Research demonstrating the potential for malware to attack a serverless computing platform raises awareness of a potential avenue for cyber threat actors that many businesses hadn’t thought of before, security experts told VentureBeat.
On Wednesday, Cado Security, which offers a platform for investigating and responding to cyber incidents in the cloud, published a blog post with its findings on the new malware. Cado researchers named the malware “Denonia” after the domain the attackers communicated with, and said it was used to run cryptocurrency mining on Amazon Web Services’ serverless platform, AWS Lambda.
In a statement, AWS said that “the software described by the researcher does not exploit any weaknesses in Lambda or any other AWS service.”
“The software relies entirely on fraudulently obtained account credentials,” AWS said, adding that “Denonia” does not actually constitute malware “because it lacks the ability to gain unauthorized access to any system on its own.”
‘Never a waste of time’
However, cybersecurity experts told VentureBeat that Cado’s research remains valuable to the security community.
“It’s never a waste of time to analyze what attackers are doing,” said John Bambenek, principal threat hunter at IT and security operations firm Netenrich. “If we don’t understand what criminals do, then cybersecurity is complete fiction.”
Major improvements in security can only be driven “if people raise awareness of the issues and work together to solve them,” said Casey Bisson, head of product and developer relations at code security solutions firm BluBracket.
“There is nothing in the report to suggest that the AWS infrastructure is vulnerable in a technical sense. But it’s a vulnerable target in a practical sense because resource monitoring and accountability are more difficult on Lambda than on virtual machines, and the tools to manage them are less mature,” Bisson said.
As a result, this would be a good opportunity for AWS to encourage its customers to adopt certain Lambda policies, such as requiring code signing, to ensure that the workloads running there are genuine, he said.
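The code-signing control Bisson refers to is a per-function setting in Lambda, and it is only effective when the attached config actually enforces rather than warns. The following audit is an added example (not code from the article, Cado or AWS); it evaluates a constructed, in-memory sample shaped after the fields of Lambda's CodeSigningConfig API (CodeSigningPolicies.UntrustedArtifactOnDeployment, AllowedPublishers.SigningProfileVersionArns), so it runs offline; the function names, ARNs and the SAMPLE_* structures are assumptions.

```python
"""Audit Lambda functions for enforced code signing (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one function with no signing config, one whose config
# only warns, one that enforces. Real data would come from the Lambda API.
SAMPLE_FUNCTIONS: List[Dict[str, Optional[str]]] = [
    {"FunctionName": "orders-api", "CodeSigningConfigArn": None},
    {"FunctionName": "image-resize",
     "CodeSigningConfigArn": "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-warn"},
    {"FunctionName": "billing-cron",
     "CodeSigningConfigArn": "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-enforce"},
]
SAMPLE_CONFIGS: Dict[str, dict] = {
    "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-warn": {
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Warn"},
        "AllowedPublishers": {"SigningProfileVersionArns": ["arn:aws:signer:us-east-1:111122223333:/signing-profiles/release/abc123"]},
    },
    "arn:aws:lambda:us-east-1:111122223333:code-signing-config:csc-enforce": {
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce"},
        "AllowedPublishers": {"SigningProfileVersionArns": ["arn:aws:signer:us-east-1:111122223333:/signing-profiles/release/abc123"]},
    },
}


@dataclass
class Finding:
    function_name: str
    severity: str  # "HIGH", "MEDIUM" or "OK"
    reason: str


def assess_function(fn: Dict[str, Optional[str]], configs: Dict[str, dict]) -> Finding:
    """Classify one function by whether unsigned code could be deployed to it."""
    name = fn["FunctionName"] or ""
    arn = fn.get("CodeSigningConfigArn")
    if not arn:
        return Finding(name, "HIGH", "no code signing config attached; unsigned code can be deployed")
    cfg = configs.get(arn)
    if cfg is None:
        return Finding(name, "HIGH", "attached code signing config could not be resolved")
    publishers = cfg.get("AllowedPublishers", {}).get("SigningProfileVersionArns", [])
    if not publishers:
        return Finding(name, "HIGH", "config allows no signing profiles, so nothing can be verified")
    policy = cfg.get("CodeSigningPolicies", {}).get("UntrustedArtifactOnDeployment", "Warn")
    if policy != "Enforce":
        # Warn mode logs unsigned artifacts but still lets the deployment succeed.
        return Finding(name, "MEDIUM", f"policy is {policy}: unsigned artifacts are logged but still deployed")
    return Finding(name, "OK", f"Enforce with {len(publishers)} allowed signing profile(s)")


def audit(functions: List[Dict[str, Optional[str]]], configs: Dict[str, dict]) -> List[Finding]:
    return [assess_function(fn, configs) for fn in functions]
```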
Ultimately, the value of Cado’s research is “to show what’s possible if a threat actor could get their code to run in a targeted Lambda environment,” even if the research doesn’t reveal any real exploits, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“How an attacker would deploy [Denonia] is a completely separate question,” Parkin said.
Lambda is a popular AWS service for running application code without the need to provision or manage servers.
If nothing else emerges from Cado’s research report, it “highlights that simply using Amazon Lambda is not enough from a cybersecurity standpoint,” Bambenek said.
“If organizations are going to adopt a shared security model, it’s absolutely critical that they know exactly and precisely where the division of those responsibilities lies,” he said.
The shared responsibility model, a concept not unique to AWS, divides who is responsible for what when it comes to security in the public cloud. AWS summarizes its own share as “security of the cloud,” covering infrastructure such as compute, storage and networking. Customers are responsible for everything else, that is, “security in the cloud.”
But the line of where responsibilities are divided can become blurred in some cases, as in this case with Lambda, Bambenek said.
Who secures what?
While AWS protects the Lambda environment itself, and the customer should know to protect their own account, code and credentials, the question of how account takeovers are handled is not that straightforward, according to Bambenek.
AWS has indicated that this part is, in fact, the customer’s responsibility, but many customers think AWS should have controls around the account takeover issue, he said.
Regardless, “it’s probably a no-brainer” for AWS to provide detection and prevention around cryptomining in its own environments, Bambenek said.
In its statement, AWS noted that “the [Cado] researchers even admit that this software does not access Lambda, and that when run outside of Lambda in a standard Linux server environment, the software works similarly.”
“It is also important to note that the researchers clearly state on their own blog that Lambda provides enhanced security over other computing environments: ‘Under the AWS Shared Responsibility model, AWS secures the underlying Lambda runtime environment, but it’s up to the customer to secure the functions themselves,’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment,’” AWS said in its statement.