Serverless Execution (T1648)
Serverless Execution [T1648]
Last updated
Serverless Execution [T1648]
Last updated
Name: Serverless Execution
ID: T1648
Tactics:
Serverless Execution is recognized in the MITRE ATT&CK framework as a technique (T1648) under the Execution tactic. Attackers exploit cloud-based serverless computing resources to execute malicious code without the need for managing traditional server infrastructure. Leveraging serverless platforms such as AWS Lambda, Azure Functions, or Google Cloud Functions, adversaries can run malicious workloads, evade traditional detection mechanisms, and obscure attribution due to the ephemeral and dynamic nature of serverless environments.
Serverless Execution involves utilizing cloud computing platforms that dynamically allocate resources to execute code snippets or functions without explicit provisioning or management of underlying infrastructure.
Technical details include:
Serverless Platforms:
AWS Lambda
Azure Functions
Google Cloud Functions
IBM Cloud Functions (Apache OpenWhisk)
Execution Methods:
Triggering malicious functions via HTTP requests, API calls, or event-driven triggers.
Embedding malicious payloads within legitimate serverless applications.
Exploiting misconfigured permissions or IAM roles to deploy unauthorized functions.
Mechanisms:
Attackers typically package malicious code in supported languages (Python, Node.js, Java, C#, Go) and deploy it as serverless functions.
Functions can be triggered through various events, such as file uploads, database changes, scheduled events, or API endpoints.
Ephemeral nature of serverless environments complicates forensic analysis, as execution environments are temporary and logs may be limited or transient.
Real-world Procedures:
Attackers have utilized compromised cloud credentials or API keys to deploy malicious serverless functions.
Functions are often used to exfiltrate sensitive data, establish command-and-control channels, execute cryptomining tasks, or perform lateral movement within cloud environments.
Adversaries may exploit overly permissive IAM policies or misconfigured cloud resources to escalate privileges and deploy malicious functions undetected.
Serverless Execution can appear in various attack scenarios and stages, including:
Initial Access:
Leveraging compromised credentials or API keys to deploy malicious serverless functions.
Execution Stage:
Running malicious code directly within cloud environments without traditional infrastructure.
Persistence:
Creating scheduled serverless functions to maintain continuous presence and re-establish access.
Defense Evasion:
Utilizing ephemeral and transient execution environments to evade traditional detection mechanisms.
Command and Control (C2):
Establishing covert communication channels via serverless functions triggered by legitimate cloud events.
Data Exfiltration:
Using serverless functions to extract sensitive data from cloud storage or databases to external attacker-controlled endpoints.
Resource Hijacking:
Deploying serverless functions for cryptomining or other resource-intensive tasks, exploiting cloud provider resources.
Detection of Serverless Execution involves monitoring cloud environments for suspicious activities and implementing specific security measures, including:
Cloud Provider Logs and Monitoring:
AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs for detecting unauthorized function deployments or executions.
Monitoring for unusual spikes in function invocations, resource usage, or billing anomalies.
Behavioral Analytics and Anomaly Detection:
Machine learning-based anomaly detection systems identifying abnormal patterns of serverless function usage.
Monitoring for unexpected geographic locations or IP addresses initiating serverless function deployments or executions.
IAM and Permissions Auditing:
Continuous auditing of IAM roles, policies, and permissions to detect overly permissive or unauthorized access.
Alerting on attempts to escalate privileges or unauthorized deployment of new serverless resources.
Network Traffic Analysis:
Analyzing outbound network traffic from serverless functions for unusual destinations or data transfer patterns indicative of data exfiltration or command-and-control activities.
Indicators of Compromise (IoCs):
Unusual serverless function names or descriptions.
Unexpected or unauthorized function deployments.
Suspicious API calls or unauthorized use of cloud provider APIs.
Unusual invocation patterns, timing, or triggers.
Unrecognized IP addresses or geographic locations associated with function deployments or executions.
Presence of unknown or unauthorized code repositories linked to serverless functions.
Early detection of Serverless Execution is crucial due to the following potential impacts on systems and networks:
Data Breach and Exfiltration:
Attackers can use serverless functions to silently exfiltrate sensitive data, leading to severe financial and reputational damage.
Resource Abuse and Financial Loss:
Unauthorized serverless functions can incur significant cloud resource consumption and financial costs through cryptomining or resource-intensive tasks.
Persistence and Difficulty in Remediation:
Serverless functions can serve as persistent backdoors or covert command-and-control channels, complicating remediation efforts.
Evasion of Traditional Detection Mechanisms:
The ephemeral nature of serverless environments may bypass traditional endpoint or infrastructure-based security controls, increasing detection complexity.
Compliance and Regulatory Risks:
Undetected malicious activities within serverless environments may lead to regulatory non-compliance, fines, and legal consequences.
Lateral Movement and Escalation:
Serverless functions may facilitate lateral movement within cloud environments, escalating privileges, and compromising additional resources.
Therefore, early detection and continuous monitoring of serverless execution activities are essential for maintaining cloud security posture and preventing significant damage.
Real-world examples involving Serverless Execution include:
Denonia Malware (2022):
Attack Scenario:
Attackers deployed Denonia malware specifically targeting AWS Lambda serverless environments.
Malicious functions were designed to perform cryptomining operations.
Tools Used:
Denonia malware written in Go, specifically engineered to run in AWS Lambda environments.
Impact:
Unauthorized resource usage, increased cloud billing, potential compromise of sensitive data, and evasion of traditional detection mechanisms.
TeamTNT Cloud Attacks (2021-2022):
Attack Scenario:
TeamTNT exploited misconfigured cloud credentials and IAM policies to deploy malicious serverless functions.
Functions were utilized for cryptomining, lateral movement, and establishing persistent backdoors.
Tools Used:
Open-source cryptomining software (XMRig), AWS Lambda functions, malicious scripts, and compromised credentials.
Impact:
Significant financial loss due to unauthorized resource consumption, persistent access to cloud environments, and potential data exfiltration.
Proof-of-Concept Attacks (Security Research):
Attack Scenario:
Security researchers demonstrated attacks leveraging serverless functions for covert data exfiltration, command-and-control channels, and privilege escalation.
Tools Used:
Custom-developed malicious serverless functions, cloud provider APIs, and IAM misconfigurations.
Impact:
Highlighted potential vulnerabilities and risks associated with serverless computing, prompting increased awareness and improved security practices.
These examples emphasize the importance of robust security monitoring, IAM policy enforcement, and proactive threat detection to mitigate risks associated with Serverless Execution techniques.