
Denonia named as first malware to target AWS Lambda platform

Deployment demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, Cado Security says

Security researchers at Cado Security have discovered the first publicly known malware specifically designed to target Amazon Web Services’ (AWS) Lambda platform.

Cado has named the software ‘Denonia’ after the name the attackers gave to the domain it communicates with. The Go-based software evades detection measures of complex cloud infrastructure to enable the mining of cryptocurrency through a modified version of the open-source crypto mining software XMRig.


Essentially, it uses newer address resolution techniques for command and control (C2) traffic to avoid detection and evade virtual network access controls.

Although it is not inherently malicious and has limited distribution, this method of running XMRig could prove indicative of future exploitation methods, Cado said.

“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Cado security researcher Matt Muir explained in a blog post.

Despite its numerous benefits, researchers said that Lambda’s short runtime durations, volume of executions, and the dynamic nature of its functions can make it difficult to detect, investigate and respond to a potential compromise.

Additionally, the AWS Shared Responsibility model means that AWS secures the underlying Lambda execution environment, while customers are responsible for securing the actual functions.

Although Denonia is designed to execute inside Lambda environments, it can also run in other Linux environments – which makes sense considering that Lambda serverless environments are underpinned by Linux.

However, it is not yet known how the attackers are deploying the software. Cado researchers suggest they may be compromising AWS Access and Secret Keys before manually deploying into compromised environments – which wouldn’t be the first time.
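One way a defender could check for the deployment path Cado suggests is to review CloudTrail for Lambda code changes made by unexpected principals or with long-term access keys. The sketch below is an added example, not code from Cado or AWS; the allowlisted role, account ID, function names, keys and IP addresses are constructed assumptions.

```python
import json

# CloudTrail event names for Lambda API calls that create or replace function code.
CODE_CHANGE_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2"}

# Assumption: the only principal expected to deploy functions (hypothetical CI role).
ALLOWED_DEPLOYERS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"}

def _rec(source, name, id_type, arn, key, ip, fn):
    """Build one constructed CloudTrail record, trimmed to the fields used below."""
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": id_type, "arn": arn, "accessKeyId": key},
            "requestParameters": {"functionName": fn}}

# Constructed sample log: account ID, names, keys and IPs are all made up.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("lambda.amazonaws.com", "CreateFunction20150331", "AssumedRole",
         "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline",
         "ASIAEXAMPLEEXAMPLE00", "198.51.100.7", "orders-api"),
    _rec("lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "IAMUser",
         "arn:aws:iam::111122223333:user/alice",
         "AKIAIOSFODNN7EXAMPLE", "203.0.113.10", "image-resize"),
    _rec("s3.amazonaws.com", "PutObject", "IAMUser",
         "arn:aws:iam::111122223333:user/alice",
         "AKIAIOSFODNN7EXAMPLE", "203.0.113.10", None),
    _rec("lambda.amazonaws.com", "CreateFunction20150331", "AssumedRole",
         "arn:aws:sts::111122223333:assumed-role/support/session1",
         "ASIAEXAMPLEEXAMPLE01", "203.0.113.44", "helper"),
]})

def suspicious_deployments(cloudtrail_json, allowed=frozenset(ALLOWED_DEPLOYERS)):
    """Return Lambda code-change events that deserve a closer look."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if (rec.get("eventSource") != "lambda.amazonaws.com"
                or rec.get("eventName") not in CODE_CHANGE_EVENTS):
            continue
        ident = rec.get("userIdentity") or {}
        reasons = []
        if ident.get("arn") not in allowed:
            reasons.append("unexpected principal")
        # Long-term IAM user keys start with AKIA; temporary STS keys with ASIA.
        if ident.get("type") == "IAMUser" and ident.get("accessKeyId", "").startswith("AKIA"):
            reasons.append("long-term access key")
        if reasons:
            findings.append({
                "function": (rec.get("requestParameters") or {}).get("functionName"),
                "principal": ident.get("arn"), "source_ip": rec.get("sourceIPAddress"),
                "event": rec["eventName"], "reasons": reasons})
    return findings
```

Running `suspicious_deployments(SAMPLE_LOG)` flags the IAM user's code update and the non-pipeline role's function creation, and ignores the pipeline deployment and the unrelated S3 call.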

An AWS spokesperson confirmed that actors did not breach Lambda via a vulnerability.

“Lambda is secure by default, and AWS continues to operate as designed,” they said. “Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments.”

“That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

AWS confirmed: “The software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”
