- Malware is becoming an increasingly popular means of compromising systems, and attackers are now using it to target advanced cloud infrastructure. Cado Security researchers discovered a strain of malware designed specifically to target Amazon Web Services (AWS) Lambda environments.
- The new malware, ‘Denonia,’ is primarily a cryptomining trojan: it targets AWS Lambda environments and launches a cryptominer that mines the Monero cryptocurrency.
- The researchers uncovered a 64-bit executable sample built for x86-64 platforms that was uploaded to VirusTotal in February. They later found a second sample uploaded a month earlier, in January, indicating that the attacks had been going on for at least a few months.
Denonia is a new malware strain that targets Amazon Web Services Lambda environments. AWS Lambda is a serverless, event-driven compute service that runs code in response to events from AWS services and SaaS applications, for any type of application, without requiring the customer to manage servers. Denonia has been designed specifically for cryptomining on Lambda.
Denonia is a Go-based wrapper designed to deploy a custom XMRig cryptominer that mines the Monero cryptocurrency, according to the Cado Security researchers who discovered it being used in limited attacks.
They discovered a 64-bit ELF executable for x86-64 platforms that was uploaded to VirusTotal in February. They also identified a second sample that had been uploaded a month before, in January, indicating that the attacks had been ongoing for at least a few months.
“Although this first sample is relatively harmless in that it only runs crypto-mining software,” the Cado researchers said, “it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks.”
Cado’s researchers were unable to determine how the attackers deployed the malware into the compromised environments. The researchers suggest the attackers may have used stolen AWS access and secret keys. “While managed runtime environments lower the system vulnerabilities, lost or stolen credentials can swiftly result in enormous financial losses due to the difficulties of detecting a possible breach,” the researchers wrote. They believe the attackers used stolen or leaked AWS access and secret keys, a method previously seen distributing bash scripts that download and launch miners. In that earlier case, after the miner had been active for a few weeks, the victim was left with $45,000 in charges.
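As an added illustration of how a defender would look for the credential-abuse path described above (this is not Cado’s code or part of the original article), the script below scans CloudTrail management events for Lambda code changes made with a long-lived IAM user access key from an address outside a deployment allowlist. The record shape follows CloudTrail’s documented format; the sample records, user names, key IDs and the allowlist are constructed.

```python
import json

# CloudTrail event names for Lambda API calls that create or replace function code.
CODE_CHANGE_EVENTS = {"CreateFunction20150331", "UpdateFunctionCode20150331v2",
                      "UpdateFunctionConfiguration20150331v2"}

# Constructed allowlist (assumption): the addresses your deployment pipeline uses.
TRUSTED_SOURCE_IPS = {"203.0.113.10"}


def is_long_lived_key(access_key_id: str) -> bool:
    """AKIA... IDs are long-term IAM user keys; ASIA... IDs are temporary STS credentials."""
    return access_key_id.startswith("AKIA")


def suspicious_lambda_changes(records):
    """Flag Lambda code changes made with a long-lived IAM user key from an address
    outside the deploy allowlist: the path a leaked or stolen key would take."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "lambda.amazonaws.com":
            continue
        if rec.get("eventName") not in CODE_CHANGE_EVENTS:
            continue
        ident = rec.get("userIdentity", {})
        src = rec.get("sourceIPAddress", "")
        if (ident.get("type") == "IAMUser"
                and is_long_lived_key(ident.get("accessKeyId", ""))
                and src not in TRUSTED_SOURCE_IPS):
            findings.append({
                "time": rec.get("eventTime"),
                "user": ident.get("userName"),
                "function": rec.get("requestParameters", {}).get("functionName"),
                "source_ip": src,
                "event": rec["eventName"],
            })
    return findings


# Constructed sample trail (shape follows CloudTrail's record format; all values are made up).
SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2022-04-01T10:00:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001"},
  "requestParameters": {"functionName": "billing-export"}},
 {"eventTime": "2022-04-01T10:05:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "dev-alice", "accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"functionName": "billing-export"}},
 {"eventTime": "2022-04-01T03:12:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "dev-alice", "accessKeyId": "AKIAEXAMPLE000000002"},
  "requestParameters": {"functionName": "billing-export"}}
]""")
```

Only the third record is flagged: a pipeline deploy with temporary role credentials and a read-only GetFunction call pass, while an off-hours code replacement from an unlisted address using a long-lived key does not.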
Denonia was clearly developed for AWS Lambda, as it checks for Lambda environment variables before execution, but Cado Security discovered that it may also operate without problems on some Linux servers (e.g., Amazon Linux boxes).
Under the shared-responsibility security model used by Amazon and other cloud providers, AWS secures the underlying environment (Lambda, in this case) while the customer is responsible for their own data and Lambda functions. Put another way, if Denonia ends up in your Lambda environment, it is most likely because you did not adequately secure or defend it.
The malware also bundles several third-party Go libraries, including tooling for building Lambda functions, helpers for retrieving contextual information from a Lambda invoke request, the generic AWS SDK for Go, and a DNS-over-HTTPS library for Go, according to the infosec team.
The use of DNS-over-HTTPS (DoH) is intriguing, according to Muir. DoH encrypts DNS queries by sending domain name lookups over HTTPS, which he describes as a “very rare decision” for malware authors. The strategy does, however, offer a few advantages.
Other security researchers see Denonia as a sign of continuing confusion about the shared-responsibility security model, particularly with newer computing models such as serverless functions.
In an email, Oliver Tavakoli, CTO of AI security firm Vectra, said that shared accountability “sounds fantastic as an abstract notion.” However, he said that many Lambda users are unaware of the security consequences.
“Cloud service providers have a responsibility to educate their clients about these consequences and to choose defaults that maximise the chance of secure deployments over those that decrease deployment friction while exposing customers to poorly understood risk,” he said.