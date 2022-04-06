

Researchers at Cado Security say they’ve discovered the first publicly known malware specifically targeted at Amazon Web Services’ serverless computing platform, AWS Lambda — signaling a newly emerging cloud threat that businesses should become aware of.

“With serverless being a relatively new technology, it’s perhaps overlooked in terms of security measures,” said Matt Muir, one of the researchers at Cado Security who discovered the malware targeting AWS Lambda.

The researchers have dubbed the malware “Denonia” — the name of the domain that the attackers communicated with — and say that it was utilized to enable cryptocurrency mining.

But the arrival of malware targeting AWS Lambda suggests that more damaging attacks against the service are inevitable as well.

Cado Security said it has reported its findings to AWS. VentureBeat has reached out to AWS for comment.

Detection lacking

Cado Security cofounder and CTO Chris Doman said that businesses should expect that serverless environments will follow a similar threat trajectory to that of container environments, which he noted are now commonly impacted by malware attacks.

Among other things, that means that threat detection in serverless environments will need to catch up, Doman said.

“The new way of running code in serverless environments requires new security tools, because the existing ones simply don’t have that visibility. They won’t see what’s going on,” Doman said. “It’s just so different.”

Cado Security, which offers a platform for investigation and response to cloud cyber incidents, does not itself offer detection tools for serverless environments.

Many organizations have likely had the perception that “just because something is serverless, that means it’s completely safe. But that isn’t the case,” Doman said. “If you can run code [on it] — particularly if it’s a popular service — then there’s probably an avenue for an attacker to get in.”

The Cado researchers have not pinpointed who may have been responsible for the Denonia malware, as the attackers left few clues behind. The attack leveraged uncommon techniques around address resolution to obfuscate domain names, making it easier for the malware to communicate with other servers while evading detection, according to the researchers.

This lack of clues and use of unusual techniques — on top of the fact that malware targeting AWS Lambda hasn’t been known to exist previously — suggests the threat actors behind the attack have been in possession of advanced knowledge, the Cado researchers said.

The attack also most likely involved a compromise of an AWS account, Muir said.

A bigger target

In addition to the growing popularity of AWS Lambda for running application code — without the need to provision or manage servers — there are other reasons that businesses can expect Lambda to be increasingly targeted by threat actors going forward.

The issue of misconfigurations that expose data in Amazon S3 buckets has gotten less severe in recent years, in part through warnings from AWS itself when a user is about to make this sort of mistake, Doman said. But that’s not the only way for a malicious actor to access an S3 bucket; the other way is to gain access via a service that connects to S3.

And it’s “very common” for Lambda to be given permissions to access S3 — suggesting that attackers may, in the future, attempt to use Lambda as an avenue into accessing S3 bucket data, Doman said. Such data often includes personally identifiable information (PII), such as credit card information, he said.
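The risk Doman describes here is a least-privilege problem: a Lambda execution role that is allowed to do anything in S3 turns a compromised function into a path to every bucket. The following audit script is an added example for this article, not code from Cado Security, AWS, or the Denonia analysis. It walks IAM policy documents attached to a function's role and flags statements that grant wildcard S3 actions or apply to every bucket, contrasting a broad policy with a scoped one. The bucket name `example-app-uploads`, the statement IDs, and both policy documents are constructed for illustration.

```python
"""Flag Lambda execution-role policy statements that grant broad S3 access.

Added example for this article (not code from Cado Security or AWS).
The sample policy documents below are constructed, not recovered from any incident.
"""
import json
from typing import Any, Dict, List

# Constructed: a role that can do anything in S3 anywhere. This is the
# "Lambda as an avenue into S3" shape the article warns about.
BROAD_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LogsOk", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
        {"Sid": "AllOfS3", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed: the same function limited to reading one prefix of one bucket
# (bucket name "example-app-uploads" is a placeholder).
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadUploadsOnly", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/incoming/*"},
        {"Sid": "ListUploadsPrefix", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-uploads",
         "Condition": {"StringLike": {"s3:prefix": ["incoming/*"]}}},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def risky_s3_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that gives the role broad S3 reach."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        # NotAction/NotResource grant everything *except* the listed items,
        # which almost always includes S3, so treat them as touching S3.
        broad_by_negation = "NotAction" in stmt or "NotResource" in stmt
        touches_s3 = broad_by_negation or any(a == "*" or a.startswith("s3:") for a in actions)
        if not touches_s3:
            continue
        reasons = []
        if broad_by_negation:
            reasons.append("uses NotAction/NotResource (grants everything except the listed items)")
        wild_actions = [a for a in actions
                        if a == "*" or a == "s3:*" or (a.startswith("s3:") and "*" in a)]
        if wild_actions:
            reasons.append("wildcard S3 actions: " + ", ".join(wild_actions))
        resources = _as_list(stmt.get("Resource"))
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            reasons.append("applies to every bucket (Resource wildcard)")
        if reasons:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"), "reasons": reasons})
    return findings


def policy_is_scoped(policy: Dict[str, Any]) -> bool:
    """True when no statement in the policy gives broad S3 access."""
    return not risky_s3_statements(policy)


def audit_policy_json(text: str) -> List[Dict[str, Any]]:
    """Convenience wrapper for policy documents pulled as JSON text (e.g. from the IAM API)."""
    return risky_s3_statements(json.loads(text))


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        findings = risky_s3_statements(policy)
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for f in findings:
            print(f"  statement {f['sid']}: " + "; ".join(f["reasons"]))
```

In practice the policy documents would come from the function's execution role (inline and attached managed policies) rather than from embedded literals; the check itself is the same. The scoped policy also shows the pattern that limits blast radius: one bucket, one prefix, and only the actions the function actually needs.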

“If that was breached [via Lambda], then you could lose some very important data,” Doman said.