First Malware Running on AWS Lambda Discovered The New Stack – thenewstack.io

Amazon Web Services (AWS) Lambda, serverless computing's poster child, is over seven years old. So, perhaps what's amazing isn't that the first malware specifically targeting Lambda, Denonia, is here; it's that it took so long for one to arrive.

Oh well. It had to happen eventually.

It's important to note, though, that while Denonia runs on Lambda, it's not a Lambda-specific program. Instead, it's a Linux 64-bit ELF executable that uses several third-party libraries, including one that enables it to run inside AWS Lambda environments.

According to Matt Muir, a security researcher with Cado Security, a cloud-security company, who discovered it, while the program has the filename "python," it's actually written in Go. This nasty bit of software contains a customized variant of the open source XMRig mining software.

Denonia, Muir said, "is clearly designed to execute inside of Lambda environments," but "we haven't yet identified how it is deployed. It may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we've seen before with more simple Python scripts."

It appears that this is how Denonia is spread. It can't spread itself; it requires an already compromised user account.
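A defender-side illustration of the deployment path Muir describes (stolen long-term access keys used to push code into Lambda): an added example, not code from the article or from Cado Security, that scans CloudTrail records for Lambda code deployments signed by an IAM user access key or coming from outside an assumed allow-list of CI/CD egress IPs. The CloudTrail field names are real; the allow-list, account ID and sample records are constructed for this example.

```python
from typing import Iterable

# Assumed allow-list of source IPs for the legitimate CI/CD deployment path.
KNOWN_DEPLOY_IPS = {"203.0.113.10"}
# Lambda deployment eventName values carry a date suffix (CreateFunction20150331,
# UpdateFunctionCode20150331v2), so match on the prefix.
DEPLOY_PREFIXES = ("CreateFunction", "UpdateFunctionCode")

def is_deploy_event(rec: dict) -> bool:
    """True for CloudTrail records that create or replace Lambda function code."""
    return (rec.get("eventSource") == "lambda.amazonaws.com"
            and rec.get("eventName", "").startswith(DEPLOY_PREFIXES))

def suspicious_deploys(records: Iterable[dict]) -> list:
    """Flag deployments that look like a manual push with stolen long-term keys:
    signed by an IAM user access key and/or made from an IP off the allow-list."""
    hits = []
    for rec in records:
        if not is_deploy_event(rec):
            continue
        ident = rec.get("userIdentity", {})
        reasons = []
        if ident.get("type") == "IAMUser":  # long-term AKIA... key, not an STS role
            reasons.append("long-term IAM user key")
        if rec.get("sourceIPAddress") not in KNOWN_DEPLOY_IPS:
            reasons.append("unknown source IP")
        if reasons:
            hits.append({"function": rec.get("requestParameters", {}).get("functionName"),
                         "principal": ident.get("arn"),
                         "ip": rec.get("sourceIPAddress"),
                         "reasons": reasons})
    return hits

# Constructed sample records (not real CloudTrail output); only the fields the
# detector reads are included. Record 2 mimics the path the article describes:
# a long-term user key pushing a function named "python" from an unknown IP.
SAMPLE_RECORDS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"functionName": "billing-api"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"functionName": "python"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "sourceIPAddress": "198.51.100.77", "requestParameters": {"functionName": "billing-api"}},
]
```

Running `suspicious_deploys(SAMPLE_RECORDS)` returns only the second record, flagged for both reasons; the read-only GetFunction call is ignored.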

As AWS pointed out in a statement, Denonia "does not exploit any weakness in Lambda or any other AWS service." It gets through AWS's doors by relying on "fraudulently obtained account credentials." Therefore, AWS concludes, Denonia isn't really malware since it "lacks the ability to gain unauthorized access to any system by itself."

Actually, while malware that spreads itself is far more dangerous than malware that doesn't, most security experts would agree that it's still malware. Still, AWS asserts that "Calling Denonia a Lambda-focused malware is a distortion of fact, as it doesn't use any vulnerability in the Lambda service." That last part is certainly true. But you still don't want it running on your Lambda services.

Denonia can also run outside of Lambda: it will run on generic 64-bit Linux as well.

Another factor that makes Denonia dangerous is that instead of using plain DNS to contact its controller, it uses DNS over HTTPS (DoH). DoH encrypts DNS queries and sends the requests out as regular HTTPS traffic to DoH resolvers. For attackers, Muir comments, it provides two advantages:

There have long been serious security concerns with DoH. As Paul Vixie, DNS's creator, tweeted in 2018, RFC 8484 (the Request for Comments that defined DoH) "is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum."

Vixie's far from the only one. The SANS Institute, one of the world's largest cybersecurity training organizations, said that "the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls." Denonia's use of DoH underlines that there's a real danger in what have heretofore been theoretical concerns.

Still, while Lambda itself is safer than other compute environments, keep in mind that, as Amazon warns under the AWS Shared Responsibility Model, "AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves." In other words, if you open the door to a program like Denonia, it's your security problem, not AWS's.

So, as always, be careful out there, people! AWS has an excellent white paper on securing Lambda environments; you'd be well advised to follow its recommendations. Lambda may well be safer than most compute platforms, but, as ever, security is a process, not a product. You must do your part as well.
