The first publicly-known malware built to run on the AWS Lambda serverless computing platform has been found.
Serverless computing has simplified deploying code and reduced the infrastructure provisioning developers must do before they can launch, but it also brings new security risks that security teams are only starting to detect.
A recently published blog post from Cado Security detailed the first publicly-known case of malware built for and executed in an AWS Lambda environment. The researchers named the malware Denonia, after the domain the attackers used to communicate with it.
The malware was designed only to run mining software for the Monero (XMR) cryptocurrency, but Cado Security anticipates that attackers will put the same kind of foothold to more severe uses in the near future. It also noted that Denonia's distribution was limited, and that it was not clear how the attackers managed to get the malware executing on Lambda in the first place.
“Organizations – both large and small – are increasingly leveraging Lambda serverless functions,” said Matt Muir, security researcher at Cado Security. “From a business agility perspective, serverless has significant benefits. Lambda also brings security benefits – the managed runtime environment reduces the attack surface compared to a more traditional server environment. However, short runtime durations, the sheer volume of executions, and the dynamic and ephemeral nature of Lambda functions can make it difficult to detect, investigate and respond to a potential compromise.”
The attackers also reportedly wrote the malware in Google's Go programming language, which further hinders analysis: Go produces cross-platform executables, and its statically-linked binaries are larger and harder for malware researchers to analyse than dynamically-linked equivalents.
As mentioned above, Lambda has security benefits built into the platform, but under AWS's Shared Responsibility Model the customer remains responsible for securing the functions themselves: their code and dependencies, their configuration, and the IAM credentials and permissions they run with.
To that end, businesses may look to security tooling built for cloud-native platforms to reduce the threats that Lambda and other serverless computing platforms are likely to face in the next few years.
Such tooling offers end-to-end, real-time analytics on a business's data and telemetry, giving business leaders a clearer picture of what is happening and the ability to make better decisions with less uncertainty.
“In the case of Denonia, its payload was designed to monetize the attack by using infected resources to run cryptomining software, sometimes referred to as crypto-jacking,” said Chas Clawson, CTO of security solutions at Sumo Logic. “But the damage could be much more serious. Organizations should ask themselves if their AWS credentials or keys were stolen, how long would it take them to identify indicators of compromise? Is there sufficient visibility into cloud services and the network traffic they generate, such as communication with the Monero server as in Denonia’s case? Would a spike in CPU and memory usage be noticed by the development team or would those outliers be lost in the metric noise? How many tools would be needed to tie together application tracing data, metric data, log data and security signals? This correlation on its own often takes time, costs money and reduces cyber resiliency.”
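As an added example that is not part of the original article or of Cado Security's research, the Python script below shows how two of the signals Clawson lists (an invocation that runs far longer and hotter than its peers, and outbound traffic to a host the function has no reason to contact) can be checked and correlated per invocation. It parses Lambda's real end-of-invocation REPORT log line format, but every request ID, hostname, allowlist entry and threshold in it is constructed for the example, not a real Denonia indicator; the egress records stand in for whatever a VPC flow log or egress proxy would provide.

```python
import re
import statistics
from dataclasses import dataclass

# Lambda writes one REPORT line to CloudWatch Logs at the end of every
# invocation; this regex matches that real format. The sample lines below
# are constructed data, not telemetry from the Denonia case.
REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<rid>\S+)\s+Duration: (?P<dur>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed>\d+) ms\s+Memory Size: (?P<size>\d+) MB\s+"
    r"Max Memory Used: (?P<used>\d+) MB"
)

SAMPLE_REPORTS = """\
REPORT RequestId: 1a2b-0001 Duration: 212.41 ms Billed Duration: 213 ms Memory Size: 512 MB Max Memory Used: 71 MB
REPORT RequestId: 1a2b-0002 Duration: 198.07 ms Billed Duration: 199 ms Memory Size: 512 MB Max Memory Used: 70 MB
REPORT RequestId: 1a2b-0003 Duration: 230.55 ms Billed Duration: 231 ms Memory Size: 512 MB Max Memory Used: 72 MB
REPORT RequestId: 1a2b-0004 Duration: 205.10 ms Billed Duration: 206 ms Memory Size: 512 MB Max Memory Used: 70 MB
REPORT RequestId: 1a2b-0005 Duration: 899972.34 ms Billed Duration: 899973 ms Memory Size: 512 MB Max Memory Used: 498 MB
""".splitlines()

# Constructed outbound-connection records keyed by the invocation that made
# them (hostnames are placeholders, not real indicators of compromise).
SAMPLE_EGRESS = [
    {"rid": "1a2b-0001", "dst": "api.payments.example.com", "port": 443},
    {"rid": "1a2b-0005", "dst": "api.payments.example.com", "port": 443},
    {"rid": "1a2b-0005", "dst": "pool.mining-example.invalid", "port": 443},
]

# Assumed set of hosts this function legitimately talks to; in practice it
# comes from the function's design or an egress proxy policy.
ALLOWED_EGRESS = {"api.payments.example.com"}


@dataclass
class Invocation:
    rid: str
    duration_ms: float
    memory_size_mb: int
    memory_used_mb: int


def parse_reports(lines):
    """Turn raw CloudWatch lines into Invocation records, skipping non-REPORT lines."""
    out = []
    for line in lines:
        m = REPORT_RE.search(line)
        if m:
            out.append(Invocation(m["rid"], float(m["dur"]), int(m["size"]), int(m["used"])))
    return out


def runtime_outliers(invocations, duration_factor=10.0, memory_ratio=0.9):
    """Flag invocations far above the median duration or near their memory cap.
    A miner keeps the CPU busy until the function times out, so duration and
    memory both jump relative to the normal population. The factors are
    assumptions; tune them against the function's real history."""
    median = statistics.median(i.duration_ms for i in invocations)
    flagged = {}
    for i in invocations:
        reasons = []
        if i.duration_ms > duration_factor * median:
            reasons.append(f"duration {i.duration_ms:.0f} ms > {duration_factor:g}x median {median:.0f} ms")
        if i.memory_used_mb >= memory_ratio * i.memory_size_mb:
            reasons.append(f"memory {i.memory_used_mb}/{i.memory_size_mb} MB")
        if reasons:
            flagged[i.rid] = reasons
    return flagged


def egress_outliers(records, allowed):
    """Flag any destination outside the allowlist, grouped by invocation."""
    flagged = {}
    for r in records:
        if r["dst"] not in allowed:
            flagged.setdefault(r["rid"], []).append(f"unexpected egress to {r['dst']}:{r['port']}")
    return flagged


def correlate(report_lines, egress_records, allowed=ALLOWED_EGRESS):
    """Return {request_id: (severity, reasons)}. A runtime anomaly and an
    unexpected destination on the same invocation is the pattern a
    cryptominer produces; either alone is a lower-confidence signal."""
    runtime = runtime_outliers(parse_reports(report_lines))
    egress = egress_outliers(egress_records, allowed)
    findings = {}
    for rid in set(runtime) | set(egress):
        severity = "high" if rid in runtime and rid in egress else "medium"
        findings[rid] = (severity, runtime.get(rid, []) + egress.get(rid, []))
    return findings


if __name__ == "__main__":
    for rid, (sev, reasons) in sorted(correlate(SAMPLE_REPORTS, SAMPLE_EGRESS).items()):
        print(f"{sev.upper()} {rid}: " + "; ".join(reasons))
```

On the constructed data only invocation 1a2b-0005 is reported, at high severity, because it both ran for roughly the 15-minute Lambda maximum near its memory cap and contacted a host outside the allowlist. The correlation step is the point: a single long invocation or a single odd connection is easy to lose in the metric noise Clawson describes, whereas the two together on one request ID are a strong signal worth paging on.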