Hacked serverless functions are a crypto-gold mine for miscreants

Infosec bods warn of poorly secured tools auto-scaling, landing a jackpot for crooks

PureSec, a maker of security software for serverless apps, has been poking about various cloud service providers, and found that hosted functions offer a shortcut to illicit crypto-mining.

Crypto-mining attacks that hijack processing power do best with mass distribution. Those who can harness large numbers of processors – CPUs, GPUs, ASICs – for the proof-of-work calculations needed to generate digital currency can expect better returns than less focused schemes.

Generally, this requires widespread malware distribution or the spamming of weblinks to take intended victims to a central distribution point, such as a compromised website. This website would run crypto-mining code in JavaScript on the page in the visiting browser.

Cloud-based servers present a tempting target, but compromising a large enough number of compute instances on cloud infrastructure providers tends to be difficult. Attackers can scan millions of servers for remote code execution flaws in hosted software – e.g. Drupal – but that sort of thing tends to get noticed and shut down before long.

Serverless computing, specifically functions-as-a-service offerings – AWS Lambda, Azure Functions, Google Cloud Functions and IBM Cloud Functions – presents an easy way to reach critical mass: auto-scaling.

I think I'm a clone now

Serverless functions provide distribution through self-replication. They can clone themselves on demand, allowing an attacker to turn one vulnerable hosted function into potentially thousands of compute instances simply by making repeated requests to the function.

"One vulnerability is enough," says PureSec in a report scheduled for public release on Tuesday. "Attackers only need to find a single vulnerable serverless function and abuse the inherent auto-scaling nature of the serverless platform in order to mimic the work of hundreds to thousands of machines working in parallel."

Auto-scaling is not a bug but a feature, one that magnifies the potential impact of bugs that do exist. And while serverless functions improve security in some ways – platform providers tend to keep servers up-to-date and patched – they can still include common application-level flaws like vulnerability to cross-site scripting or SQL injection. And then there's the issue of bugs in required libraries.

What's more, the focused nature of this particular attack vector – a single account – makes it more difficult to detect than, say, a sprawling botnet that includes millions of machines.

The risk for victims, beyond the usual remediation headaches, is a massive bill from spinning up thousands of servers – AWS Lambda, for example, has a concurrent execution limit of 1,000 by default.

PureSec, keen to pitch its code as a cure for this ill, suggests the bill for victims could reach US$120,000 per month. Cost-conscious cloud customers, however, are at least likely to have set up billing alerts to send word when costs skyrocket.

It should also be possible to shut down cloud computing resources programmatically once expenses reach a specified point, but none of the major cloud providers appear to offer this out of the box – it appears they'd rather not make it too easy for customers to limit spending. ®
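The billing alert and the programmatic cut-off mentioned above can be approximated from the function's own logs. The following is an added example, not code from PureSec or any cloud provider: it parses the REPORT line AWS Lambda writes for every invocation (the leading ISO timestamp is assumed to come from the log export), aggregates billed GB-seconds per minute, flags minutes that look like an auto-scaling burst, and finds the request at which a spending budget is first exceeded. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# REPORT line Lambda writes per invocation; the leading ISO timestamp is
# assumed to be prefixed by the log export (constructed format, see below).
REPORT_RE = re.compile(r"^(?P<ts>\S+) REPORT RequestId: (?P<rid>\S+) Duration: "
                       r"[\d.]+ ms Billed Duration: (?P<billed>\d+) ms Memory Size: (?P<mem>\d+) MB")

def parse_report(line):
    """Return (timestamp, request id, billed GB-seconds), or None for other lines."""
    m = REPORT_RE.match(line)
    if not m:
        return None
    return m["ts"], m["rid"], int(m["billed"]) / 1000 * int(m["mem"]) / 1024

def per_minute_profile(lines):
    """Invocation count and billed GB-seconds per calendar minute ('YYYY-MM-DDTHH:MM')."""
    profile = defaultdict(lambda: [0, 0.0])
    for ts, _rid, gbs in filter(None, map(parse_report, lines)):
        profile[ts[:16]][0] += 1
        profile[ts[:16]][1] += gbs
    return dict(profile)

def flag_bursts(lines, max_invocations, max_gb_seconds):
    """Minutes whose call volume or compute bill looks like a scaling burst."""
    return sorted(minute for minute, (n, gbs) in per_minute_profile(lines).items()
                  if n > max_invocations or gbs > max_gb_seconds)

def budget_trip_point(lines, gb_second_budget):
    """Request id at which cumulative spend first exceeds the budget, or None;
    an automated cut-off (e.g. throttling the function) would hang off this."""
    total = 0.0
    for _ts, rid, gbs in filter(None, map(parse_report, sorted(lines))):
        total += gbs
        if total > gb_second_budget:
            return rid
    return None

def build_sample():
    """Constructed export: three quiet minutes, then 60 slow 1 GB calls in one minute."""
    quiet = [f"2018-05-01T10:0{m}:15Z REPORT RequestId: q{m} Duration: 95.10 ms "
             "Billed Duration: 100 ms Memory Size: 512 MB Max Memory Used: 60 MB"
             for m in range(3)]
    start = ["2018-05-01T10:03:00Z START RequestId: b00 Version: $LATEST"]  # ignored
    burst = [f"2018-05-01T10:03:{s:02d}Z REPORT RequestId: b{s:02d} Duration: 4950.00 ms "
             "Billed Duration: 5000 ms Memory Size: 1024 MB Max Memory Used: 900 MB"
             for s in range(60)]
    return quiet + start + burst
```

Thresholds should be tuned per function from its normal profile; the quiet minutes here bill 0.05 GB-seconds each, while the burst minute bills 300.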

Biting the hand that feeds IT © 1998–2022