Cloud Security, Security Architecture

First malware targeting AWS Lambda serverless cloud environment discovered

Attendees walk through an expo hall during AWS re:Invent 2021, a conference hosted by Amazon Web Services, at The Venetian Las Vegas on Nov. 30, 2021, in Las Vegas. (Photo by Noah Berger/Getty Images for Amazon Web Services)

Researchers on Wednesday reported on the first publicly known case of malware specifically designed to execute in an AWS Lambda environment.

In a blog post, Cado researchers said the malware — Denonia — uses newer address resolutions techniques for command-and-control traffic to evade typical detection measures and virtual network access controls.

The researchers said while this first sample is innocuous in that it only runs crypto-mining software, it demonstrates how attackers can use advanced cloud-specific knowledge to exploit complex cloud infrastructure — and it’s indicative of potential attacks in the future.

Distribution of Denonia — named after the domain the attacks communicate with — has thus far been limited. The researchers added that while AWS takes care of the underlying environment under the AWS shared responsibility model, it’s up to each company to secure the actual functions.

 While the shared responsibility model sounds great as an abstract notion, it’s clear that the security implications of new computing paradigms like Lambda functions are simply not well understood by many organizations which use them, said Oliver Tavakoli, CTO at Vectra.

“It’s the responsibility of the cloud service providers to educate their customers on these implications and to choose defaults which increase the likelihood of secure deployments over those which reduce deployment friction while exposing customers to poorly understood risks,” Tavakoli said.

Casey Bisson, head of product and developer relations at BluBracket, said while cloud infrastructure has empowered companies to innovate and scale at a previously impossible pace, that doesn’t change the fundamental security challenges or responsibilities for infrastructure customers.

Bission said DevOps automation has advanced rapidly over the past decade, but implementation of security automation has lagged at most companies. While the report isn’t clear about the attack vector, Bisson said monitoring and automated secret management — especially for cloud access credentials — will help customers protect themselves against cloud infrastructure attacks.

“Cloud credential theft is common, supporting the report’s hypothesis about the attack vector,” Bisson said. “A secret in code is a secret shared, and we recommend early, often and automated scanning of code to help developers identify and remove secrets that might be misused like this.”

John Bambenek, principal threat hunter at Netenrich, added that this incident exposes a blurry DMZ of the shared responsibility model. While Amazon secures the Lambda environment and the customer secures their code and account credentials, Bambenek said the question remains: how are account takeovers handled?

“Amazon believes that’s the customer responsibility, while many organizations believe Amazon should have some checks in place,” Bambenek said. “Either way, it’s probably a no-brainer for Amazon to simply detect and prevent cryptocurrency mining in their environment, except for those instances specifically designed for it.”

Updated April 7 with comments from an AWS spokesperson:

“Lambda is secure by default, and AWS continues to operate as designed. Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service. Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself. What’s more, the researchers even admit that this software does not access Lambda —and that when run outside of Lambda in a standard Linux server environment, the software performed similarly. It is also important to note that the researchers clearly say in their own blog that Lambda provides enhanced security over other compute environments in their own blog: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment.’”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.