Cado Security has found the first publicly known case of malware specifically targeting AWS Lambda, Amazon Web Services' serverless computing platform. The malware, known as Denonia, uses newer address resolution techniques for its command-and-control traffic to evade usual detection measures and virtual network access controls. The first sample discovered only runs crypto-mining software and is thought to be relatively innocuous; however, it signals a new class of cloud threat that could lead to more dangerous attacks in the future.
Cado Security reported the threat to AWS upon its discovery. Matt Muir, one of the researchers who found the malware, noted in a blog post that Lambda serverless functions, which are increasingly being adopted by organizations, do have numerous security benefits. However, potential compromises can be difficult to detect because of the sheer volume of executions and their short runtime durations. Although Cado Security offers an investigation and response platform for cloud environments, it does not currently offer tools for serverless environments.
AWS has responded in a statement saying that Denonia does not really constitute malware as it lacks the ability to gain unauthorized access to any system by itself. The company noted that although AWS secures the underlying Lambda execution environment, customers still need to secure functions themselves. The managed runtime environment reduces the attack surface compared to traditional server environments.
There can be a misconception in organizations that because something is serverless it is inherently safe. However, Cado Security has said that organizations should be made aware of the potential security threats to serverless environments and should expect a threat trajectory similar to that of container environments. Serverless environments require new security tools that provide the visibility needed to detect potential threats, which existing security tools lack.
It is not clear who was responsible for the Denonia malware, but it has been noted that the unusual techniques used, which left very few traces behind, indicate that the threat actor likely has advanced knowledge.