Serverless

Information

• Name: Serverless

• ID: T1584.007

• Tactics: TA0042

• Technique: T1584

Introduction

Serverless (T1584.007) is a sub-technique within the MITRE ATT&CK framework under the parent technique "Compromise Infrastructure (T1584)." It specifically refers to adversaries leveraging serverless computing environments, such as AWS Lambda, Azure Functions, or Google Cloud Functions, to execute malicious operations without the need to manage infrastructure directly. By exploiting these cloud-native, event-driven platforms, attackers can host malicious code, perform command-and-control (C2) operations, or automate tasks while benefiting from reduced visibility, increased scalability, and minimal maintenance overhead.

Deep Dive Into Technique

Serverless computing platforms allow users to execute code in response to events without explicitly managing server infrastructure. Attackers exploit these platforms due to their ephemeral nature, difficulty in monitoring, and built-in scalability. Technical details include:

• Execution Methods:

  • Deploying malicious code through compromised cloud service credentials or misconfigured permissions.

  • Utilizing automated CI/CD pipelines or stolen API keys to push malicious functions into legitimate cloud environments.

  • Triggering malicious serverless functions via webhooks, API calls, or cloud events.

• Mechanisms:

  • Serverless functions typically run in isolated containers or runtimes, offering attackers a layer of abstraction and stealth.

  • Attackers may leverage cloud-native event triggers (HTTP requests, database changes, message queues) to execute malicious payloads automatically.

  • Functions can be chained or orchestrated to form complex attack workflows, making detection and attribution challenging.

• Procedures:

  • Hosting command-and-control (C2) servers as ephemeral, serverless functions to evade traditional detection methods.

  • Automating data exfiltration by triggering functions upon specific events or schedules.

  • Using serverless functions as proxy layers to obfuscate traffic origins and complicate attribution.

When this Technique is Usually Used

Attackers can employ serverless techniques across various stages of an attack lifecycle, including:

• Initial Access and Persistence:

  • Deploying malicious payloads into compromised cloud accounts to establish persistent presence.

  • Creating backdoor functions triggered by legitimate cloud events to maintain stealthy access.

• Execution and Command-and-Control (C2):

  • Using serverless functions to execute malicious scripts or commands remotely, providing attackers with flexible control channels.

  • Hosting C2 infrastructure in ephemeral serverless environments to evade detection and attribution.

• Data Exfiltration:

  • Automatically triggering functions to export sensitive data from cloud storage, databases, or APIs.

  • Leveraging cloud-native functions to compress, encrypt, and transmit stolen data to attacker-controlled endpoints.

• Defense Evasion and Obfuscation:

  • Utilizing temporary, short-lived functions to avoid detection by traditional security monitoring tools.

  • Chaining multiple serverless functions across cloud providers and regions to complicate forensic analysis and attribution.

How this Technique is Usually Detected

Detection of malicious serverless activity requires specialized monitoring approaches due to its ephemeral and event-driven nature. Methods include:

• Cloud Infrastructure Monitoring:

  • Implementing cloud-native logging and monitoring tools (e.g., AWS CloudTrail, Azure Monitor, Google Cloud Audit Logging) to track function deployments, modifications, and executions.

  • Setting alerts for unusual or unauthorized deployments of serverless functions.

• Behavioral Analysis:

  • Monitoring for abnormal function execution patterns, such as sudden spikes in execution frequency, unusual invocation sources, or unexpected outbound network traffic.

  • Detecting changes in function runtime behavior or resource usage indicative of malicious activity.

• Identity and Access Management (IAM) Auditing:

  • Regularly auditing IAM policies and permissions to detect unauthorized or overly permissive access to serverless resources.

  • Identifying anomalous API calls or credential usage patterns that could indicate compromised cloud accounts.

• Network Traffic Analysis:

  • Analyzing outbound network traffic from serverless functions to detect suspicious destinations, unusual protocols, or data exfiltration attempts.

  • Implementing cloud-native network security solutions (e.g., AWS GuardDuty, Azure Security Center) to detect anomalies.

• Indicators of Compromise (IoCs):

  • Unrecognized or unauthorized serverless functions deployed in cloud accounts.

  • Functions with suspicious names, descriptions, or metadata.

  • Abnormal invocation patterns or unexpected resource consumption spikes.

  • Unusual outbound connections to known malicious IP addresses or domains.

Why it is Important to Detect This Technique

Early detection of malicious serverless activity is critical due to various potential impacts:

• Data Breaches and Exfiltration:

  • Attackers can automate sensitive data theft, leading to significant financial, operational, and reputational damage.

• Persistent and Stealthy Access:

  • Malicious serverless functions can provide attackers with persistent, stealthy footholds within cloud environments, complicating remediation efforts.

• Infrastructure Abuse:

  • Attackers may utilize victim cloud resources to launch further attacks, distribute malware, or conduct denial-of-service (DoS) operations, potentially implicating legitimate organizations.

• Financial Impact:

  • Unauthorized function executions can incur substantial costs due to increased resource consumption, leading to unexpected financial charges.

• Compliance and Regulatory Risks:

  • Undetected malicious activity can violate compliance standards (e.g., GDPR, HIPAA), resulting in legal penalties and regulatory scrutiny.

Detecting and mitigating this technique promptly helps prevent extensive damage, reduces remediation costs, and maintains organizational trust and compliance.

Examples

Real-world examples demonstrating the malicious use of serverless environments include:

• Denonia Malware (2022):

  • Malware specifically targeting AWS Lambda functions, leveraging compromised credentials to deploy cryptocurrency-mining payloads.

  • Attackers utilized stolen AWS credentials to deploy malicious Lambda functions, causing resource abuse and financial impact.

• TeamTNT Cloud Attacks (2021-2022):

  • TeamTNT attackers exploited misconfigured cloud environments, deploying malicious serverless functions to establish persistent backdoors and conduct cryptocurrency mining.

  • Utilized automated scripts to detect vulnerable cloud resources and deploy malicious functions across multiple cloud providers.

• Cado Security's Proof-of-Concept (2020):

  • Demonstrated successful deployment of malicious payloads within AWS Lambda functions, highlighting potential for stealthy data exfiltration and command-and-control operations.

  • Raised awareness of potential serverless attack vectors and the importance of monitoring cloud-native environments.

• Red Team Exercises and Penetration Tests:

  • Security researchers and penetration testers frequently demonstrate serverless abuse techniques, including automated data exfiltration, stealthy C2 channels, and privilege escalation in cloud environments.

  • These exercises underscore the importance of robust monitoring, IAM controls, and proactive threat detection in serverless environments.