs across other cloud environments

A few shell commands are enough to make an SSM agent report to an AWS account other than the one that owns the instance, and SSM’s proxy feature allows the agent’s traffic to pass through infrastructure outside AWS.

Moreover, the complete exploitation chain depends on one of two scenarios, which are outlined below:-

  • Scenario 1: Hijacking the SSM agent
  • Scenario 2: Running Another SSM Agent Process
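Both scenarios leave traces on the host itself: a hijacked agent records a foreign managed-instance identity, and a second agent shows up as an extra process. The triage script below is an added example, not code from Mitiga or AWS; it works on constructed samples, and the registration file path, the “mi-” prefix for hybrid-activated instances and the packaged agent locations are assumptions to confirm against the agent build you run.

```python
"""Host-side triage for the two SSM-agent abuse scenarios described above.

Constructed example: the sample data below is made up, and the file path and
executable locations are assumptions drawn from the agent's usual Linux packaging.
"""
import json
import os
from dataclasses import dataclass

# Where a hybrid-activated agent records its managed-instance identity (assumed
# path; confirm against the agent build you run).
REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"

# Executable locations used by the distro package and the snap (assumed).
KNOWN_AGENT_PATHS = {
    "/usr/bin/amazon-ssm-agent",
    "/snap/amazon-ssm-agent/current/amazon-ssm-agent",
}

# Constructed registration file: a hybrid activation yields a "mi-" managed
# instance ID, whereas an EC2-native agent identifies as the "i-" instance.
SAMPLE_REGISTRATION = '{"ManagedInstanceID":"mi-0123456789abcdef0","Region":"us-east-1"}'

# Constructed `ps -eo pid,ppid,cmd` output: the packaged agent plus a second
# copy running from a world-writable directory.
SAMPLE_PS = """\
  PID  PPID CMD
    1     0 /sbin/init
 1203     1 /usr/bin/amazon-ssm-agent
 1250  1203 /usr/bin/ssm-agent-worker
 4471  4400 /tmp/.cache/amazon-ssm-agent
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    detail: str


def check_registration(registration_text: str, host_region: str) -> list[Finding]:
    """Scenario 1: the installed agent was re-registered to a foreign account."""
    findings: list[Finding] = []
    try:
        reg = json.loads(registration_text)
    except json.JSONDecodeError:
        return [Finding("info", "registration file is not JSON; inspect manually")]
    managed_id = reg.get("ManagedInstanceID", "")
    if managed_id.startswith("mi-"):
        findings.append(Finding("high", f"hybrid activation on an EC2 host: {managed_id}"))
    region = reg.get("Region")
    if region and region != host_region:
        findings.append(Finding("medium", f"agent registered in {region}, host runs in {host_region}"))
    return findings


def check_processes(ps_output: str) -> list[Finding]:
    """Scenario 2: a second agent process, or one started from an odd path."""
    findings: list[Finding] = []
    agents: list[tuple[int, str]] = []
    for line in ps_output.splitlines()[1:]:  # skip the ps header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _ppid, cmd = parts
        exe = cmd.split()[0]
        # Only the supervisor binary counts; ssm-agent-worker and
        # ssm-session-worker are its legitimate children.
        if os.path.basename(exe) == "amazon-ssm-agent":
            agents.append((int(pid), exe))
    if len(agents) > 1:
        findings.append(Finding("high", f"{len(agents)} amazon-ssm-agent processes running, expected 1"))
    for pid, exe in agents:
        if exe not in KNOWN_AGENT_PATHS:
            findings.append(Finding("high", f"pid {pid}: agent launched from unexpected path {exe}"))
    return findings


def triage(registration_text: str, ps_output: str, host_region: str) -> list[Finding]:
    """Run both checks and return every finding, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = check_registration(registration_text, host_region) + check_processes(ps_output)
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    # On a live host you would read REGISTRATION_PATH and capture `ps -eo pid,ppid,cmd`;
    # here the constructed samples stand in for both.
    for finding in triage(SAMPLE_REGISTRATION, SAMPLE_PS, host_region="eu-west-1"):
        print(f"[{finding.severity}] {finding.detail}")
```

Feed the real registration file and a live `ps` capture to `triage()` from an EDR or SIEM collector; the host region comes from the instance metadata service, so a region mismatch alone is worth a look even before the “mi-” check fires.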

Abilities unlocked using the SSM Agent as a RAT

The abilities this gives an attacker are listed below:-

  • The SSM agent is signed by Amazon, so it’s initially trusted by Antivirus and Endpoint Detection & Response solutions.
  • Attackers don’t need to upload new RAT binaries, since the SSM agent is already installed on the endpoint, which helps them avoid detection by AV and EDR products.
  • Threat actors can use their own AWS account as a C&C server, which lets them control the compromised SSM agent while making its communication appear legitimate.
  • Attackers don’t need additional code for the attack infrastructure, as they rely solely on the SSM service and agent.
  • The SSM agent supports features like “RunCommand” and “StartSession,” giving attackers effortless control over the compromised endpoint from their AWS account, allowing them to manipulate it in various ways.
  • The SSM agent’s widespread installation in default AMIs within AWS increases the potential attack surface, providing more targets for threat actors.

Recommendations

Here below, we have mentioned all the recommendations:-

  • Reconsider adding the SSM agent binary to AV or EDR allow lists.
  • To detect and respond to this malicious activity effectively, integrate the relevant detection techniques into your SIEM and SOAR platforms.
  • The AWS security team suggests using the VPC endpoint for Systems Manager to restrict the receipt of commands to the original AWS account or organization.
  • Make sure to configure the Systems Manager service through a VPC endpoint.
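The VPC endpoint recommendation works because an agent registered through a hybrid activation presents credentials issued by the attacker’s account, not yours. The example below is added here and is not AWS’s or Mitiga’s code: it builds an endpoint policy keyed on the `aws:PrincipalOrgID` global condition key and includes a small, simplified model of how IAM evaluates it, so the allow/deny outcome can be checked offline. The organization IDs are constructed placeholders, and it assumes the policy is attached to the ssm, ssmmessages and ec2messages interface endpoints and that the instance has no other route to the public Systems Manager endpoints (the proxy feature mentioned above would otherwise sidestep it).

```python
"""VPC endpoint policy for Systems Manager that only admits our own organization.

Added example, not AWS's or Mitiga's code. The organization IDs are constructed,
and the policy only helps when the endpoint is the instance's sole path to SSM.
"""
import json

OUR_ORG_ID = "o-exampleorg1234"  # constructed placeholder for your organization ID


def build_ssm_endpoint_policy(org_id: str) -> dict:
    """Allow SSM API traffic through the endpoint only for principals in org_id.

    Anything else, including an agent holding credentials from a hybrid
    activation in an unrelated account, falls through to the implicit deny.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyOurOrganization",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
            }
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Minimal subset of IAM condition evaluation: StringEquals / StringNotEquals."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)  # missing key never satisfies StringEquals
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def is_allowed(policy: dict, context: dict) -> bool:
    """Simplified IAM decision: explicit Deny wins, then any Allow, else implicit deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _condition_matches(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        if statement["Effect"] == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_ssm_endpoint_policy(OUR_ORG_ID)
    print(json.dumps(policy, indent=2))
    # Agent credentials issued by our own organization: passes the endpoint.
    print(is_allowed(policy, {"aws:PrincipalOrgID": OUR_ORG_ID}))  # True
    # Credentials from a hybrid activation in an unrelated account: blocked.
    print(is_allowed(policy, {"aws:PrincipalOrgID": "o-unrelated9999"}))  # False
```

The evaluator models only the two string operators the policy needs; it is there to make the decision visible, not to replace the IAM policy simulator. Pair the endpoint policy with egress rules that stop the instance from reaching the public SSM endpoints directly, or the control can be routed around.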


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience in Cyber Security under his belt, he covers Cyber Security News, technology and other news.
