Malware programs have become an increasingly popular way of compromising systems, and cybercriminals are now using malware to target advanced cloud infrastructure. Researchers at Cado Security have discovered a piece of malware specifically engineered to target Amazon Web Services (AWS) Lambda cloud environments.
The new malware, dubbed ‘Denonia’, is essentially crypto-mining malware. It infects AWS Lambda environments and deploys cryptominers that then automatically mine the Monero cryptocurrency. For the uninitiated, AWS Lambda is a serverless computing platform used by more than 8000 companies to run workloads such as serverless websites or automated backups. Companies that rely on heavy software workloads are among the main users of Amazon’s Lambda web service.
According to the researchers, Denonia isn’t being used for anything worse than illicit mining, but “it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” wrote Cado’s Matt Muir in a blog post.
Crypto mining, essentially, is running a set of programs on either high-end devices or cloud-based environments to earn cryptocurrency.
Researchers found a 64-bit executable sample targeting x86-64 systems. This sample was uploaded to VirusTotal in February. They later discovered a second sample that had been uploaded a month earlier, in January, hinting that these attacks span at least a couple of months.
“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” the Cado researchers said.
It should be noted that what Cado researchers weren’t able to determine was how the attackers deployed their malware onto the compromised environments. However, the researchers suspect that the attackers likely used stolen AWS Access and Secret Keys. “This shows that, while such managed runtime environments decrease the attack surface, misplaced or stolen credentials can lead to massive financial losses quickly due to difficult detection of a potential compromise,” the researchers noted.
“Under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves. We suspect this is likely due to Lambda “serverless” environments using Linux under the hood, so the malware believed it was being run in Lambda (after we manually set the required environment variables) despite being run in our sandbox,” the researchers added.