Hackers are always at the forefront of technology and do not miss an opportunity to attack the latest services including in the cloud. Cado Security researchers have found a cryptominer, capable of operating inside AWS Lambda. This so-called serverless offer executes functions and manages the automatic allocation of resources to run an application.
“Even though this first sample is fairly innocuous, as it only runs cryptocurrency mining software, it shows how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and it’s telling. potential future more deadly attacks,” the researchers said in their report.
Malware written in Go
Called Denonia, this malicious program written in Go comes as a 64-bit ELF executable for Linux. As of now, experts don’t have information on how the malware was distributed, but they believe the perpetrators may have compromised AWS credentials and secret keys. Malware written in the Go language is not new and has even proliferated in recent years, as it offers attackers an easy way to make their malware cross-platform and self-contained. The disadvantage is that binary files are much larger since they must contain all the libraries the program needs, instead of being dynamically linked to libraries already existing on an operating system.
The Go language also makes it easier to deploy their code on serverless solutions, as they support code in multiple languages. AWS Lambda natively supports Java, Go, PowerShell, Node.js, C#, Python, and Ruby. Compared to the traditional cloud where users rent virtual machines that they must manage, along with their operating systems, Lambda and other similar offerings allow users to deploy code written in different languages, run on demand, based on events, without having to worry about managing the underlying IT infrastructure, such as servers and operating systems.
According to the researchers, Denonia was clearly developed for Lambda, as it includes open-source third-party Go libraries. aws-sdk-go and aws-lambda-go created by the cloud provider itself to interact with the platform. Additionally, while running, the malware checks for the presence of specific Lambda environment variables, such as LAMBDA_SERVER_PORT and AWS_LAMBDA_RUNTIME_API. “Despite the presence of these variables, we discovered during dynamic analysis that the sample will happily continue to run outside of a Lambda environment (i.e. on a regular Amazon Linux box),” said the Cado Security researchers. “We think it’s probably related to the fact that ‘serverless’ Lambda environments use Linux under the hood, so the malware thought it was running in Lambda (after we manually set the required environment variables ) while running in our sandbox”.
Detection made difficult with the DoH
The malware conceals command and control traffic in DNS queries made to an attacker-controlled domain and hides those queries using DNS-over-HTTPS (DoH). DoH encrypts the contents of DNS queries, so a traffic inspection mechanism will only see queries destined for HTTPS DNS resolvers like cloudflare-dns.com or dns.google.com and not the actual query contents. This mode of operation makes it harder to detect Denonia and offers attackers the ability to bypass Lambda environment settings that could prohibit traditional DNS traffic on port 53. The malware is essentially a wrapper for XMRig, a mining program from open source cryptocurrency often adopted by malware writers. This isn’t the first time Lambda customers have been targeted with XMRig. But until then, attackers used simpler scripts rather than complex malware like Dedonia. Cado researchers note that while the malware they analyzed is from February, they found an older one created in January on VirusTotal. These attacks have therefore been ongoing for several months.
Serverless platforms like Lambda are a great resource for small businesses that don’t have the staff to manage and secure cloud VMs, so server management is delegated to the cloud provider. However, they are still responsible for protecting their credentials and access keys, or face hefty bills if their accounts are abused. “The short execution times, sheer volume of processing, and dynamic, ephemeral nature of Lambda functions can make it difficult to detect, investigate, and respond to a potential compromise,” Cado researchers warned. “Under the AWS Shared Responsibility model, AWS secures the underlying Lambda runtime environment, but it’s up to the customer to secure the functions themselves,” the experts reminded.