Beware of exposed serverless cloud functions, Mandiant warns

The rise of generative AI means the firm's seeing more vulnerable environments: here's what it thinks you should do

A CGI graphic showing a cloud with up and down arrows, hovering above a futuristic TRON-style computer environment, to represent hybrid cloud.
(Image credit: Getty Images)

Google's Mandiant has warned that exposed serverless cloud functions can give attackers access to secrets and broader cloud environments, urging enterprises to implement new hardening measures.

Serverless deployments generally run custom-developed code that incorporates third-party packages, making them targets for a wide range of application-level attacks, including local and remote file inclusion (LFI/RFI) and command injection.

Mandiant said it’s observed an uptick in the number of public-facing serverless applications that lack authentication, often because of specific business requirements.

The rapid acceleration of generative AI adoption is a big factor here, the researchers noted, with AI workflows, including chatbot interactions, image generation, vibe coding, and multi-step AI agents relying on serverless functions to complete tasks for users.

Latest Videos From

Once they've managed to exploit an entry point, attackers typically attempt to escalate privileges or move laterally.

Common techniques include extracting secrets stored directly within the application code, reviewing application logic and sensitive data to identify further attack vectors within the environment, and exfiltrating service account bearer tokens from the metadata server via remote code execution (RCE).

"Leveraging these compromised secrets or service accounts allows threat actors to pivot to adjacent systems and workloads, potentially resulting in a total environment takeover if proper hardening strategies are not in place," said Mandiant security consultant Corné de Jong.

Shoring up defenses

The firm recommends a multi-pronged approach to harden security, including integration of security scanning, code reviews, and least-privilege identity and access management (IAM) capabilities within CI/CD pipelines before deployment.

When it comes to vibe coding, Mandiant recommends multi-layered security enforcement: isolating AI experimentation within dedicated sandbox environments and enforcing strict data egress controls to protect production systems and internal data.

Meanwhile, development environments should be restricted to approved IDEs with human-in-the-loop capabilities, using only verified plugins operating under least privilege to mitigate supply chain vulnerabilities.

Organizations will then need to ensure that all AI-generated software follows Secure Software Development Lifecycle (S-SDLC) controls, while establishing clear internal guidelines regarding permitted use cases.

Keep it in-house

As for runtime controls, Mandiant said that public-facing Cloud Run services should be hosted in a dedicated, isolated Google Cloud project to make sure attackers aren't simply given immediate access to critical internal resources.

Organizations should also restrict ingress traffic for serverless functions to internal only, and use an external Layer 7 ALB to manage internet exposure.

Here, it recommended Cloud Armor, which it said provides Web Application Firewall (WAF) protections that can be integrated with the Load Balancer to filter malicious traffic.

One aspect of a broader architecture

Notably, de Jong warned that hardening Cloud Run services is “only one part of a secure architecture” and a weak link elsewhere in the chain could result in disaster.

“Because these services often connect to other Google Cloud resources, a single compromise can expose additional services. Implementing defense-in-depth is critical,” he said.

“Specifically, when using direct VPC egress or VPC Access connectors, use VPC Service Controls to restrict lateral movement and exfiltration through granular access policies."

While serverless functions are designed to make cloud development faster and more flexible, threat actors are starting to find them as just as convenient, according to Nick Tausek, lead security automation architect at Swimlane.

"An alert tied to one function may suddenly become an identity issue or a lateral movement problem. Manual handoffs slow everything down at exactly the wrong moment. Security operations need to preserve context and adapt response actions as new risks emerge," he said.

"Integration of agentic AI into security platforms can support that process by connecting signals across tools, carrying investigative context forward and helping security teams determine the next appropriate action as an incident evolves.”

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.