
New post-exploitation technique discovered in Amazon Web Services


In a report recently published by security firm Mitiga, new possibilities for post-exploitation activity in attacks against Amazon Web Services (AWS) have been revealed. The technique involves using AWS’s Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines, allowing attackers to maintain access to compromised endpoints and carry out various malicious activities.

The SSM agent is a legitimate tool used by administrators to manage their instances on AWS. However, when an attacker gains highly privileged access to an endpoint with the SSM agent installed, they can repurpose it for malicious purposes. Unlike traditional malware, which can be easily detected by antivirus software, using the SSM agent in this manner allows the attacker to exploit its reputation and legitimacy to cover their tracks.

Mitiga recommends several defenses against this new post-exploitation technique. First, it advises reconsidering the decision to add the SSM agent to the allow list in antivirus (AV) or endpoint detection and response (EDR) solutions. An allow-list entry for the agent can no longer be relied on; instead, the SSM binaries should be removed from the allow list so that their behavior can be thoroughly examined and analyzed for any signs of malicious activity.

The report also suggests integrating detection techniques into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. This proactive approach enhances the capability to hunt for and identify instances of this threat.

Furthermore, the AWS security team provides a solution that restricts the receipt of commands to those from the original AWS account or organization, using the Virtual Private Cloud (VPC) endpoint for Systems Manager. When the Systems Manager service is configured through a VPC endpoint, EC2 instances only respond to commands originating from principals within their original AWS account or organization.
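One way to check that restriction, as an added example that is not code from Mitiga or AWS: the script below audits a VPC endpoint policy document and flags any Allow statement that is not tied to your own account or organization. It assumes the restriction is expressed as an endpoint policy conditioned on `aws:PrincipalAccount` or `aws:PrincipalOrgID`; the IDs are placeholders and the function names are hypothetical.

```python
import json

# Constructed sample policies; the account and organization IDs are placeholders.
OWN_IDS = {"111122223333", "o-exampleorgid"}
DEFAULT_POLICY = json.loads(   # full-access policy: any principal, any account
    '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}')
RESTRICTED_POLICY = {          # same grant, limited to the owning organization
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
                   "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}
FOREIGN_POLICY = {             # condition present, but it names someone else's account
    "Statement": {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*",
                  "Condition": {"StringEquals": {"aws:PrincipalAccount": ["999999999999"]}}}}

TRUST_KEYS = {"aws:principalaccount", "aws:principalorgid"}  # key names are case-insensitive

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_is_scoped(stmt, own_ids):
    """True if an Allow statement matches only principals from own_ids."""
    for key, values in stmt.get("Condition", {}).get("StringEquals", {}).items():
        ids = set(_as_list(values))
        if key.lower() in TRUST_KEYS and ids and ids <= own_ids:
            return True
    return False   # wildcard or other operators are treated as unscoped (conservative)

def audit_endpoint_policy(policy, own_ids):
    """Return findings for Allow statements not tied to our account or organization."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and not statement_is_scoped(stmt, set(own_ids)):
            findings.append(f"statement {i}: Allow is not limited to own account/organization")
    return findings

if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY),
                         ("foreign", FOREIGN_POLICY)]:
        print(name, audit_endpoint_policy(policy, OWN_IDS) or "ok")
```

The check is deliberately conservative: a policy that achieves the same restriction through a Deny statement is still reported and needs manual review.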

Alastair Williams, Vice President of Worldwide Systems Engineering at Skybox Security, agrees with the need for a proactive approach to this potential attack vector. Williams emphasizes the importance of a comprehensive assessment of potential threats to safeguard against these attacks. Organizations should prioritize strengthening their vulnerability management programs to address potential exposures swiftly before they can be exploited.

Rather than relying on reactive measures, it is crucial to implement proactive solutions that can anticipate and mitigate cyber risks. Having a solution in place that evaluates the economic impact of asset loss and the probability of loss events can help organizations make informed decisions and effectively allocate resources to protect their AWS infrastructure.

The discovery of this new post-exploitation technique in AWS serves as a reminder that attackers constantly adapt and find ways to exploit even the most legitimate tools and platforms. As the cybersecurity landscape continues to evolve, organizations must remain vigilant and stay updated on emerging threats to ensure the security of their cloud environments.
