Malicious Use of Ansible by Threat Actors

Background: Ansible is a legitimate tool used by specialists to manage environments at scale. However, threat actors can also abuse this tool to deploy malicious payloads or establish persistence. But before diving into ways it can be abused and spotted, let’s first understand, with a simple example, how this complex solution works.

Ansible components: Ansible consists of a control node and remote nodes. The control node is used to centralize management of the scaled environment. Remote nodes are the systems that Ansible manages and supports.

Ansible risk: Ansible is managed through simple YAML files, which can be used to perform a wide range of tasks, including actions executed with root privileges (the `become: true` in the playbook below runs every task as root). Example:

```yaml
---
- name: Basic Ansible test playbook
  hosts: all
  become: true

  tasks:
    - name: Print a message
      ansible.builtin.debug:
        msg: "Ansible is working"

    - name: Show hostname
      ansible.builtin.command: hostname
      register: hostname_out

    - name: Print hostname
      ansible.builtin.debug:
        var: hostname_out.stdout

    - name: Ensure a file exists
      ansible.builtin.file:
        path: /tmp/ansible_test.txt
        state: touch
        mode: '0644'

```

Ways an attacker can leverage it:

  • Playbook tampering

  • New malicious playbook creation

Monitor: If you have your own playbook repository, always monitor each change and its timestamp. For a local repository, check the file modification time. If version control is in place, monitor the integrity of the repository.

For any newly created playbook, always ensure that the necessary logging is enabled on the monitored machines.

Prevention: Restrict access to the folder where you store playbooks so that only authorized users or service accounts can access it. Never store plaintext values inside a playbook.
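The monitoring and prevention points above, as an added example that is not part of the original post: a content-hash baseline of a local playbook directory (a hash, unlike a modification time, cannot be quietly reset), a diff against that baseline to surface new or modified playbooks, and a coarse line-level triage of each flagged playbook for privilege escalation, arbitrary-execution modules and plaintext secrets. The regex patterns, the `load_playbooks`/`fingerprint`/`diff_baseline`/`risk_indicators` names and the sample playbooks are my own assumptions, not Ansible's API.

```python
import hashlib
import re
from pathlib import Path
# Coarse line-level indicators worth a second look in any new or modified playbook.
PRIVILEGED = re.compile(r"^\s*(?:-\s*)?become\s*:\s*(?:true|yes)\s*$", re.I)
EXEC_MODULE = re.compile(r"^\s*(?:-\s*)?(?:ansible\.builtin\.)?(?:command|shell|raw|script)\s*:", re.I)
SECRET_KEY = re.compile(r"^\s*(?:-\s*)?(?:\w*pass(?:word)?|\w*secret|\w*token)\s*:\s*(?P<val>\S.*)$", re.I)

def load_playbooks(directory):
    """Read every .yml/.yaml file under directory into {relative_path: bytes}."""
    root = Path(directory)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in root.rglob("*") if p.suffix in (".yml", ".yaml")}

def fingerprint(files):
    """Baseline: SHA-256 per playbook; content hashes, unlike mtimes, cannot be reset."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_baseline(baseline, current):
    """Playbooks added, removed or modified since the baseline fingerprint."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def risk_indicators(text):
    """Triage one playbook: privilege escalation, arbitrary execution, plaintext secrets."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY.match(line)
        if PRIVILEGED.match(line):
            hits.append((lineno, "become"))
        elif EXEC_MODULE.match(line):
            hits.append((lineno, "exec-module"))
        # Vaulted (!vault) or templated ({{ }}) values are not plaintext secrets.
        elif m and not m.group("val").strip("\"'").startswith(("!vault", "{{")):
            hits.append((lineno, "plaintext-secret"))
    return hits
# Constructed sample (not a real repository): a baseline playbook and a tampered copy.
BASELINE_PLAYBOOK = b"""---
- hosts: all
  become: true
  tasks:
    - ansible.builtin.command: hostname
"""
TAMPERED_PLAYBOOK = BASELINE_PLAYBOOK + b"""    - ansible.builtin.shell: echo test
      vars:
        ansible_become_pass: hunter2
"""
```

Store the output of `fingerprint(load_playbooks(path))` somewhere the playbook directory's users cannot write to, and re-run `diff_baseline` on a schedule; anything reported as added or modified is then fed through `risk_indicators` before it is allowed to run.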

Conclusion: Ansible is a powerful solution for managing machines and can also be useful for incident response purposes. However, it can likewise be leveraged by threat actors to maintain persistence, deploy malware, manipulate backup recovery, and carry out other malicious activities.