AWS Lambda is a service provided by Amazon Web Services that allows users to execute code without having to manage a server. AWS states that Lambda is a “serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.” Many cyber attacks have hit big businesses this year, but more recently a group of cybercriminals found an exploit in AWS Lambda that lets them run the newly discovered malware Denonia.
Denonia is a malware named after the domain it communicates with, gw.denonia.xyz. The malware is written in the Go programming language and is used to mine the cryptocurrency Monero (XMR) with a custom version of the XMRig mining software. As of now it is unknown how this malware is actually deployed, but an initial statement from Cado Security explains: “It may simply be a matter of compromising AWS Access and Secret keys then manually deploying into compromised Lambda environments, as we've seen before with more simple Python scripts.”
Amazon Web Services has issued a statement regarding this attack:
“Lambda is secure by default, and AWS continues to operate as designed. Customers are able to run a variety of applications on Lambda, and this is otherwise indistinguishable to discovering the ability to run similar software in other on-premises or cloud compute environments. That said, AWS has an acceptable use policy (AUP) that prohibits the violation of the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device, and anyone who violates our AUP will not be allowed to use our services.”
“The software described by the researcher does not exploit any weakness in Lambda or any other AWS service. Since the software relies entirely on fraudulently obtained account credentials, it is a distortion of facts to even refer to it as malware because it lacks the ability to gain unauthorized access to any system by itself. What’s more, the researchers even admit that this software does not access Lambda, and that when run outside of Lambda in a standard Linux server environment, the software performed similarly. It is also important to note that the researchers clearly say in their own blog that Lambda provides enhanced security over other compute environments in their own blog: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment but it is up to the customer to secure functions themselves’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment.’”
A few ways to protect against Denonia:
1) Try not to use the root account for daily tasks; use IAM users or roles with only the permissions they need.
2) Enable multi-factor authentication on your AWS root account for an extra layer of protection.
3) Delete the access key for your AWS root account. If you genuinely need an access key, rotate it routinely.
4) Do not share your root credentials or access keys with any unauthorized users.
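The four items above can be checked from the IAM credential report, which AWS returns as CSV from `aws iam get-credential-report`. The script below is an added example written for this post, not code from Cado Security or AWS: it parses that report offline and flags a root account without MFA, an active root access key, recent root use, and any access key older than a rotation limit. The report column names follow the real credential-report format; the two-row report embedded in the script is a constructed sample, and the account id, user name and timestamps in it are made up.

```python
"""Audit an IAM credential report for the root-account hygiene items above.

Added example, not from the original post. Input is the CSV body of
`aws iam get-credential-report` (after base64 decoding). SAMPLE_REPORT is a
constructed sample with a fictitious account id and user.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the root principal and one IAM user, both with stale keys.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2022-04-01T10:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,2022-04-01T10:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-01T00:00:00+00:00,2022-04-05T12:00:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A
"""

# Fixed "current time" so the sample audit is reproducible (constructed).
AS_OF = datetime(2022, 4, 10, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean unknown."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=None, max_key_age_days=90):
    """Return a list of (principal, finding) tuples for the hygiene rules above."""
    now = now or datetime.now(timezone.utc)
    max_age = timedelta(days=max_key_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"  # how the report names the root principal

        # Rule 2: root must have MFA enabled.
        if is_root and row["mfa_active"] != "true":
            findings.append((user, "root account has no MFA enabled"))

        # Rule 3: root should have no access key; every active key must be rotated.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key (slot {slot})"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > max_age:
                age = (now - rotated).days
                findings.append((user, f"access key {slot} is {age} days old (limit {max_key_age_days})"))

        # Rule 1: root used for day-to-day work shows up as a recent root console login.
        if is_root:
            last = _parse_time(row["password_last_used"])
            if last is not None and now - last < timedelta(days=30):
                findings.append((user, "root credentials used within the last 30 days"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample at the fixed AS_OF time."""
    return audit_credential_report(SAMPLE_REPORT, now=AS_OF)


if __name__ == "__main__":
    for principal, finding in audit_sample():
        print(f"{principal}: {finding}")
```

To run it against a real account, decode the report first (`aws iam get-credential-report --query Content --output text | base64 -d`) and pass the resulting text to `audit_credential_report`; the 90-day limit and the 30-day root-use window are policy choices, not AWS defaults.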