New Malware Targeting AWS Lambda
Cado Security says it has discovered a new malware that specifically targets Lambda.
Lambda is a compute service offered by Amazon Web Services (AWS) that runs customer code while AWS handles server and OS maintenance, capacity provisioning and logging, and it underpins numerous backend services. According to Cado Security, this cloud service is now at risk of infection by the malware strain.
Matt Muir is a security researcher with Cado Security.
“Cado Labs routinely analyzes cloud environments to look for the latest threats,” he said. “As part of ongoing research, we found the first publicly known case of malware specifically designed to execute in an AWS Lambda environment. We named this malware Denonia, after the name the attackers gave the domain it communicates with. The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls. Although this first sample is fairly innocuous in that it only runs cryptomining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks. From the telemetry we have seen, the distribution of Denonia so far has been limited.”
AWS sent us the following statement:
“Lambda is secure by default, and AWS continues to operate as designed. Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”
Moreover, the software described by the researcher does not exploit any weakness in Lambda or any other AWS service, it said. Since the software relies entirely on fraudulently obtained account credentials, it is a “distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself.”
John Bambenek is principal threat hunter at Netenrich.
“While it has been common for attackers to target automated environments to run cryptomining software, this is the first time that I’ve seen Lambda targeted,” he said. “It comes as no surprise as many organizations have no real controls on development cloud resources and cryptomining is low-hanging fruit for hackers to monetize lax DevOps security.”
While Amazon secures the Lambda environment and the customer secures their code and account credentials, the open question is how account takeovers are handled, Bambenek said.
“Amazon believes that’s the customer responsibility, and many organizations believe Amazon should have some checks in place,” he said. “Either way, it’s probably a no-brainer for Amazon to simply detect and prevent cryptocurrency mining in their environment (except for those instances specifically designed for it).”