Crypto-jacking threats have largely (but not exclusively) been confined to the browser. Worryingly, new research from Israeli cybersecurity firm PureSec demonstrates how cryptocurrency mining scripts could be surreptitiously deployed within serverless applications.
The research was demonstrated in the company’s new report, called “New Attack Vector: Serverless Crypto-Mining.”
This type of attack has significant implications for companies who deploy serverless applications on platforms like AWS Lambda and Microsoft Azure, as it could result in an attacker establishing their own vast crypto-mining operation at their expense.
Researchers from PureSec were able to force serverless functions to automatically download an off-the-shelf crypto-mining script. This operated in parallel, and didn’t affect the ordinary execution of the application, allowing it to effectively steal computing power in stealth.
PureSec’s researchers also managed to get the serverless code to scale, launching several instances of the malicious code, until it reached the limitations of the platform.
This means an attacker could create a massive mining operation, and the victim would only find out when they received an exorbitant hosting bill in the mail.
PureSec tested its attack on three different serverless hosting providers – although it didn’t mention which ones. The company emphatically states that this isn’t an issue with the providers, but rather with the auto-scaling features at the heart of serverless technology.
“Serverless applications are a crypto-jackers’ dream,” explained Ory Segal, PureSec co-founder and CTO.
“They scale automatically, and a hacker can easily turn a single vulnerable function into a virtual crypto-mining farm almost instantly. The same strengths and benefits that make serverless ideal for many software companies also attract malicious actors. Like any new technology, serverless brings new security challenges.”
A huge problem with mitigating risks is that serverless computing is still relatively new. Nobody really has any long-term experience with it – especially when compared to traditional application hosting approaches.
This inexperience means that companies will struggle to identify and mitigate against attacks, explained Shaked Zin, PureSec co-founder and CEO.
“Because serverless architectures are so new, companies are still struggling to learn how to protect their applications from attacks,” he said.
You can read PureSec’s report here.