The discovery of this campaign highlights the concerns around large cloud environments in terms of lack of visibility and screening of malicious code that are part of a dynamic CI/CD pipeline. Despite the fact that the samples are not very sophisticated in their design or functionality, the simplicity of the code and functionality means that a threat like this could go on for weeks before being discovered.– Dr. Saumitra Das, CTO, Blue Hexagon
With the widespread prevalence of Lambda on AWS; the fact that it has now become the target of attackers should not be a surprise to anyone. The Denonia malware family appears to have been active for the past several months, with the aim of abusing Lambda services.
AWS Lambda is a serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.
Denonia, named after the domain that it reaches out to, is a crypto miner. The malware developed in Go appears to have been created to run in a serverless Lambda environment with the goal of abusing resources to generate crypto-mining revenue from a compromised environment. A key part of this story – how the malware actually gets deployed or installed is still not clear.
Figure 1: Go Lang references
Deep Learning AI takes a deep dive
Blue Hexagon Threat Labs analyzed this malicious file and additional files that we were able to identify using our Deep Learning classifier shows that this campaign has been active for at least 6 months in the wild. Looking at malicious code in the deep learning embedding space allows us to find similarities in malicious samples that may not be evident via humans or other techniques like fuzzy hashing.
Figure 2: Main Miner routine with functionality to call back home
Exposure and Attack Methodology
The discovery of this campaign highlights the concerns around large cloud environments in terms of lack of visibility and screening of malicious code that are part of a dynamic CI/CD pipeline. Despite the fact that the samples are not very sophisticated in their design or functionality, the simplicity of the code and functionality means that a threat like this could go on for weeks before being discovered, by which point the attackers would have already generated revenue from the infection.
Figure 3: Multiple indications that the code was using open-source code and lacks sophistication
A key part of the story still missing is how the malicious code was introduced into serverless compute fabric. Some possibilities include:
- The threat was part of a larger kill chain targeting cloud infrastructure with admin credentials or was targeting environments where the credentials were compromised; giving the author the ability to set the malware in a serverless environment where security agent software cannot be deployed to find malicious code.
- It is common for attackers to obtain cloud access keys via infecting developer machines, servers or credentials leaked in code repositories.
- In some cases, attackers could get into public-facing instancing via a vulnerability (e.g. log4shell) and then use the instance metadata API or secrets lying around the filesystem in that instance to move laterally and gain further privilege in the cloud environment.
The usage of Lambda to run the cryptominer versus a container or instance is interesting. It could be because of the nature of credential access obtained by the attackers. It could also be more effective to hide the attack inside a Lambda. Organizations typically have a few hundred functions and they may not be as apparent as bringing up a new instance or container. The same function could also be invoked at scale to be less of an anomaly versus bringing up many instances or expensive multi-CPU instances.
Figure 4: The sample is dependent on being implanted and executed and it does not have the ability to steal credentials or execute itself.
Deep Learning Threat Detection
Blue Hexagon’s deep learning models have detected all known samples for this threat and have also surfaced additional samples from the past several months that we are currently investigating. This does not currently appear to be a widespread prevalent attack but we are sure that this would not be the last attack of its kind and other known variants may still be out there.
Organizations should inspect the configurations of their serverless compute as well as containers for secrets that could provide credentials to move laterally and perform attacks like these. Agentless threat detection on network traffic emanating from serverless compute can be used to find such malicious code entering the cloud infrastructure even if agents are an anti-pattern for ephemeral compute like Lambda.
Blue Hexagon also offers a courtesy trial or security assessment custom-designed to your cloud deployments.