AWS Lambda serverless

Cado Security researchers claim to have identified the first publicly known malware targeted against Amazon Web Services’ serverless computing technology, AWS Lambda, indicating a new cloud vulnerability that organisations should be aware of.

“Because serverless is such a new technology, security protections may be disregarded,” said Matt Muir, one of the Cado Security researchers who found the malware targeting AWS Lambda. The malware was dubbed “Denonia” after the domain with which the attackers communicated, and the researchers claim that it was used to facilitate cryptocurrency mining.

The arrival of malware targeting AWS Lambda signals that further serious cyberattacks against the service are likely. Cado Security stated that it had informed AWS of its findings. “Lambda is secure by default, and AWS continues to operate as designed,” AWS said in a statement in response to a question regarding the reported malware detection. “Customers can run a variety of apps on Lambda,” the statement added, noting that the company’s acceptable use policy bans the compromise of the security of any of its systems.

Detection lacking

Serverless environments, according to Chris Doman, co-founder and CTO of Cado Security, will follow a similar threat trajectory to container environments, which are now frequently hit by malware attacks. This means, among other things, that threat detection in serverless settings will have to catch up, according to Doman.

“Because existing security tools don’t have that visibility, the new approach of running code in serverless settings necessitates new security solutions.” “They won’t be able to see what’s going on,” Doman predicted. “It’s simply so unique.” Cado Security, which provides a platform for investigating and responding to cloud cyber issues, does not provide serverless detection tools.

Many companies hold the misconception that “simply because something is serverless, it must be perfectly safe.” But that isn’t the case. “If you can run code on it — especially if it’s a popular service — then an attacker will almost certainly be able to get in.” The attackers left few clues, so the Cado experts haven’t been able to figure out who was behind the Denonia malware.

According to the researchers, the attack used unusual address resolution techniques to obscure domain names, making it easier for the malware to communicate with other servers while avoiding detection. The absence of evidence and the use of unusual approaches, combined with the fact that malware targeting AWS Lambda had never been seen before, indicate that the threat actors behind the attack have sophisticated knowledge, according to the Cado experts. According to Muir, the attack most likely involved the compromise of an AWS account.

A bigger target

Other reasons for organisations to expect Lambda to be increasingly targeted by threat actors in the future include the growing use of AWS Lambda for running application code without the need to provision or manage servers. Misconfigurations that expose data in Amazon S3 buckets have become less common in recent years, thanks in part to AWS’s own warnings when a user is about to make a mistake, according to Doman.

But a misconfigured bucket isn’t the only way a malicious actor might gain access to S3 data; another option is to go through a service that connects to S3. And it’s “quite usual” for Lambda to be granted access to S3, implying that attackers may try to use Lambda in the future to reach S3 bucket data, according to Doman. Such data, he said, frequently contains personally identifiable information (PII), such as credit card numbers.
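The point above is that a Lambda function's execution role is often the path from stolen function credentials to bucket contents. The following audit script is an added example, not Cado Security's or AWS's code: it walks IAM policy documents of the kind attached to an execution role and flags Allow statements that grant S3 data access account-wide (resource `*` or `arn:aws:s3:::*`). The two policy documents, the account ID and the bucket name `example-invoices` are constructed samples, not values from the article.

```python
"""Audit IAM policy documents for over-broad S3 grants on a Lambda role.

Added example, not code from Cado Security or AWS. It illustrates the
article's point that Lambda functions are commonly given S3 access: a
defender can check an execution role's policy documents for statements
that would let a compromised function read every bucket in the account.
All policy documents below are constructed samples, not real account data.
"""
import fnmatch
import json

# Constructed sample: a typical "just make it work" execution role policy.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
    {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# Constructed sample: the same role scoped to one bucket prefix and the
# single action the function actually needs (hypothetical bucket name).
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Logs", "Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:*"},
    {"Sid": "ReadInvoices", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-invoices/incoming/*"}
  ]
}
""")

# S3 actions that return object contents or enumerate what exists. A grant
# covering any of these against every bucket is what the audit looks for.
DATA_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                "s3:ListBucket", "s3:ListAllMyBuckets"}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(pattern, action):
    """IAM action patterns are case-insensitive globs using '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_is_account_wide(resource):
    """True when the resource ARN matches every bucket (or everything)."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")


def find_broad_s3_grants(policy):
    """Return (Sid, action_pattern, resource) for each Allow statement that
    grants S3 data access to every bucket. An empty list means no finding."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        # NotAction/NotResource invert the match and almost always grant far
        # more than an execution role needs, so report them outright.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource", "(inverted match)"))
            continue
        for pattern in _as_list(stmt.get("Action")):
            if not any(_action_covers(pattern, a) for a in DATA_ACTIONS):
                continue  # this pattern grants no S3 data access
            for res in _as_list(stmt.get("Resource")):
                if _resource_is_account_wide(res):
                    findings.append((sid, pattern, res))
    return findings


if __name__ == "__main__":
    for name, doc in (("BROAD_POLICY", BROAD_POLICY), ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, "->", find_broad_s3_grants(doc) or "no account-wide S3 grants")
```

Running the script reports the `AllS3` statement of the broad policy and nothing for the scoped one. The check is deliberately conservative: it only flags grants that reach every bucket, so a policy scoped to one bucket still passes even if that bucket holds PII, which is the residual risk the article describes.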

“You may lose some pretty valuable data if that was breached [through Lambda],” Doman added. AWS updated its statement to say that “the programme presented by the researcher does not exploit any vulnerabilities in Lambda or any other AWS service,” according to VentureBeat. “The software is completely reliant on fraudulently obtained account credentials,” AWS explained, adding that “Denonia” isn’t actually malware because it “lacks the ability to gain unauthorised access to any system on its own.”

“What’s more, the researchers admit that this software doesn’t use Lambda — and that it performed similarly outside of Lambda in a typical Linux server environment,” AWS noted in a statement.

“It’s also worth noting that the researchers explicitly state in their blog that Lambda provides enhanced security over other compute environments: ‘under the AWS Shared Responsibility model, AWS secures the underlying Lambda execution environment, but it’s up to the customer to secure functions themselves,’ and ‘the managed runtime environment reduces the attack surface compared to a more traditional server environment.’”