First malware targeting AWS Lambda serverless platform disclosed

Researchers at Cado Security say they’ve discovered the first publicly known malware specifically targeted at Amazon Web Services’ serverless computing platform, AWS Lambda — signaling a newly emerging cloud threat that businesses should become aware of.

“With serverless being a relatively new technology, it’s perhaps overlooked in terms of security measures,” said Matt Muir, one of the researchers at Cado Security who discovered the malware targeting AWS Lambda.

The researchers have dubbed the malware “Denonia” — the name of the domain that the attackers communicated with — and say that it was utilized to enable cryptocurrency mining.

But the arrival of malware targeting AWS Lambda suggests that cyberattacks against the service that bring greater damage are inevitable, as well.

Cado Security said it has reported its findings to AWS. In a statement in response to an inquiry about the reported malware discovery, AWS said that “Lambda is secure by default, and AWS continues to operate as designed.”

“Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments,” AWS said in the statement — adding that the company’s acceptable use policy prohibits the violation of the security of any of its systems.

Detection lacking

Cado Security cofounder and CTO Chris Doman said that businesses should expect that serverless environments will follow a similar threat trajectory to that of container environments, which he noted are now commonly impacted by malware attacks.

Among other things, that means that threat detection in serverless environments will need to catch up, Doman said.

“The new way of running code in serverless environments requires new security tools, because the existing ones simply don’t have that visibility. They won’t see what’s going on,” Doman said. “It’s just so different.”

Cado Security, which offers a platform for investigation and response to cloud cyber incidents, does not itself offer detection tools for serverless environments.

Many organizations have likely had the perception that “just because something is serverless, that means it’s completely safe. But that isn’t the case,” Doman said. “If you can run code [on it] — particularly if it’s a popular service — then there’s probably an avenue for an attacker to get in.”

The Cado researchers have not pinpointed who may have been responsible for the Denonia malware, as the attackers left few clues behind. The attack leveraged uncommon techniques around address resolution to obfuscate domain names, making it easier for the malware to communicate with other servers while evading detection, according to the researchers.

This lack of clues and use of unusual techniques — on top of the fact that malware targeting AWS Lambda hasn’t been known to exist previously — suggest the threat actors behind the attack are in possession of advanced knowledge, the Cado researchers said.

The attack also most likely involved a compromise of an AWS account, Muir said.

A bigger target

In addition to the growing popularity of AWS Lambda for running application code — without the need to provision or manage servers — there are other reasons that businesses can expect Lambda to be increasingly targeted by threat actors going forward.

The issue of misconfigurations that expose data in Amazon S3 buckets has gotten less severe in recent years, in part through warnings from AWS itself when a user is about to make this sort of mistake, Doman said. But that’s not the only way for a malicious actor to access an S3 bucket; the other way is to gain access via a service that connects to S3.

And it’s “very common” for Lambda to be given permissions to access S3 — suggesting that attackers may, in the future, attempt to use Lambda as an avenue into accessing S3 bucket data, Doman said. Such data often includes personally identifiable information (PII), such as credit card information, he said.

“If that was breached [via Lambda], then you could lose some very important data,” Doman said.

Update: In a second statement provided to VentureBeat, AWS said that “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” AWS said — adding that “Denonia” does not really constitute malware “because it lacks the ability to gain unauthorized access to any system by itself.”

“What’s more, the researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly,” AWS said in the statement. “It is also important to note that the researchers clearly say in their own blog that Lambda provides enhanced security over other compute environments in their own blog: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment.’”