‘Denonia’ research points to new potential cloud cyber threat, experts say


Research demonstrating the potential for malware to target a serverless computing platform raises awareness about a possible avenue for cyber threat actors that many businesses have not thought about before, security experts told VentureBeat.

On Wednesday, Cado Security — which offers a platform for investigation and response to cloud cyber incidents — released a blog post with its findings on the new malware. The Cado researchers named the malware “Denonia” after the domain that the attackers communicated with, and said that it was utilized to enable cryptocurrency mining via Amazon Web Services’ serverless platform, AWS Lambda.

In a statement, AWS said that “the software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” AWS said — adding that “Denonia” does not really constitute malware “because it lacks the ability to gain unauthorized access to any system by itself.”

‘Never a waste of time’

Cybersecurity experts, however, told VentureBeat that the Cado research is still valuable for the security community.

“It is never a waste of time to analyze what attackers are doing,” said John Bambenek, principal threat hunter at IT and security operations firm Netenrich. “If we don’t understand what criminals are up to, then cybersecurity is complete fiction.”

Major improvements in security can only be driven “if people raise awareness around issues and work to solve them together,” said Casey Bisson, head of product and developer relations at code security solutions firm BluBracket.

“There’s nothing in the report to suggest AWS’ infrastructure is vulnerable in a technical sense. But it’s a vulnerable target in a practical sense because monitoring and accountability for resources is more difficult on Lambda than for virtual machines, and the tools to manage them are less mature,” Bisson said.

As a result, this would be a great opportunity for AWS to suggest that its customers enact certain Lambda policies — such as requiring signed code — as a way to ensure the workloads running there are genuine, he said.
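The "requiring signed code" control Bisson describes corresponds to Lambda's code signing configurations. The block below is an added illustration written for this article, not code from Cado, AWS or the article itself: it audits a function inventory for an attached, approved code signing config and builds the IAM policy that expresses the requirement through the documented `lambda:CodeSigningConfigArn` condition key. The account id, ARNs and inventory are constructed sample values, and the record shapes are assumed to follow what the Lambda `ListFunctions` and `GetFunctionCodeSigningConfig` API responses contain.

```python
"""Audit Lambda functions for an approved code signing config and build the
IAM policy that makes signing mandatory for deployers.

Hypothetical example for this article; not Cado's, AWS's or the author's code.
All ARNs, the account id and the inventory below are constructed samples.
"""
import json
from typing import Dict, List, Optional

# Constructed: the single code signing config the organisation approves.
APPROVED_CSC = (
    "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-EXAMPLE0000000001"
)

# Constructed inventory in the shape of ListFunctions()["Functions"] (assumed).
SAMPLE_FUNCTIONS = [
    {"FunctionName": "billing-export",
     "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:billing-export"},
    {"FunctionName": "img-resize",
     "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:img-resize"},
    {"FunctionName": "nightly-job",
     "FunctionArn": "arn:aws:lambda:us-east-1:111122223333:function:nightly-job"},
]

# Constructed: CodeSigningConfigArn per function, as GetFunctionCodeSigningConfig
# would report it (assumed shape). A function with nothing attached has no entry.
SAMPLE_SIGNING = {
    "arn:aws:lambda:us-east-1:111122223333:function:billing-export": APPROVED_CSC,
    "arn:aws:lambda:us-east-1:111122223333:function:nightly-job":
        "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-EXAMPLE0000000002",
}


def find_unsigned_functions(functions: List[dict], signing_by_arn: Dict[str, str],
                            approved_csc: str) -> List[Dict[str, Optional[str]]]:
    """One finding per function that has no code signing config attached, or one
    other than the approved config (an attacker-controlled config would also be
    flagged, since only the approved ARN passes)."""
    findings = []
    for fn in functions:
        csc = signing_by_arn.get(fn["FunctionArn"])
        if csc is None:
            reason = "no code signing config attached"
        elif csc != approved_csc:
            reason = "unapproved code signing config"
        else:
            continue
        findings.append({"FunctionName": fn["FunctionName"],
                         "CodeSigningConfigArn": csc, "Reason": reason})
    return findings


def code_signing_enforcement_policy(approved_csc: str) -> dict:
    """IAM policy for deployer principals: function creation and attaching a
    signing config are allowed only for the approved config, and detaching a
    config is denied. lambda:CodeSigningConfigArn is the documented Lambda
    condition key for this purpose."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyApprovedSigningConfig",
                "Effect": "Allow",
                "Action": ["lambda:CreateFunction",
                           "lambda:PutFunctionCodeSigningConfig"],
                "Resource": "*",
                "Condition": {"StringEquals": {"lambda:CodeSigningConfigArn": approved_csc}},
            },
            {
                "Sid": "NoDetachingSigningConfig",
                "Effect": "Deny",
                "Action": ["lambda:DeleteFunctionCodeSigningConfig"],
                "Resource": "*",
            },
        ],
    }


if __name__ == "__main__":
    for finding in find_unsigned_functions(SAMPLE_FUNCTIONS, SAMPLE_SIGNING, APPROVED_CSC):
        print(f"{finding['FunctionName']}: {finding['Reason']}")
    print(json.dumps(code_signing_enforcement_policy(APPROVED_CSC), indent=2))
```

The Allow statement only constrains principals whose permissions come from this policy; any other policy granting `lambda:CreateFunction` without the condition reopens the gap, which is why the audit function is kept alongside it as the check for drift. With the constructed inventory, `img-resize` is reported as unsigned and `nightly-job` as using an unapproved config.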

Ultimately, the value in the Cado research is “in showing what’s possible if a threat actor could get their code to execute in a target Lambda environment” — even if the research does not reveal any actual exploit, said Mike Parkin, senior technical engineer at Vulcan Cyber.

“How an attacker would deploy [Denonia] is an entirely separate question,” Parkin said.

Lambda is a popular AWS service for running application code without the need to provision or manage servers.

‘Not sufficient’

If nothing else comes from the Cado research report, “it’s highlighting that simply using Amazon Lambda is not sufficient from a cybersecurity standpoint,” Bambenek said.

“It is absolutely critical, if organizations are going to adopt a shared security model, that they know exactly and precisely where the division in those responsibilities lies,” he said.

The shared responsibility model — a concept that is not unique to AWS — divvies up who is responsible for what when it comes to security in public cloud. AWS summarizes its share of the responsibility as the “security of the cloud,” including the infrastructure such as compute, storage and networking. Customers are responsible for everything else — i.e., the “security in the cloud.”

But the line of where the responsibilities are split up can get blurry in some instances, such as in this case with Lambda, Bambenek said.

Who secures what?

While AWS secures the Lambda environment itself — and the customer should know they must secure their own account credentials and code — the issue of how account takeovers are handled is not as straightforward, according to Bambenek.

AWS has indicated that this part is in fact the responsibility of the customer, but many customers think that AWS ought to have checks in place around the account takeover issue, he said.

Regardless, it’s “probably a no-brainer” for AWS to provide detection and prevention around crypto mining in their own environments, Bambenek said.

In its statement, AWS noted that “the [Cado] researchers even admit that this software does not access Lambda — and that when run outside of Lambda in a standard Linux server environment, the software performed similarly.”

“It is also important to note that the researchers clearly say in their own blog that Lambda provides enhanced security over other compute environments in their own blog: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment,’” AWS said in its statement.

Originally appeared on: TheSpuzz