Windows and Linux systems using Amazon’s cloud service are being targeted by a remote access trojan (RAT) capable of taking over the victim’s machine using the tech giant’s own management tool, a cybersecurity firm says.
Mitiga made the disclosure today after monitoring Amazon Web Services (AWS) to see how its defenses coped with the RAT.
What makes this attack vector so insidious is that no standalone malicious code is required: a threat actor can simply turn AWS’s own Systems Manager (SSM) agent against the victim.
“The SSM agent, a legitimate tool used by admins to manage their instances, can be repurposed by an attacker who has achieved high privilege access on an endpoint with [the] SSM agent installed, to carry out malicious activities on an ongoing basis,” said Mitiga.
What this does mean, of course, is that the attacker must already have gained access through an earlier successful breach of the target’s defenses, so AWS users confident in theirs can perhaps breathe a little more easily.
But those who have been compromised may find their cloud-stored data is low-hanging fruit for an enterprising cybercriminal using this technique, which “allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities.”
Mitiga added that such misuse of AWS’s own SSM allows attackers to avoid being flagged by antivirus software, essentially using Amazon’s reputation and perceived legitimacy to cover their tracks.
Furthermore, attackers “can use their own malicious AWS account as a Command and Control (C&C) server, enabling them to control the compromised SSM agent.”
It added: “This allows their communication to appear legitimate, making it harder to detect their activities.”
This includes using SSM-supported features like RunCommand or StartSession to gain “effortless control over the compromised endpoint.”
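The defender’s side of the behaviour described above, as an added example that is not from Mitiga’s report or from AWS tooling: a small Python check over constructed fleet-inventory data that flags an SSM agent reporting a hybrid-activation identity (an ID starting with `mi-`) on a host that should be a plain EC2 instance, an agent talking to a region other than the one the fleet uses, or an agent process that was started with the hybrid `-register` option (re-registering an existing host is what lets it report to a different account). The record layout, host names, IDs and the `EXPECTED_REGION` value are assumptions made for this example.

```python
"""Flag SSM agents whose registration does not match what the fleet expects.

Three indicators are derived from the abuse described above:
  hybrid_identity     - agent reports an "mi-" managed-instance ID on a host
                        that should use its EC2 instance identity ("i-").
  region_mismatch     - agent is talking to a region the fleet does not use.
  manual_registration - agent process was launched with "-register", i.e. it
                        was (re)registered through an activation instead of
                        relying on instance identity.
The record shapes, host names and IDs below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Assumed fleet-wide setting: every host is expected to use this region.
EXPECTED_REGION = "us-east-1"


@dataclass(frozen=True)
class Finding:
    host: str
    indicator: str
    detail: str


# Constructed identity records as an inventory job might collect them from each
# host's SSM agent. Field names are this example's own, not the agent's format.
CONSTRUCTED_AGENT_IDENTITIES = [
    {"host": "web-1", "managed_id": "i-0abc123def4567890", "region": "us-east-1"},
    {"host": "web-2", "managed_id": "mi-0fedcba9876543210", "region": "eu-west-3"},
    {"host": "db-1", "managed_id": "i-0123456789abcdef0", "region": "us-west-2"},
]

# Constructed process command lines from the same inventory (one per host).
CONSTRUCTED_PROCESS_LINES = [
    "host=web-1 cmd=/usr/bin/amazon-ssm-agent",
    "host=web-2 cmd=/usr/bin/amazon-ssm-agent -register -code <redacted> "
    "-id 1c2d3e4f-0000-0000-0000-000000000000 -region eu-west-3",
    "host=db-1 cmd=/usr/bin/amazon-ssm-agent",
]

PROC_RE = re.compile(r"^host=(?P<host>\S+)\s+cmd=(?P<cmd>.+)$")
REGION_FLAG_RE = re.compile(r"-region\s+(\S+)")


def check_identity(record, expected_region=EXPECTED_REGION):
    """Return findings for one agent identity record."""
    findings = []
    host, managed_id, region = record["host"], record["managed_id"], record["region"]
    if managed_id.startswith("mi-"):
        findings.append(Finding(host, "hybrid_identity",
                                f"agent reports hybrid-activation ID {managed_id}"))
    if region != expected_region:
        findings.append(Finding(host, "region_mismatch",
                                f"agent region {region} != expected {expected_region}"))
    return findings


def check_process_line(line):
    """Return findings for one 'host=... cmd=...' process line."""
    m = PROC_RE.match(line)
    if not m:
        return []  # not an inventory line we understand; skip rather than guess
    host, cmd = m.group("host"), m.group("cmd")
    if "amazon-ssm-agent" not in cmd or "-register" not in cmd.split():
        return []
    # Any activation-based registration on an EC2 host is worth a ticket,
    # whatever region it names, because the target account is not visible here.
    region_match = REGION_FLAG_RE.search(cmd)
    region = region_match.group(1) if region_match else "<unspecified>"
    return [Finding(host, "manual_registration",
                    f"agent started with -register, region argument {region}")]


def scan_fleet(identities, process_lines, expected_region=EXPECTED_REGION):
    """Run both checks over the whole inventory and return all findings."""
    findings = []
    for record in identities:
        findings.extend(check_identity(record, expected_region))
    for line in process_lines:
        findings.extend(check_process_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_fleet(CONSTRUCTED_AGENT_IDENTITIES, CONSTRUCTED_PROCESS_LINES):
        print(f"{f.host:6} {f.indicator:20} {f.detail}")
```

With the constructed data, `web-2` trips all three indicators and `db-1` trips only the region check; `web-1` is clean. In a real fleet, the identity records would come from the hosts themselves (or from the SSM inventory of the account the fleet is supposed to report to), and a host that is missing from that account’s inventory while still running an agent is a fourth signal worth adding.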
In this sense, AWS is a victim of its own popularity, given how widely SSM is used across its vast ecosystem. “This prevalence increases the potential attack surface and provides a larger pool of potential targets for adversaries,” said Mitiga.
Both Linux and Windows users are vulnerable, and while Mitiga made no mention of macOS in this bulletin, other cybersecurity analysts have recently reported Apple’s increased vulnerability to cyberattacks.
“Linux and Windows machines that have an active SSM agent installed are susceptible to this post-exploitation persistence mechanism,” said Mitiga.
Cybersecurity professionals and other AWS users are urged to follow Mitiga’s recommended precautionary measures to reduce their susceptibility to attacks leveraging Amazon’s cloud SSM service.
“By understanding the risks and implementing proper security measures, businesses can fortify their defenses and protect their systems from this evolving threat,” said Mitiga.
Amazon subsequently reached out to Cybernews with a statement on the issue. “AWS software and systems are behaving as designed and there is no need for customers to take any action,” said an AWS spokesperson. “The issues described in the Mitiga publication require an actor to both obtain root level credentials and successfully access an EC2 instance in order to be leveraged.”