‘Denonia’ research points to new potential cloud cyber threat, experts say


Research highlighting the potential for malware to target serverless computing platforms raises awareness of potential avenues for threat actors that many businesses have not considered before, security experts told VentureBeat.

On Wednesday, Cado Security – which provides a platform for cloud investigation and response to cyber incidents – published a blog post with its findings on new malware. Cado researchers named the malware “Denonia” after the domain with which the attackers communicated and said it was used on Amazon Web Services’ serverless platform, AWS Lambda, to enable cryptocurrency mining.

In a statement, AWS said that “the software described by the researcher does not use any vulnerabilities in Lambda or any other AWS service.”

“The software relies entirely on fraudulently obtained account credentials,” AWS said, adding that “Denonia” does not really constitute malware “because it lacks the ability to automatically gain unauthorized access to any system.”

‘Never waste time’

However, cyber security experts told VentureBeat that Cado’s research is still valuable to the security community.

“It’s never too late to analyze what the attackers are doing,” said John Bambanek, chief threat hunter at IT and security operations firm Netenrich. “If we don’t understand what criminals do, cybersecurity is a fantasy.”

Casey Bissen, head of product and developer relationships at code security solutions firm BlueBracket, said “major security improvements can only be achieved if people are aware of the problems and work together to solve them.”

“There is nothing in the report to suggest that AWS’s infrastructure is technically sensitive. But in a practical sense, it is a sensitive target because it is more difficult to monitor and account for resources on Lambda than on virtual machines, and the tools to operate it are less mature,” said Bissen.

As a result, it would be a great opportunity for AWS to suggest that its customers formulate specific Lambda policies – such as requiring signed code – as a way to ensure that the workloads running there are genuine, he said.

Ultimately, the value in Cado’s research is “to show what is possible if the risky actor can get his code to run in a targeted Lambda environment” – even if the research does not reveal any real exploitation, said Mike Parkin of Vulcan Cyber.

“How will the attacker deploy [Denonia]? That’s a completely different question,” said Parkin.

Lambda is a popular AWS service for running application code without the need to provision or manage servers.

‘Not enough’

If nothing else comes out of the Cado research report, “it highlights that the use of Amazon Lambda is not enough from a cyber security standpoint,” Bambanek said.

“It’s critical if organizations are going to adopt a shared security model, that they know exactly where the division of responsibilities is,” he said.

The shared responsibility model – a concept that is not unique to AWS – specifies who is responsible for what when it comes to security in the public cloud. AWS summarizes its share of responsibility as “security of the cloud,” which includes infrastructure such as compute, storage and networking. Customers are responsible for everything else – that is, “security in the cloud.”

But the line where responsibilities are divided may be blurred in some cases, as in the case with Lambda, Bambanek said.

Who protects what?

While AWS itself protects the Lambda environment – and customers should know that they should protect their own account credentials and code – the issue of how account takeovers are handled is not so straightforward, according to Bambanek.

AWS has suggested that this part is actually the customer’s responsibility, but many customers believe that AWS should investigate the issue of account takeover, he said.

Regardless, it’s “probably a no-brainer” for AWS to provide detection and prevention around crypto mining in its own environment, Bambanek said.

In a statement, AWS noted that “the [Cado] researchers also acknowledge that the software does not access Lambda – and that the software works the same way when it is run in a standard Linux server environment outside Lambda.”

“It is also important to note that the researchers explicitly state in their own blog that Lambda offers enhanced protection over other compute environments: ‘Under the AWS Shared Responsibility model, AWS protects the Lambda execution environment but depends on the customer to protect its own operations,’ and ‘systematic runtime environments reduce the level of attack compared to more traditional server environments,’” AWS said in a statement.
