3

Our company is moving to the AWS cloud recently, and AWS relies a lot on the SSM agent, it is also opensource. ( https://github.com/aws/amazon-ssm-agent )

From my understanding, this agent is not signed when you deploy it on your machine. Cloudwatch / runcommand depend on this utility on the host.

If an attacker compiles his own SSM agent, and ping back the AWS server as normal. It seems like he can fly under the radar and do evil stuff without triggering any alarms.

Attack scenario :

  1. Gain access to the box,
  2. kill the original agent,
  3. start my malicious agent,
  4. start my bitcoin mining script.

Are there any ways to protect the agent?

  • If your attacker has gained access to the box in step one, why would steps two and three be necessary? – sarnold Jan 19 '19 at 03:00
  • @sarnold yea, thats a good question. If the agent is dead, aws will trigger alert, so what attacker wants is to prevent IR team going after them. By sending "green" traffic back, it can buy some time to run their mining script. –  Jan 19 '19 at 03:34

0 Answers0