First malware targeting AWS Lambda serverless platform disclosed



Researchers at Cado Security say they have discovered the first publicly known malware specifically targeting Amazon Web Services’ serverless computing platform, AWS Lambda, signaling a new emerging cloud threat that businesses need to be aware of.

“Since serverless technology is relatively new, it may be overlooked in terms of security measures,” said Matt Muir, one of the Cado Security researchers who discovered the malware targeting AWS Lambda.

The researchers named the malware “Denonia,” the name of the domain the attackers communicated with, and say it was used to enable cryptocurrency mining.

But the arrival of malware targeting AWS Lambda suggests that cyberattacks against the service causing further damage are also inevitable.

Cado Security said it has reported its findings to AWS. In a statement in response to a query about the reported malware discovery, AWS said “Lambda is secure by default and AWS continues to function as designed.”

“Customers can run a variety of applications on Lambda, and this is indistinguishable from discovering the ability to run similar software in other on-premises or cloud computing environments,” AWS said in the statement, adding that the acceptable use policy of the company prohibits the violation of the security of any of its systems.

Lack of detection

Cado Security co-founder and CTO Chris Doman said that companies should expect serverless environments to follow a similar threat trajectory as container environments, which he noted are now commonly affected by malware attacks.

Among other things, that means threat detection in serverless environments will need to catch up, Doman said.

“The new way of executing code in serverless environments requires new security tools, because the existing ones just don’t have that visibility. They won’t see what’s going on,” Doman said. “It is so different.”

Cado Security, which offers a platform to investigate and respond to cyber incidents in the cloud, does not offer detection tools for serverless environments.

Many organizations have probably had the perception that “because something is serverless, it means it’s completely secure. But that’s not the case,” Doman said. “If you can run code [on it] — particularly if it’s a popular service — then there’s probably a path for an attacker to get in.”

Cado researchers have not identified who may have been responsible for the Denonia malware, as few leads were left behind by the attackers. The attack leveraged unusual techniques around address resolution to obfuscate domain names, making it easier for the malware to communicate with other servers while evading detection, according to the researchers.
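The article does not spell out which address-resolution technique Denonia used, only that it obfuscated domain names and evaded detection. The following is an added example, not code from the article or from Cado Security, showing one detection check a defender can run over VPC flow logs for a VPC-attached Lambda function: it assumes the resolution trick takes the common form of sending DNS lookups somewhere other than the Amazon-provided VPC resolver (plain DNS to an outside server, or DNS over HTTPS/TLS to a public resolver). The Lambda ENI identifier, the resolver address list and the log lines are constructed for the example.

```python
"""Flag Lambda network flows that resolve names outside the VPC resolver.

Added example (not from the article or Cado Security). Scans VPC flow log
records in the default version-2 format for ENIs that back a VPC-attached
Lambda function and reports DNS-style egress that bypasses the Amazon DNS
server. Which ENIs belong to Lambda and which resolver IPs count as public
encrypted-DNS endpoints are assumptions supplied below.
"""

# Assumed: ENI IDs known to back a VPC-attached function (constructed value).
LAMBDA_ENIS = {"eni-0aa11bb22cc33dd44"}

# Public resolvers offering DNS over HTTPS (443) or DNS over TLS (853).
PUBLIC_ENCRYPTED_DNS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed flow-log lines: a benign internal HTTPS flow, an HTTPS flow to a
# public DoH resolver, a plain-DNS flow to an outside server, and a flow from an
# ENI that does not belong to the Lambda function.
SAMPLE_LOG = """\
2 123456789012 eni-0aa11bb22cc33dd44 10.0.1.25 10.0.2.40 49152 443 6 20 4000 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aa11bb22cc33dd44 10.0.1.25 1.1.1.1 49153 443 6 12 2200 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0aa11bb22cc33dd44 10.0.1.25 198.51.100.7 49154 53 17 2 160 1650000000 1650000060 ACCEPT OK
2 123456789012 eni-0ee55ff66aa77bb88 10.0.3.9 8.8.8.8 49155 443 6 30 6000 1650000000 1650000060 ACCEPT OK
"""


def parse_flow_log(text):
    """Parse version-2 flow log lines into dicts; skip anything malformed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def classify(rec):
    """Return a reason string if the record is suspicious DNS egress, else None."""
    if rec["interface_id"] not in LAMBDA_ENIS or rec["action"] != "ACCEPT":
        return None
    dport = int(rec["dstport"])
    # Lookups sent to the Amazon DNS server are not written to flow logs, so any
    # port-53 flow that does appear went to some other resolver.
    if dport == 53:
        return "plain DNS to non-VPC resolver"
    if dport in (443, 853) and rec["dstaddr"] in PUBLIC_ENCRYPTED_DNS:
        return "encrypted DNS (DoH/DoT) to public resolver"
    return None


def find_dns_bypass(text):
    """Return one finding per flow that resolves names outside the VPC resolver."""
    findings = []
    for rec in parse_flow_log(text):
        reason = classify(rec)
        if reason:
            findings.append({
                "eni": rec["interface_id"],
                "dst": rec["dstaddr"],
                "dstport": int(rec["dstport"]),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for finding in find_dns_bypass(SAMPLE_LOG):
        print(finding)
```

A function that has no business resolving names on its own should produce no such flows at all, so the check is cheap to keep running; a hit is a prompt to pull the function's code, layers and execution-role activity, not proof of compromise on its own.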

This lack of clues and the use of unusual techniques, in addition to the fact that malware targeting AWS Lambda was not previously known to exist, suggests that the threat actors behind the attack possess advanced knowledge, the Cado researchers said.

The attack likely also involved the compromise of an AWS account, Muir said.

A bigger goal

In addition to the growing popularity of AWS Lambda for running application code without the need to provision or manage servers, there are other reasons why companies can expect Lambda to be increasingly targeted by threat actors in the future.

The problem of misconfigurations exposing data in Amazon S3 buckets has become less serious in recent years, in part due to warnings from AWS when a user is about to make this kind of mistake, Doman said. But that’s not the only way a malicious actor can access an S3 bucket; the other way is to get access through a service that connects to S3.

And it’s “very common” for Lambda to be granted permissions to access S3, suggesting that attackers may, in the future, try to use Lambda as a pathway to access data in the S3 bucket, Doman said. Such data often includes personally identifiable information (PII), such as credit card information, he said.

“If that was violated [via Lambda] then you could lose some very important data,” Doman said.
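The Lambda-to-S3 pathway Doman describes is only as wide as the function's execution role allows. Below is an added example, not code from the article or from Cado Security, that audits an execution role's inline policy document for the broad S3 grants that turn a compromised function into a route to bucket data, placing an over-permissive policy beside its least-privilege counterpart. Both policy documents, the bucket name and the prefix are constructed for the example.

```python
"""Audit a Lambda execution-role policy for over-broad S3 access.

Added example (not from the article or Cado Security). Given an IAM policy
document, it reports Allow statements that grant wildcard S3 actions, reach
every bucket, or grant write/delete rights that a read-only function would not
need. The two policies below are constructed: one is the broad grant that makes
Lambda a pathway into S3, the other is what the same function needs to do its
job.
"""
import json

# Constructed over-broad policy: the role may do anything to any bucket.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed least-privilege counterpart: read one prefix of one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-input-bucket/uploads/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-input-bucket",
         "Condition": {"StringLike": {"s3:prefix": ["uploads/*"]}}},
    ],
}

# S3 action prefixes that change or remove data rather than read it.
S3_WRITE_PREFIXES = ("s3:Put", "s3:Delete", "s3:Restore", "s3:Abort")


def _as_list(value):
    """IAM allows scalars or lists for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_resource(resource):
    """True for '*' or any S3 ARN whose bucket component is a bare wildcard."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")


def find_broad_s3_grants(policy):
    """Return findings for Allow statements that touch S3 too broadly."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a for a in _as_list(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("s3:")]
        if not actions:
            continue  # statement does not grant S3 access
        reasons = []
        if any(a == "*" or a.endswith("*") for a in actions):
            reasons.append("wildcard S3 action")
        if any(_is_wildcard_resource(r) for r in _as_list(stmt.get("Resource", []))):
            reasons.append("wildcard S3 resource")
        if any(a.startswith(S3_WRITE_PREFIXES) for a in actions):
            reasons.append("write/delete permission on S3")
        if reasons:
            findings.append({"statement": index, "actions": actions, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", OVERLY_BROAD_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, json.dumps(find_broad_s3_grants(policy), indent=2))
```

Run against the policy documents attached to each function's execution role (managed policies included), the check turns Doman's "very common" observation into a list of functions whose compromise would expose bucket contents, which is where to start narrowing.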

