Wednesday’s report by researchers reveals the first case of malware known to have been specifically created for execution in an AWS Lambda environment.
In a blog post, Cado researchers reported that the Denonia malware uses newer address resolution techniques for its command-and-control traffic. This allows it to evade traditional detection measures and virtual network access controls.
The researchers stated that while the first sample is not especially malicious, as it only runs a crypto-mining program, it shows how attackers can abuse complex cloud infrastructure using advanced cloud-specific knowledge. This could be indicative of future attacks.
Distribution of Denonia, named after a domain the malware communicates with, has so far been limited. The researchers noted that AWS provides the environment, but it is up to the customer to protect the actual functions.
"While the shared responsibility model sounds great as an abstract notion, it's clear that the security implications of new computing paradigms like Lambda functions are simply not well understood by many organizations which use them," said Oliver Tavakoli, CTO at Vectra.
Tavakoli said that cloud service providers must educate customers about these implications, and choose defaults that increase the likelihood of secure deployments rather than defaults which reduce deployment friction but expose customers to poorly understood risk.
BluBracket's head of product and developer relations, Casey Bisson, stated that while cloud infrastructure has allowed companies to innovate and scale at a previously impossible pace, it doesn't change the fundamental security challenges and responsibilities for infrastructure customers.
Bisson stated that DevOps automation has made rapid progress over the past decade, but security automation has lagged at most companies. Although the attack vector is not clear, Bisson said that monitoring and automated secrets management for cloud access credentials will help customers protect against attacks on cloud infrastructure.
Cloud credential theft is a common problem, which supports the report's hypothesis about the attack vector, Bisson stated. "Secrets in code are secrets shared. We recommend developers scan code early and often to identify and remove potentially misused secrets."
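The kind of early, repeated code scan Bisson recommends can be a small pre-commit check. The following is an added example written for this article, not code from Cado, BluBracket or any product; it scans source text for AWS access key IDs (the documented `AKIA`/`ASIA` prefix plus 16 characters) and for 40-character secret-key assignments, and uses a Shannon-entropy threshold (an assumed cut-off of 3.5 bits) to skip obvious placeholders. The sample source file, the key values in it and the entropy threshold are all constructed for the example.

```python
import math
import re
import sys
from collections import Counter
from dataclasses import dataclass

# Constructed sample of a source file as it might be committed by mistake.
# Both key values are fabricated and only follow the documented AWS formats.
SAMPLE_SOURCE = """\
import boto3

# TODO: move to environment variables before release
AWS_ACCESS_KEY_ID = "AKIAQ2C4E6G8I0K2M4O6"
AWS_SECRET_ACCESS_KEY = "7kP2mQ9xR4vT1yU6bN3cZ8dW5eF0gH2jL4sA7qX9"
REGION = "us-east-1"
PLACEHOLDER_SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

client = boto3.client("lambda", region_name=REGION)
"""

# Long-term (AKIA) and temporary STS (ASIA) access key IDs share one shape.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 chars of base64-ish text; we only flag it when it
# is assigned to a name that looks like a secret key, to limit false positives.
SECRET_ASSIGN = re.compile(
    r"""(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?"""
)

# Assumed threshold: real secrets are close to random; placeholders are not.
MIN_SECRET_ENTROPY = 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or print the full secret


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return value[:4] + "..." + value[-4:]


def scan_source(text: str) -> list[Finding]:
    """Return findings for every line holding a likely AWS credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(match.group(0))))
        for match in SECRET_ASSIGN.finditer(line):
            secret = match.group(1)
            # Low-entropy values such as "xxxx..." are placeholders, not keys.
            if shannon_entropy(secret) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(line_no, "aws_secret_access_key", redact(secret)))
    return findings


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    if len(sys.argv) == 1:
        for f in scan_source(SAMPLE_SOURCE):
            print(f"sample:{f.line_no}: {f.kind} {f.redacted}")
    else:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in scan_source(fh.read()):
                    print(f"{path}:{f.line_no}: {f.kind} {f.redacted}")
```

Run without arguments to see it flag lines 4 and 5 of the sample and skip the placeholder on line 7; wire it into a pre-commit hook by passing the staged files as arguments and failing the commit when any finding is returned.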
John Bambenek, principal threat hunter at Netenrich, said that this incident exposes a blurry DMZ in the shared responsibility model. While Amazon protects the Lambda environment and the customer secures their code and account credentials, Bambenek asked: how are account takeovers handled?
Amazon holds that customers are responsible, but many organizations believe Amazon should have certain checks in place. In their view, Amazon should be able to detect and stop cryptocurrency mining in its environment.