Denonia named as first malware to target AWS Lambda platform

Deployment demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, Cado Security says

Security researchers at Cado Security have discovered the first publicly known malware specifically designed to target Amazon Web Services’ (AWS) Lambda platform.

Cado has named the software ‘Denonia’ after the name the attackers gave to the domain it communicates with. The Go-based software evades detection measures of complex cloud infrastructure to enable the mining of cryptocurrency through a modified version of the open-source crypto mining software XMRig.

Essentially, it uses newer address resolution techniques for command and control (C2) traffic to avoid detection and evade virtual network access controls.

Although it is not inherently malicious and has limited distribution, this method of running XMRig could prove indicative of future exploitation methods, Cado said.

“Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks,” Cado security researcher Matt Muir explained in a blog post.

Despite its numerous benefits, researchers said that Lambda’s short runtime durations, volume of executions, and the dynamic nature of its functions can make it difficult to detect, investigate and respond to a potential compromise.

Additionally, the AWS Shared Responsibility model means that AWS secures the underlying Lambda execution environment, while customers are responsible for securing the actual functions.

Although Denonia is designed to execute inside Lambda environments, it can also run in other Linux environments, which makes sense given that Lambda serverless environments are underpinned by Linux.

However, it is not yet known how the attackers are deploying the software. Cado researchers suggest they may be compromising AWS Access and Secret Keys before manually deploying into compromised environments – which wouldn’t be the first time.

An AWS spokesperson confirmed that actors did not breach Lambda via a vulnerability.

“Lambda is secure by default, and AWS continues to operate as designed,” they said. “Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments.”

“That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”

AWS confirmed: “The software described by the researcher does not exploit any weakness in Lambda or any other AWS service.”
