April 12, 2022
Attackers were able to exploit and infiltrate AWS Lambda services using Denonia malware.
AWS Lambda is a server-less computing service provided by Amazon Web Services that allows code execution without server deployment or management.
While the process of compromise remains unknown, information about Denonia state that the malware uses the DNS protocol to encrypt DNS requests as HTTPS traffic.
This allows the malware to bypass detection and communicate in environments where DNS queries are blocked or unauthorized.
Once running, Denonia launches XMRig, a software to extract the cryptocurrency Monero. The malware then communicates with the IP address obtained from the DNS query on port 3333, a Monero mine pool.
While the investigation of the malware is still ongoing, there are now security tips for organizations. AWS customers need to keep AWS account information secure and not share it. Organizations are also recommended to activate multifactor authentication for each account.
Organizations should only use SSL/TLS (1.2 or later) protocols to communicate with AWS resources and API, and user activity should be enabled with AWS CloudTrail.
Businesses must ensure that all hardware used to access AWS Lambda is always up to date. In addition, the operating system should be patched to reduce the risk of infection by malware while working with AWS.
The sources for this piece include an article in TechRepublic.
