Serverless
Serverless [T1583.007]
Last updated
Serverless [T1583.007]
Last updated
Name: Serverless
ID: T1583.007
Tactics:
Technique:
Serverless (T1583.007) is a sub-technique within the MITRE ATT&CK framework that describes adversaries leveraging serverless computing platforms to execute malicious code. Serverless computing allows developers to run code without explicitly managing servers, typically through cloud providers such as AWS Lambda, Azure Functions, or Google Cloud Functions. Attackers exploit these environments due to their scalability, ephemeral nature, and potential for reduced visibility, making them attractive platforms for executing malicious payloads, command-and-control (C2) operations, or persistence mechanisms.
Serverless computing platforms enable execution of code snippets or functions triggered by specific events without requiring the provisioning or maintenance of underlying infrastructure. Attackers may exploit these environments in several ways:
Malicious Function Deployment:
Attackers deploy malicious code as cloud functions, which can then be triggered by various events (HTTP requests, file uploads, database changes, scheduled tasks).
Code execution occurs in isolated containers, complicating detection and attribution.
Code Injection and Function Hijacking:
Attackers may compromise existing legitimate functions by injecting malicious code or modifying configuration settings.
Attackers leverage stolen cloud credentials or misconfigured IAM (Identity and Access Management) roles to gain access to serverless environments.
Command-and-Control (C2) Infrastructure:
Serverless functions can serve as lightweight, ephemeral C2 servers due to their inherent scalability and ease of deployment.
Functions can be quickly spun up, executed, and destroyed, leaving minimal forensic evidence.
Data Exfiltration:
Attackers utilize serverless functions to exfiltrate sensitive data from compromised cloud resources, leveraging cloud-native APIs and storage services.
Functions can be configured to trigger upon specific data storage events, automatically exfiltrating data to attacker-controlled destinations.
Technical characteristics exploited by attackers include:
Ephemeral nature of containers used by serverless functions, limiting forensic evidence.
Difficulty in traditional monitoring due to the transient nature and high volume of legitimate function invocations.
Complexity in managing and auditing IAM permissions, increasing the likelihood of misconfigurations that attackers exploit.
Attackers typically employ the Serverless (T1583.007) sub-technique in various attack stages and scenarios, including:
Initial Access and Execution:
Deploying malicious functions using compromised cloud credentials to establish initial foothold or execute initial payloads.
Persistence and Command-and-Control:
Establishing persistent backdoors within cloud environments by creating serverless functions triggered periodically or by specific events.
Using serverless functions as stealthy C2 channels due to their ephemeral and scalable nature.
Privilege Escalation and Lateral Movement:
Leveraging overly permissive IAM roles assigned to serverless functions to escalate privileges within cloud environments.
Utilizing compromised functions to pivot laterally to other cloud resources or services.
Data Exfiltration:
Automatically exfiltrating sensitive data using serverless functions triggered by cloud storage events or database updates.
Defense Evasion:
Exploiting the ephemeral and transient nature of serverless functions to evade traditional security monitoring and detection mechanisms.
Detection of malicious serverless function usage requires specialized monitoring and analysis techniques, including:
Cloud Provider Logging and Monitoring:
AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs to detect suspicious function deployments, modifications, or deletions.
Monitoring API calls for unusual function creation, updates, or execution patterns.
Behavioral Analysis and Anomaly Detection:
Establishing baselines for normal serverless function usage patterns and detecting deviations, such as unusual invocation frequency, geographic origin, or resource consumption.
Identifying unexpected triggers or event sources for serverless functions.
IAM Configuration Auditing:
Regularly auditing IAM roles and permissions associated with serverless functions to detect overly permissive or anomalous privilege assignments.
Identifying suspicious IAM role assignments or policy changes.
Runtime Security Tools:
Deploying cloud-native security solutions or third-party tools specifically designed to monitor and secure serverless computing environments (e.g., Prisma Cloud, Aqua Security, Sysdig, Lacework).
Implementing runtime protection solutions that detect anomalous behavior at execution time.
Indicators of Compromise (IoCs) specific to serverless exploitation include:
Unusual serverless function creation or modification events.
Functions triggered by unexpected or unauthorized event sources.
Sudden spikes in function invocation frequencies or resource usage.
Data transfers to unknown or suspicious external endpoints.
Unexpected IAM policy changes or role escalations associated with serverless functions.
Early detection of malicious serverless function usage is crucial due to the following potential impacts and risks:
Data Loss and Exfiltration:
Attackers can rapidly exfiltrate sensitive data using automated, scalable serverless functions, leading to severe data breaches and compliance violations.
Persistence and Stealth:
Serverless functions provide attackers with a stealthy and scalable persistence mechanism that can remain undetected for extended periods, enabling prolonged compromise.
Financial Impact:
Unauthorized usage of cloud resources can significantly increase cloud service costs, leading to unexpected financial burdens.
Reputational Damage:
Undetected compromise of cloud environments and data breaches can severely damage organizational reputation and trust among customers and partners.
Difficulty in Attribution and Response:
The ephemeral nature of serverless functions complicates forensic investigations, making attribution and incident response challenging if detection is delayed.
Escalation and Lateral Movement:
Compromised serverless functions may serve as entry points for privilege escalation and lateral movement within cloud environments, amplifying the severity of a breach.
Real-world examples of Serverless (T1583.007) exploitation include:
Denonia Malware (2022):
Attack Scenario:
Attackers deployed malware specifically targeting AWS Lambda serverless environments.
Malware executed cryptomining operations within compromised Lambda functions.
Tools and Techniques:
Malware written in Go, specifically designed to execute within AWS Lambda runtime environments.
Leveraged compromised cloud credentials and IAM misconfigurations.
Impact:
Unauthorized resource usage and increased cloud costs.
Demonstrated vulnerabilities in serverless environments and highlighted potential for future attacks.
TeamTNT's Serverless Targeting (2021-2022):
Attack Scenario:
TeamTNT threat actor group targeted AWS Lambda functions to deploy cryptomining payloads and establish persistent footholds.
Tools and Techniques:
Exploited misconfigured IAM roles and cloud credentials leaked through insecure code repositories.
Utilized automated scripts and reconnaissance tools to identify vulnerable serverless environments.
Impact:
Significant financial impact due to unauthorized resource usage.
Highlighted the need for improved IAM security practices and monitoring.
Proof-of-Concept (PoC) Serverless C2 Frameworks:
Attack Scenario:
Security researchers demonstrated PoC frameworks leveraging serverless functions for stealthy command-and-control infrastructures.
Tools and Techniques:
Serverless functions deployed in AWS Lambda, Azure Functions, and Google Cloud Functions.
Leveraged HTTP triggers and cloud storage events to communicate with compromised endpoints.
Impact:
Demonstrated feasibility of stealthy, scalable C2 infrastructure utilizing cloud-native serverless services.
Highlighted potential future risks and necessity for improved detection methodologies.