Denonia Malware Shows Evolving Cloud Threats

Cloud security is constantly evolving and consistently different than defending on-premises assets. Denonia, a recently discovered serverless cryptominer, drives home the point.

Fernando Montenegro, Senior Principal Analyst, Omdia

April 20, 2022


One of the more important points to get across when addressing cloud security is to make it clear to all involved that cloud security is not only different, but that it keeps evolving. If security professionals needed a reminder of this, they need to look no further than the recent discovery of Denonia, a cryptominer that operates in serverless environments.

Denonia was found by the Cado Security research team, which released details a few days ago. Denonia is a Go-based cryptominer malware, and it appears to be the first such malware to specifically exploit AWS Lambda, the well-known serverless function execution service. The researchers indicate that Denonia was not widely disseminated and that it executes the XMRig mining software to steal CPU cycles for mining Monero, while using techniques such as DNS-over-HTTPS (DoH) for evasion. The initial deployment mechanism is unknown but may be a matter of overprivileged environments.

While small in scope, Denonia is notable for its use of the cloud technology stack as intended — it's a Lambda function executing on a Linux environment like any other. This is interesting, as it means similar malware can execute in other serverless function execution environments from other cloud providers as well.

How the Vulnerabilities Differ

To be clear, this is different than some of the vulnerabilities that have been reported across major providers recently, such as ChaosDB (a flaw in Azure's CosmosDB service found by the Wiz security team last year), AWS CloudFormation and AWS Glue issues found by Orca Security, and some of the Google Cloud GKE vulnerabilities raised by the Palo Alto Networks Unit 42 security research team. In those cases, the cloud providers worked directly with the research teams to address those issues.

When discussing cloud security, too often we hear some confusion about security responsibilities. While cloud providers have worked to clarify some of this via their different "shared responsibility models," end-user organizations retain the overall responsibility for securing their cloud estates. Cloud providers are responsible for the structural security of the cloud environment itself, but customers are responsible for the workloads. This includes both ensuring that environments have been properly configured with the adequate mixture of configurations that yield capabilities and privileges — often the realm of cloud security posture management (CSPM) and cloud permissions management (CPM) offerings — and also ongoing monitoring of the multiple events taking place within those cloud estates, which may fall under cloud workload protection platforms (CWPP) or even cloud detection and response (CDR).
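An added example, not from the article or from Cado Security's research: a minimal posture check of the kind the paragraph above assigns to CSPM/CPM tooling, flagging IAM policy statements that let a principal deploy or replace Lambda code. The sample policy and its account ID are constructed, and Condition, NotAction and Deny evaluation are left out as a stated simplification.

```python
import fnmatch

# IAM actions that let a principal deploy or replace Lambda function code.
DEPLOY_ACTIONS = (
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "iam:PassRole",
)

def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return one finding per Allow statement that grants Lambda deploy rights.

    Simplification (assumption of this example): Condition, NotAction and
    explicit Deny are not evaluated, so a finding means "review this
    statement", not "proven reachable".
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain * and ?.
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        granted = sorted(
            act for act in DEPLOY_ACTIONS
            if any(fnmatch.fnmatchcase(act.lower(), p) for p in patterns)
        )
        if granted:
            findings.append({
                "statement": idx,
                "sid": stmt.get("Sid"),
                "grants": granted,
                "any_resource": "*" in _as_list(stmt.get("Resource")),
            })
    return findings

# Constructed sample policy; 111122223333 is a placeholder account ID.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CiDeploy", "Effect": "Allow",
     "Action": ["lambda:Update*", "iam:PassRole"], "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:GetLogEvents",
     "Resource": "arn:aws:logs:*:111122223333:log-group:/aws/lambda/*"},
]}
```

A statement flagged with `any_resource` set is the first candidate for scoping down to specific function and role ARNs.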

The lesson to be learned from the discovery of Denonia, then, is that cloud security keeps evolving: Runtime threats against an organization are not simply the same malware that would execute on a virtual machine. They have evolved to target containers — indeed, exposed container management interfaces or those with poor authentication are often used to launch unauthorized workloads — and now serverless workloads. Organizations looking to address this dynamic need to have the right elements of people, processes, and technology to properly understand the new threat landscape, to look deeply into their cloud stack, and to work together with their cloud engineering and development teams.

About the Author(s)

Fernando Montenegro

Senior Principal Analyst, Omdia

Fernando Montenegro joined Omdia in 2021 as a Senior Principal Analyst on the Omdia Cyber research team, based in Toronto, Canada. He focuses on the Infrastructure Security Intelligence Service, which provides vendors, service providers, and enterprise clients with insights and data on network security, content security, and more.

Fernando’s experience in enterprise security environments includes network security, security architecture, cloud security, endpoint security, content security, and antifraud. He has a deep interest in the economic aspects of cybersecurity and is a regular speaker at industry events.

Before joining Omdia in 2021, Fernando was an industry analyst with 451 Research. He previously held a variety of operations, consulting, and sales engineering roles over his 25+ years in cybersecurity, always focusing on enterprise security at organizations including vArmour, RSA, Crossbeam, Hewlett Packard, and Nutec/Terra. Fernando holds a Bachelor of Science in computer science and different industry certifications.
