Legitimate SSM agents can turn malicious when attackers with high-privilege access use it to carry out ongoing malicious activities on an endpoint.
Once compromised, the threat actors retain access to the compromised system, allowing ongoing illicit activities on AWS or other hosts.
Cybersecurity researchers at Mitiga recently discovered a new AWS post-exploitation technique.
With the help of this new technique, threat actors run SSM agents as RAT on systems that are based on Windows and Linux. While this enables them to control the endpoints through a separate AWS account.
Amazon-signed SSM is a complete management system for admins that gives them the ability to manage the following things:-
AWS Systems Manager Agent (SSM) is widely used and comes pre-installed on many AMIs, which makes it a potential attack surface for hackers on a large pool of AWS instances.
Mitiga finds SSM agent can run in “hybrid” mode within EC2 limits, and this enables access to two key elements via attacker-controlled AWS accounts:-
SSM hybrid mode configures an AWS account to manage diverse machines like:-
Bash commands enable SSM agents to execute in non-associated AWS accounts, and SSM’s proxy feature allows traffic to pass outside AWS infrastructure.
Moreover, the complete exploitation chain depends on two scenarios, and here below we have mentioned them:-
Here below, we have mentioned all the abilities:-
Here Below we have mentioned all the recommendations:-
Keep yourself informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.
The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…
IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…
Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…
A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s Black…
A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals and…
Cybersecurity researchers at Cofense Intelligence have identified a sophisticated phishing tactic leveraging Blob URIs (Uniform…