‘Denonia’ Study Points to New Potential Cyber Threat in the Cloud, Experts Say
We’re excited to bring Transform 2022 back in person on July 19 and pretty much July 20-28. Join AI and data leaders for insightful conversations and exciting networking opportunities. Register today!
Research showing the potential of malware to target a serverless computing platform is raising awareness about a potential avenue for cyber threat actors that many companies haven’t thought about before, security experts told VentureBeat.
On Wednesday, Cado Security — which provides a platform for investigation and response to cloud cyber incidents — released a blog post detailing its findings about the new malware. The Cado researchers named the malware “Denonia” after the domain the attackers communicated with, saying it was used to enable cryptocurrency mining through Amazon Web Services’ serverless platform, AWS Lambda.
In a statement, AWS said that “the software described by the researcher does not exploit any weaknesses in Lambda or any other AWS service.”
“The software relies entirely on fraudulently obtained account information,” AWS said, adding that “Denonia” isn’t really malware “because it doesn’t have the ability to gain unauthorized access to a system on its own.”
‘Never wasted time’
However, cybersecurity experts told VentureBeat that the Cado research is still valuable to the security community.
“It’s never a waste of time to analyze what attackers are doing,” said John Bambenek, principal threat hunter at IT and security company Netenrich. “If we don’t understand what criminals are doing, then cybersecurity is complete fiction.”
Big improvements in security can only be made “when people raise awareness about problems and work together to solve them,” said Casey Bisson, chief of product and developer relations at BluBracket, a code security solutions company.
“There is nothing in the report to suggest that AWS’ infrastructure is technically vulnerable. But it’s a vulnerable target in a practical sense, because monitoring and accounting for resources is more difficult for Lambda than it is for virtual machines, and the tools to manage them are less mature,” Bisson said.
As a result, this would be a great opportunity for AWS to suggest that its customers implement certain Lambda policies — such as requiring signed code — to ensure the workloads running there are genuine, he said.
Ultimately, the value of the Cado study is “to show what’s possible if a threat actor could run their code in a target Lambda environment” — even if the investigation doesn’t reveal an actual exploit, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“How an attacker would deploy” [Denonia] is an entirely different question,” Parkin said.
Lambda is a popular AWS service for running application code without the need to provision or manage servers.
‘Not enough’
If nothing else comes out of the Cado investigative report, it “emphasizes that just using Amazon Lambda is not enough from a cybersecurity standpoint,” Bambenek said.
“It’s absolutely critical if organizations are going to adopt a shared security model, that they know exactly and exactly where the division of those responsibilities lies,” he said.
The shared responsibility model – a concept not unique to AWS – divides who is responsible for what when it comes to security in the public cloud. AWS summarizes its share of responsibility as the “security of the cloud,” including infrastructure such as compute, storage, and networking. Customers are responsible for everything else, that is, the ‘security in the cloud’.
But the line of where responsibilities are split can get blurry in some cases, as in this case with Lambda, Bambenek said.
Who protects what?
While AWS secures the Lambda environment itself — and the customer needs to know to secure their own account information and code — the issue of how account takeovers are handled isn’t so straightforward, according to Bambenek.
AWS has indicated that this part is essentially the customer’s responsibility, but many customers feel AWS should have controls around the account takeover issue, he said.
Either way, it’s “probably a good idea” for AWS to provide detection and prevention around crypto mining in their own environments, Bambenek said.
In its statement, AWS noted that “the [Cado] In fact, researchers admit that this software cannot access Lambda — and that when the software ran outside of Lambda in a standard Linux server environment, the software performed similarly.”
It’s also important to note that in their own blog the researchers clearly state that Lambda provides enhanced security over other computing environments in their own blog: ‘Under the AWS Shared Responsibility model, AWS protects the underlying Lambda execution environment, but the is up to the customer to secure features themselves,” and “the managed runtime environment reduces the attack surface compared to a more traditional server environment,” AWS said in its statement.
VentureBeat’s mission is to be a digital city square for tech decision makers to learn about transformative business technology and transactions. Learn more about membership.
This post ‘Denonia’ Study Points to New Potential Cyber Threat in the Cloud, Experts Say
was original published at “https://venturebeat.com/2022/04/07/denonia-research-points-to-new-potential-cloud-cyber-threat-experts-say/”
