
First Malware Running on AWS Lambda Discovered

14 Apr 2022 11:53am, by

Amazon Web Services (AWS) Lambda, serverless computing’s poster child, is over seven years old. So perhaps what’s amazing isn’t that the first malware specifically targeting Lambda, Denonia, is here; it’s that it took so long for one to arrive.

Oh well. It had to happen eventually.

It’s important to note, though, that while Denonia runs on Lambda, it’s not a Lambda-specific program. Instead, it’s a Linux 64-bit ELF executable, which uses several third-party libraries, including one that enables it to run inside AWS Lambda environments.

According to Matt Muir, the security researcher at Cado Security, a cloud-security company, who discovered it, the program carries the filename “python” but is actually written in Go. This nasty bit of software contains a customized variant of the open source XMRig mining software.

“Denonia,” Muir said, “is clearly designed to execute inside of Lambda environments — we haven’t yet identified how it is deployed. It may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we’ve seen before with more simple Python scripts.”

Compromised Accounts

It appears that this is how Denonia is spread. It can’t spread itself. It requires an already compromised user account.

As AWS pointed out in a statement, Denonia “does not exploit any weakness in Lambda or any other AWS service.” It gets through AWS’s doors by relying “on fraudulently obtained account credentials.” Therefore, AWS concludes, Denonia isn’t really malware since “it lacks the ability to gain unauthorized access to any system by itself.”

Actually, while malware that spreads itself is far more dangerous than malware that doesn’t, most security experts would agree that it’s still malware. Still, AWS asserts that “Calling Denonia a Lambda-focused malware is a distortion of fact, as it doesn’t use any vulnerability in the Lambda service.” That last part is certainly true. But you still don’t want it running on your Lambda services.

Denonia can also run outside of Lambda. It will run on generic 64-bit Linux, as well.
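The deployment path described above, stolen long-term keys followed by a manual push of a function, leaves a trail in CloudTrail even though no Lambda vulnerability is involved. The following is an added example, not code from the article or from Cado Security: it triages CloudTrail records for Lambda deployment calls and scores them on the credential type, the caller address and the user agent. The Lambda event names are the ones CloudTrail records for that API (check them against your own trail); the trusted CIDR range and every sample record are constructed.

```python
"""Flag Lambda code deployments in CloudTrail that look like manual pushes with
long-term credentials, the deployment path the article describes.

Added example, not code from the article or from Cado Security. Event names are
the ones CloudTrail records for the Lambda API (check them against your own
trail); the trusted CIDR and the sample records below are constructed.
"""
import ipaddress
from typing import Optional

# Lambda management calls that place new code or configuration into a function.
DEPLOY_EVENTS = {
    "CreateFunction20150331",
    "UpdateFunctionCode20150331v2",
    "UpdateFunctionConfiguration20150331v2",
}

# Assumption: legitimate deployments only come from the CI/CD runners in this range.
TRUSTED_DEPLOY_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]


def is_trusted_source(source_ip: str) -> bool:
    """True when the caller IP sits inside an allow-listed deployment range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # AWS-service-originated calls carry a service name here, not an IP.
        return False
    return any(addr in net for net in TRUSTED_DEPLOY_CIDRS)


def triage_record(rec: dict) -> Optional[dict]:
    """Return a finding for a suspicious Lambda deployment event, else None."""
    if rec.get("eventSource") != "lambda.amazonaws.com":
        return None
    if rec.get("eventName") not in DEPLOY_EVENTS:
        return None

    identity = rec.get("userIdentity", {})
    access_key = identity.get("accessKeyId", "")
    reasons = []
    # Keys starting with AKIA are long-term IAM user keys; ASIA marks temporary
    # STS credentials. A stolen AKIA key is exactly what the article warns about.
    if access_key.startswith("AKIA"):
        reasons.append("long-term access key")
    if not is_trusted_source(rec.get("sourceIPAddress", "")):
        reasons.append("source IP outside deployment range")
    if rec.get("userAgent", "").startswith("aws-cli"):
        reasons.append("interactive CLI rather than pipeline tooling")
    if not reasons:
        return None

    params = rec.get("requestParameters") or {}
    return {
        "time": rec.get("eventTime"),
        "event": rec["eventName"],
        "function": params.get("functionName"),
        "principal": identity.get("arn"),
        "reasons": reasons,
    }


def triage_all(records: list) -> list:
    """Run triage over a list of CloudTrail records and keep only findings."""
    return [f for f in (triage_record(r) for r in records) if f]


# Constructed sample records (shape follows CloudTrail, values are made up).
SAMPLE_RECORDS = [
    {   # Routine pipeline deploy: temporary role credentials from the CI range.
        "eventTime": "2022-04-10T09:12:44Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "sourceIPAddress": "203.0.113.17",
        "userAgent": "aws-sdk-go/1.44.0",
        "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000CI",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-1"},
        "requestParameters": {"functionName": "billing-worker"},
    },
    {   # Manual push with a long-term user key from an unknown address.
        "eventTime": "2022-04-11T02:41:07Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.5.2 Python/3.9.11",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000DEV",
                         "arn": "arn:aws:iam::111122223333:user/developer"},
        "requestParameters": {"functionName": "billing-worker"},
    },
    {   # Read-only call; never a deployment, so never flagged.
        "eventTime": "2022-04-11T02:42:30Z",
        "eventSource": "lambda.amazonaws.com",
        "eventName": "GetFunction20150331v2",
        "sourceIPAddress": "198.51.100.23",
        "userAgent": "aws-cli/2.5.2 Python/3.9.11",
        "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE0000DEV"},
        "requestParameters": {"functionName": "billing-worker"},
    },
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_RECORDS):
        print(finding)
```

Each reason on its own is weak evidence (developers do deploy from laptops with the CLI), so the function reports all of them together and lets the analyst weigh the combination; in a real pipeline the records would come from a CloudTrail lake query or an EventBridge rule rather than an inline list.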

DNS over HTTPS (DoH)

Another factor that makes Denonia dangerous is that instead of using DNS to contact its controller, it uses DNS over HTTPS (DoH). DoH encrypts DNS queries and sends the requests out as regular HTTPS traffic to DoH resolvers. For attackers, Muir comments, it provides two advantages:

  • AWS cannot see the DNS lookups for the malicious domain, reducing the likelihood of triggering a detection.
  • Some Lambda environments may not perform DNS lookups, depending on VPC settings.
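Because a DoH lookup is an ordinary HTTPS request, the queried name is still there, just wrapped in the RFC 8484 encoding rather than sent to the VPC resolver. The following is an added example, not code from the article or from Cado Security: it builds a wire-format DNS query the way a DoH client does, then shows how an egress proxy that terminates TLS and logs method, URL and Content-Type can recognise DoH traffic and recover the name from a GET request. The log format, resolver host and looked-up name are all constructed.

```python
"""Decode RFC 8484 DoH requests from egress proxy logs so the DNS names hidden
inside HTTPS become visible again.

Added example, not code from the article or from Cado Security. It assumes a
TLS-terminating egress proxy that logs method, URL and Content-Type (the log
format and every host name below are constructed); DoH bypasses the VPC
resolver, so the proxy is where a defender can still see the lookups.
"""
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (ID 0, RD set, one question)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def encode_doh_param(message: bytes) -> str:
    """base64url without padding, as RFC 8484 requires for the GET 'dns' parameter."""
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_doh_param(param: str) -> bytes:
    """Reverse of encode_doh_param: restore padding, then decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(message: bytes):
    """Return (qname, qtype) from the first question of a DNS message."""
    qdcount = struct.unpack("!H", message[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", message[pos:pos + 2])[0]
    return ".".join(labels), qtype


def detect_doh(log_lines):
    """Flag proxy log entries that carry DoH; recover the queried name from GETs."""
    findings = []
    for line in log_lines:
        client, method, url, _status, ctype = line.split()
        parts = urlsplit(url)
        dns_param = parse_qs(parts.query).get("dns")
        if ctype != DOH_MEDIA_TYPE and dns_param is None:
            continue
        finding = {"client": client, "resolver": parts.hostname,
                   "method": method, "qname": None}
        if method == "GET" and dns_param:
            try:
                finding["qname"], finding["qtype"] = parse_question(
                    decode_doh_param(dns_param[0]))
            except (ValueError, IndexError, UnicodeDecodeError):
                finding["qname"] = "<undecodable>"
        findings.append(finding)
    return findings


# Constructed proxy log: "client method url status content-type". The GET line's
# dns parameter is generated here from a made-up lookup so it decodes cleanly.
SAMPLE_LOG = [
    "10.0.1.5 GET https://doh.resolver.test/dns-query?dns="
    + encode_doh_param(build_query("lookup.example.test")) + " 200 " + DOH_MEDIA_TYPE,
    "10.0.1.5 POST https://doh.resolver.test/dns-query 200 " + DOH_MEDIA_TYPE,
    "10.0.1.6 GET https://api.example.test/v1/items 200 application/json",
]

if __name__ == "__main__":
    for finding in detect_doh(SAMPLE_LOG):
        print(finding)
```

A POST request carries the message in the body, so without body logging only the fact of DoH use is recoverable from it; that is still enough to alert on, since a Lambda function that has a legitimate reason to talk to a DoH resolver is rare. Without a TLS-terminating proxy in the function's egress path, the fallback is the coarser signal of connections to known DoH resolver addresses in VPC flow logs.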

There have long been serious security concerns with DoH. As Paul Vixie, DNS’s creator, tweeted in 2018, “RFC 8484 (the Request for Comments that defined DoH) is a cluster duck for internet security. Sorry to rain on your parade. The inmates have taken over the asylum.”

Vixie is far from the only one. The SANS Institute, one of the world’s largest cybersecurity training organizations, said that “the unmitigated usage of encrypted DNS, particularly DNS over HTTPS, could allow attackers and insiders to bypass organizational controls.” Denonia’s use of DoH underlines that what have heretofore been theoretical concerns now carry a real danger.

Still, while Lambda itself is safer than other compute environments, keep in mind that, as Amazon warns, “under the AWS Shared Responsibility Model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves.” In other words, if you open the door to a program like Denonia, it’s your security problem, not AWS’s.

So, as always, be careful out there, people! AWS has an excellent white paper on securing Lambda environments, and you’d be well advised to follow its recommendations. Lambda may well be safer than most compute platforms, but, as ever, security is a process, not a product. You must do your part as well.