Hacked serverless functions are a crypto-gold mine for miscreants
Infosec bods warn of poorly secured tools auto-scaling, landing a jackpot for crooks
PureSec, a maker of security software for serverless apps, has been poking about various cloud service providers, and found that hosted functions offer a shortcut to illicit crypto-mining.
Crypto-mining attacks that hijack processing power do best with mass distribution. Those who can harness large numbers of processors – CPUs, GPUs, ASICs – for the proof-of-work calculations needed to generate digital currency can expect better returns than less focused schemes.
Cloud-based servers present a tempting target, but compromising a large enough number of compute instances on cloud infrastructure providers tends to be difficult. Attackers can scan millions of servers for remote code execution flaws in hosted software – e.g. Drupal – but that sort of thing tends to get noticed and shut down before long.
Serverless computing, specifically functions-as-a-service offerings – AWS Lambda, Azure Functions, Google Cloud Functions and IBM Cloud Functions – present an easy way to reach critical mass: auto-scaling.
I think I'm a clone now
Serverless functions provide distribution through self-replication. They can clone themselves on demand, allowing an attacker to turn one vulnerable hosted function into potentially thousands of compute instances simply by making repeated requests to the function.
"One vulnerability is enough," says PureSec in a report scheduled for public release on Tuesday. "Attackers only need to find a single vulnerable serverless function and abuse the inherent auto-scaling nature of the serverless platform in order to mimic the work of hundreds to thousands of machines working in parallel."
Auto-scaling is not a bug but a feature, one that magnifies the potential impact of bugs that do exist. And while serverless functions improve security in some ways – platform providers tend to keep servers up-to-date and patched – they can still include common application-level flaws like vulnerability to cross-site scripting or SQL injection. And then there's the issue of bugs in required libraries.
What's more, the focused nature of this particular attack vector – a single account – makes it more difficult to detect than, say, a sprawling botnet that includes millions of machines.
The risk for victims, beyond the usual remediation headaches, is a massive bill from spinning up thousands of servers – AWS Lambda, for example, has a concurrent execution limit of 1,000 by default.
PureSec, keen to pitch its code as a cure for this ill, suggests the bill for victims could reach US$120,000 per month. Cost-conscious cloud customers, however, are likely at least to have set up billing alerts to send word when costs skyrocket.
It should also be possible to shut down cloud computing resources programmatically once expenses reach a specified point, but none of the major cloud providers appear to offer this out of the box – it appears they'd rather not make it too easy for customers to limit spending. ®