The increased adoption of cloud computing across industries has a significant impact on how businesses manage operations and deliver a strong return on investment. Organizations leverage serverless functions for various use cases, such as developing cloud-native applications, processing event-based tasks, and moving workloads to the cloud.
AWS Lambda is a serverless service from Amazon Web Services that fits into the event-driven paradigm. AWS Lambda offers a powerful toolkit for building secure and scalable applications. But cybercriminals have found a way to exploit and run malware on AWS Lambda since its functions allow code to run for virtually any application or backend service from any web or mobile app.
According to the Cado Labs research report, Denonia malware is the first of its kind designed specifically to target the AWS Lambda environment. The malware takes its name from the domain ‘gw.denonia.xyz
’ that it communicates with.
The analysis suspects that cybercriminals have compromised AWS access and secret keys and then manually deployed the malware into the compromised AWS Lambda environments.
The dynamic analysis discovered that the sample used DNS over HTTPS (DoH) instead of traditional DNS. DoH encrypts DNS queries and sends the requests out as regular HTTPS traffic to DoH resolvers.
The malware sends requests using the “doh-go” library to the below URLs:
hxxps://cloudflare-dns[.]com/dns-query?name=gw[.]denonia[.]xyz&type=A hxxps://dns[.]google[.]com/resolve?name=gw[.]denonia[.]xyz&type=A
The attacker-controlled domain gw.denonia[.]xyz
resolves to IP address 116.203.4[.]0
and writes into a config file at /tmp/.xmrig.json
. The malware launches XMRig, a software designed to mine for the Monero cryptocurrency from memory, and uses /tmp,
the only writable folder in a Lamba environment. The malware then communicates with the IP address obtained from the DNS query on port 3333, a Monero mining pool.
Achieving early detection of insider and external threats with the ability to detect stolen credential attacks can significantly reduce the risk of a successful attack. SentinelOne offers the following solutions to detect anomalous behavior that may indicate attacker presence within the AWS environment.
The SentinelOne Hologram solution deploys decoys such as EC2 instances, S3 buckets, Lambda functions, and Dynamo DB databases across various cloud accounts. Cybercriminals attempt to discover cloud resources and services to gain access and exploit. The solution can detect cloud discovery techniques and alerts when an attacker tries to access AWS Lambda functions.
Cybercriminals use various methods to steal or reuse cloud credentials to access serverless functions from compromised endpoints. The SingularityTM Identity solution helps create and distribute deceptive cloud objects (such as secret keys, credentials, or URLs) as lures on both endpoints and servers. The solution detects and misdirects their lateral movement attempts from the serverless infrastructure to the engagement environment.
It is not the first time that cybercriminals have exploited AWS services. In the past, attackers gained access to an organization’s misconfigured S3 buckets and performed malicious activities. SentinelOne provides visibility to identity entitlement across multi-cloud environments, arming organizations with knowledge of their attack surface and helping mitigate risks associated with users, roles, and entitlements across cloud environments.
Security and compliance are shared responsibilities between AWS and the customer. The shared responsibility model can help relieve an organization’s operational burden. However, following best practices and recommendations can help protect customers from potential compromises.
Safeguarding against identity threats requires a multi-layered security strategy. Organizations can reduce their cloud resources risk by deploying SentinelOne identity and deception solutions and creating cloud baits such as deceptive logins and access keys on the endpoints.
Singularity Hologram
Singularity™ Hologram is network-based threat deception that lures in-network and insider threat actors into engaging and revealing themselves.