Denonia Malware Shows Evolving Cloud Threats

Cloud security is constantly evolving and consistently different from defending on-premises assets. Denonia, a recently discovered serverless crypto miner, drives home the point.

One of the more important points to get across when addressing cloud security is to make clear to all involved that cloud security is not only different but keeps evolving. If security professionals needed a reminder of this, they need look no further than the recent discovery of Denonia, a crypto miner that operates in serverless environments.

Denonia was found by the Cado Security research team, which released details a few days ago. Denonia is Go-based crypto-miner malware, and it appears to be the first such malware to specifically target AWS Lambda, the well-known serverless function execution service. The researchers indicate that Denonia was not widely disseminated and that it runs the XMRig mining software, stealing CPU cycles to mine Monero, while using techniques such as DNS-over-HTTPS (DoH) to evade detection. The initial deployment mechanism is unknown but may come down to overprivileged environments.

While small in scope, Denonia is notable for using the cloud technology stack exactly as intended: it is a Lambda function executing in a Linux environment like any other. This is interesting because it means similar malware could run in the serverless function execution environments of other cloud providers as well.

How the Vulnerabilities Differ
To be clear, this is different from some of the vulnerabilities reported across major providers recently, such as ChaosDB (a flaw in Azure’s CosmosDB service found by the Wiz security team last year), the AWS CloudFormation and AWS Glue issues found by Orca Security, and some of the Google Cloud GKE vulnerabilities raised by the Palo Alto Networks Unit 42 security research team. In those cases, the cloud providers worked directly with the research teams to address the issues.

When discussing cloud security, we too often hear confusion about who is responsible for what. While cloud providers have worked to clarify this through their various “shared responsibility models,” end-user organizations retain overall responsibility for securing their cloud estates. Cloud providers are responsible for the structural security of the cloud environment itself, but customers are responsible for their workloads. This includes both ensuring that environments are properly configured, with settings that grant only the capabilities and privileges actually needed — often the realm of cloud security posture management (CSPM) and cloud permissions management (CPM) offerings — and ongoing monitoring of the many events taking place within those cloud estates, which may fall under cloud workload protection platforms (CWPP) or even cloud detection and response (CDR).
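The customer-side responsibilities just described, configuration hygiene and event monitoring, can be illustrated with a small triage script. The following is an added example written for this article, not code from Cado Security or from AWS: it walks a handful of constructed CloudTrail-style records, flags Lambda deployment events performed by a principal outside an expected allow-list, and checks whether the function's execution role is attached to a wildcard IAM policy. The record layout follows CloudTrail's JSON fields, but the event-name prefixes, account id, ARNs, IP addresses and policy documents are assumptions invented for the example; a real deployment would read the trail from S3 or CloudWatch Logs and fetch role policies through the IAM API.

```python
"""Triage Lambda deployment events for unexpected actors and overprivileged roles."""

# Constructed CloudTrail-style records. Field names follow CloudTrail's JSON layout
# (eventSource, eventName, userIdentity, sourceIPAddress, requestParameters); every
# value (account id, ARNs, IPs, user names, function names) is invented.
SAMPLE_TRAIL = [
    {
        "eventSource": "lambda.amazonaws.com",
        "eventName": "UpdateFunctionCode20150331v2",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deployer"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"functionName": "order-webhook"},
    },
    {
        "eventSource": "lambda.amazonaws.com",
        "eventName": "CreateFunction20150331",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-temp"},
        "sourceIPAddress": "198.51.100.77",
        "requestParameters": {
            "functionName": "img-resize",
            "role": "arn:aws:iam::111122223333:role/lambda-admin-all",
        },
    },
    {
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/reader/x"},
        "sourceIPAddress": "203.0.113.10",
        "requestParameters": {"bucketName": "reports", "key": "q1.csv"},
    },
]

# Constructed IAM policy documents keyed by execution-role ARN (assumed to have been
# fetched separately; the wildcard policy is the overprivileged case).
ROLE_POLICIES = {
    "arn:aws:iam::111122223333:role/lambda-admin-all": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "arn:aws:iam::111122223333:role/order-webhook-exec": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/aws/lambda/order-webhook:*",
        }],
    },
}

# Constructed allow-list of principals expected to deploy function code.
EXPECTED_DEPLOYERS = {"arn:aws:iam::111122223333:user/ci-deployer"}

# Lambda CloudTrail event names carry API-version suffixes, so match on prefix.
DEPLOY_EVENT_PREFIXES = ("CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration")


def is_lambda_deploy(event):
    """True for events that create or change a Lambda function's code or config."""
    return (event.get("eventSource") == "lambda.amazonaws.com"
            and event.get("eventName", "").startswith(DEPLOY_EVENT_PREFIXES))


def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single string or a list.
    return value if isinstance(value, list) else [value]


def policy_is_overprivileged(policy):
    """True if any Allow statement grants a wildcard action on every resource."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            return True
    return False


def triage(trail, role_policies, expected_deployers):
    """Return one finding per suspicious deployment event, with the reasons."""
    findings = []
    for ev in trail:
        if not is_lambda_deploy(ev):
            continue
        params = ev.get("requestParameters", {})
        actor = ev.get("userIdentity", {}).get("arn", "")
        reasons = []
        if actor not in expected_deployers:
            reasons.append("deploy by unexpected principal")
        role = params.get("role")
        if role and policy_is_overprivileged(role_policies.get(role, {})):
            reasons.append("execution role allows wildcard action on all resources")
        if reasons:
            findings.append({
                "function": params.get("functionName", "?"),
                "event": ev["eventName"],
                "actor": actor,
                "sourceIPAddress": ev.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL, ROLE_POLICIES, EXPECTED_DEPLOYERS):
        print(f)
```

On the sample data the routine flags only the `img-resize` creation: it came from a principal outside the allow-list and was given a role whose policy allows `*` on `*`. The routine-looking code update by `ci-deployer` and the unrelated S3 read produce no finding, which is the point of pairing an actor allow-list (monitoring) with a role-policy check (configuration) rather than alerting on every Lambda change.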
