December 9, 2023

Researchers at Cado Security discovered the first publicly known malware specifically targeting the AWS serverless computing platform Lambda. They dubbed it Denonia, after the name of the domain that the attackers communicated with, and say that it was used to enable cryptocurrency mining.

Cado Security said it has reported its findings to AWS. In a statement in response to an inquiry about the reported malware discovery, AWS said that “Lambda is secure by default, and AWS continues to operate as designed.”

“Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments,” AWS said in the statement, adding that the company’s acceptable use policy prohibits the violation of the security of any of its systems.

The new way of running code in serverless environments requires new security tools, because the existing ones simply don’t have visibility into those environments. Cado Security, which offers a platform for investigation and response to cloud cyber incidents, does not itself offer detection tools for serverless environments.

The Cado researchers have not pinpointed who may have been responsible for the Denonia malware, as the attackers left few clues behind. The attack leveraged uncommon techniques around address resolution to obfuscate domain names, making it easier for the malware to communicate with other servers while evading detection, according to the researchers.

This lack of clues and use of unusual techniques, on top of the fact that malware targeting AWS Lambda hasn’t been known to exist previously, suggest the threat actors behind the attack possess advanced knowledge.

The attack also most likely involved a compromise of an AWS account. In addition to the growing popularity of AWS Lambda for running application code without the need to provision or manage servers, there are other reasons that businesses can expect Lambda to be increasingly targeted by threat actors going forward.
