Security researchers at PureSec have discovered an attack method that enables hackers to mine cryptocurrency in hijacked serverless computing environments.
The attack has yet to be discovered in the wild, but the proof-of-concept executed by PureSec should be enough to give anyone using serverless computing in the cloud cause for concern: A successful attack would leave an affected organization with a massive bill for all the resources used by the crypto hijacker.
All an attacker requires to start mining cryptocurrency in a serverless environment is a single vulnerable serverless function. If the attacker can use remote code execution to gain access to one function, researchers found, they could scale the attack up to eat all available resources.
Serverless cryptomining can also be done under the radar, meaning that the victim would be unaware that their serverless environment was affected until the bill comes at the end of the month.
How an attacker can steal serverless functions for cryptomining
The team from PureSec said that it was able to exploit serverless functions from three leading cloud providers (the report doesn’t specify which ones), tricking them via remote code execution into downloading off-the-shelf cryptomining software during function execution, installing it, and running it alongside the function’s normal tasks.
Serverless environments are designed to scale based on computing needs, but there’s no way for those environments to tell what’s a legitimate need and what’s being performed for a hijacker. By exploiting the autoscaling nature of serverless computing, the PureSec team was able to force the cryptomining function to scale until the instance reached its computing power limit.
“The team managed to abuse a single vulnerable serverless function and by harnessing the auto-scaling nature of serverless platforms, to turn the single function into a ‘virtual crypto-mining farm’ capable of producing meaningful cryptomining results that are cost effective for the attacker,” PureSec said.
PureSec cites two reasons why the likelihood of a serverless cryptomining hijack in the wild is high: It’s easy to accomplish and it’s nearly impossible to protect against using conventional cybersecurity means.
“Many serverless consumers are still struggling with application security of their serverless functions. This allows attackers to perform crypto-mining activities under the radar, without being spotted,” PureSec said. Traditional server-level security tools are irrelevant for serverless environments, meaning some other solution is needed to protect them against such attacks.
How to protect serverless environments against hijack
If you’re looking for a simple solution to serverless computing hijack, you’re out of luck: it’s not easy to mitigate. PureSec said that the only current way to mitigate the attack is by using a Serverless Security Runtime Environment (SSRE), which PureSec happens to sell.
Other SSRE solutions are available as well, and the conclusion to take away is clear: Custom-built serverless computing security suites are necessary, and if you’re not running one you should strongly consider it, unless you want to open that serverless bill in a cold sweat every month.
The big takeaways for tech leaders:
- A recently discovered serverless computing vulnerability could allow an attacker to max out your cloud resources mining cryptocurrency by hijacking a single function.
- While not yet seen in the wild, this exploit could appear soon since it has the potential to be incredibly lucrative for hackers. Protect your serverless environments with security tools made for that purpose now.