Mitiga researchers have documented a new post-exploitation technique attackers can use to gain persistent remote access to AWS Elastic Compute Cloud (EC2) instances (virtual servers), as well as to non-EC2 machines (e.g., on-premises enterprise servers and virtual machines, and VMs in other cloud environments).

The success of this "living off the land" technique hinges on:

- Attackers gaining initial access to the machine (e.g., by exploiting an unpatched vulnerability on a public-facing instance/server), and
- The presence of the SSM Agent, a software component that enterprise sysadmins use to manage the endpoints from the AWS account using the AWS Systems Manager service.

"After controlling the SSM Agent, the attackers can carry out malicious activities, such as data theft, encrypting the filesystem (as a ransomware), misusing endpoint resources for cryptocurrency mining and attempting to propagate to other endpoints within the network – all under the guise of using a legitimate software, the SSM Agent," Mitiga researchers Ariel Szarf and Or Aspir explained.

The researchers have tried out two different scenarios, and the level of access required for both is high. In the first scenario, the threat actor requires root access on the targeted Linux machine or administrator privileges on the targeted Windows system, while in the second they must be able to run as at least a non-root privileged user on the targeted Linux machine or as administrator on the targeted Windows system.

", the attack is 'hijacking' the original SSM Agent process by registering the SSM Agent to work in 'hybrid' mode with a different AWS account, enforcing it to not choose the metadata server for identity consumption. Then, the SSM Agent will communicate and execute commands from the attacker-owned AWS account," they explained.
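The hybrid-mode re-registration described above leaves host-side traces a defender can check for: an EC2 instance whose agent should identify itself via the metadata service (an `i-...` ID) instead reporting a hybrid managed-instance identity (`mi-...`), and an `amazon-ssm-agent -register` invocation. The following is an added example, not Mitiga's or AWS's code; the log lines and command lines are constructed samples, and the exact wording of the agent's log messages is assumed rather than taken from the page.

```python
import re

# Constructed sample SSM Agent log text (not real logs). The first line is the
# normal EC2 identity; the second is the shape a hybrid registration would leave.
SAMPLE_AGENT_LOG = """\
2023-08-02 10:14:02 INFO [amazon-ssm-agent] using instance id i-0abc123def456789a
2023-08-02 11:03:55 INFO Successfully registered the instance with AWS SSM using Managed instance-id: mi-0123456789abcdef0
"""

# Constructed sample process command lines (placeholders, not real activation data).
SAMPLE_PROC_CMDLINES = [
    "/usr/bin/amazon-ssm-agent",
    "amazon-ssm-agent -register -code <ACTIVATION-CODE> -id <ACTIVATION-ID> -region us-east-1",
]

# Hybrid-activated managed instances carry IDs prefixed "mi-"; EC2 instances use "i-".
HYBRID_ID = re.compile(r"\bmi-[0-9a-f]{8,17}\b")
# The agent is pointed at a hybrid activation with its -register flag.
REGISTER_FLAG = re.compile(r"amazon-ssm-agent\b.*\s-register\b")


def find_hybrid_ids(log_text):
    """Return the distinct managed-instance IDs (mi-...) seen in agent log text."""
    return sorted(set(HYBRID_ID.findall(log_text)))


def find_register_invocations(cmdlines):
    """Return command lines that (re)register the agent, i.e. a hybrid activation."""
    return [c for c in cmdlines if REGISTER_FLAG.search(c)]


def assess(log_text, cmdlines, expected_ec2=True):
    """Combine both signals into a list of findings (empty means nothing suspicious).

    On a genuine EC2 host the agent should use its own i-... identity from the
    metadata service; an mi-... identity or a -register invocation means it has
    been re-registered against an activation, possibly from a foreign account."""
    findings = []
    hybrid = find_hybrid_ids(log_text)
    if hybrid and expected_ec2:
        findings.append("agent log shows hybrid identity on EC2 host: " + ", ".join(hybrid))
    for cmd in find_register_invocations(cmdlines):
        findings.append("agent registration command observed: " + cmd)
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_AGENT_LOG, SAMPLE_PROC_CMDLINES):
        print("ALERT:", finding)
```

On a real host the log text would come from the agent's log directory and the command lines from the process table; the checks themselves do not depend on where the input is read from.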