At a glance.
- Denonia malware hits AWS Lambda.
- Tax season identity theft.
- Reaction to the Cash App breach.
- Update on the Mailchimp incident.
New malware targets AWS Lambda.
The researchers at Cado Security announced yesterday they’ve discovered a new malware, dubbed Denonia, developed to specifically target Amazon Web Services (AWS) Lambda environments. Denonia appears to be the first malware specifically targeting Lambda, which is described by AWS as a “serverless, event-driven compute service that lets you run code for virtually any type of application or backend service without provisioning or managing servers.” SecurityWeek notes that while AWS is responsible for securing the underlying Lambda execution environment, customers must take extra action to secure the service’s functions, and failure to do so makes Lambda vulnerable to attack.
Denonia is currently being used for cryptocurrency mining, specifically of Monero (XMR), using a custom version of the popular XMRig mining software, but researchers are uncertain about how exactly the malware is being deployed. Cado explained, “It may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we’ve seen before with more simple Python scripts.” Computer Weekly adds that Denonia is coded in the Go programming language, which is increasingly popular with malware developers because it is difficult for whitehats to analyze. Though Denonia is not yet widely distributed and has only limited capabilities, its discovery indicates that threat actors have set their sights on cloud infrastructure.
Avi Shua, co-founder and CEO of Orca Security, sees a security issue for serverless environments:
“The discovery of the first known Denonia malware targeting AWS Lambda shows an emerging issue for organizations to protect their serverless systems and rapidly growing cloud estates. However, the core problem is not new. It emphasizes how traditional security approaches, using agents, weren’t designed for the cloud where workloads can run without any compute instances and don’t have the full visibility to identify issues like malware.
“An Orca Security research study on AWS Lambda and the secrets it uses also found that almost 30% of Lambda functions contain secrets in their environment variables. These secrets can be keys, authorization tokens, passwords and everything that should be kept private. If stolen through malware, these secrets can also be used to access other connected areas like S3 buckets to reach PII and other crown jewel data.”
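The two findings above (a Lambda-targeting miner suspected of riding on compromised access keys, and roughly 30% of functions carrying secrets in environment variables) suggest one concrete defensive check: inventory function configurations and flag variables that should live in a secrets store instead. The script below is an added example, not Cado's or Orca's code; the function records are constructed in the shape of a boto3 `list_functions` response (`Environment.Variables`) and the detection heuristics (key-name patterns, access-key-ID format, entropy threshold) are assumptions a team would tune.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample records shaped like entries in a boto3 `list_functions`
# response. None of these functions or credential values are real.
SAMPLE_FUNCTIONS = [
    {"FunctionName": "invoice-export",
     "Environment": {"Variables": {"DB_PASSWORD": "Tr0ub4dor&3-constructed",
                                   "LOG_LEVEL": "INFO"}}},
    {"FunctionName": "image-resize",
     "Environment": {"Variables": {
         "BUCKET": "resized-images",
         "AWS_ACCESS_KEY_ID": "AKIAEXAMPLEEXAMPLE00",
         "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}}},
    {"FunctionName": "healthcheck",
     "Environment": {"Variables": {"REGION": "us-east-1"}}},
]

# Assumed heuristics: variable names that usually hold credentials, and the
# published shape of an AWS access key ID (AKIA/ASIA + 16 uppercase alphanumerics).
SECRET_KEY_RE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
AWS_KEY_ID_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; long random-looking strings (tokens, keys) score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def classify_variable(name: str, value: str) -> str:
    """Return a finding label, or '' when the variable looks benign."""
    if AWS_KEY_ID_RE.match(value):
        return "aws-access-key-id"
    if SECRET_KEY_RE.search(name):
        return "secret-named"
    if len(value) >= 32 and shannon_entropy(value) > 4.5:
        return "high-entropy-value"
    return ""


def scan_functions(functions: List[Dict]) -> List[Tuple[str, str, str]]:
    """(function, variable, label) for each env var that belongs in a secrets store."""
    findings = []
    for fn in functions:
        for name, value in fn.get("Environment", {}).get("Variables", {}).items():
            label = classify_variable(name, value)
            if label:
                findings.append((fn["FunctionName"], name, label))
    return findings


def percent_exposed(functions: List[Dict]) -> float:
    """Share of functions with at least one flagged variable (the metric Orca reported)."""
    flagged = {f for f, _, _ in scan_functions(functions)}
    return 100.0 * len(flagged) / len(functions) if functions else 0.0
```

In a live account the same functions can be fed the `Functions` list returned by `boto3.client("lambda").list_functions()`; flagged variables are candidates for migration to AWS Secrets Manager or SSM Parameter Store, with the function reading them at runtime through its execution role.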
No taxation without identity theft operations.
US tax season is upon us, and with it comes the usual wave of scammers focused on nabbing the sensitive data contained in tax documents in order to conduct identity fraud.
The researchers at Abnormal Security have discovered a phishing operation in which threat actors sent over one hundred thirty emails posing as potential clients looking to employ the services of Certified Public Accountants. After establishing initial contact, the attackers sent a follow-up email containing what appeared to be an innocent PDF file of tax documents, but was actually a mega[.]nz file share link to Sorillus, a remote access tool (RAT) that offers obfuscation and encryption capabilities and collects the target’s hardware ID, username, language, webcam, OS, and other system info.
Cyren threat researchers have detected two spikes in phishing URLs related to the IRS, resulting in a total of 13,295 active tax scam URLs in March. This is a common tactic in which cybercriminals create malicious links using shortened URLs of familiar legitimate platforms like LinkedIn. In this case, the malicious sites’ web server was hosted on Microsoft’s cloud, a clever choice, as most businesses and Internet Service Providers will not block traffic to the cloud hosting providers Microsoft, Google, or Amazon. In one case, the URLs were being used in phishing operations targeting businesses, with the email bodies personalized to the company in question and referencing IRS Form K-1, and the URL was embedded in an email attachment in order to better avoid detection. Another operation was more similar to the infamous Nigerian Prince and Iraqi Lottery scams, and the links led potential victims to various credential harvesting webforms made to look like legitimate IRS sites.
The US Internal Revenue Service has published an info page warning of the scams that tend to crop up at tax time and offering a convenient primer on the various methods threat actors might use. In addition to operations like the ones above targeting taxpayers and tax professionals, identity thieves have also been known to hit human resources or payroll officers, or pose as representatives of the Taxpayer Advocacy Panel, a volunteer board that advises the IRS on systemic issues impacting taxpayers. The warning emphasizes the fact that the IRS would never request sensitive taxpayer info via email, text, or social media channels, and urges victims to report any scams they encounter.
Industry reaction to the Cash App breach.
Lamar Bailey, senior director of security research at Tripwire, wrote that, despite all the attention one might think it's received, insider threats still aren't being addressed seriously: “Insider threats are a risk that does not get enough attention. Disgruntled or negligent employees can have a big impact on security. Organizations must limit access to what is specifically necessary for the role, put in audits for access, and tools to limit data leakage. If the data is important to you, it is important to an attacker too.”
Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, urges a focus on prevention of data theft:
“The data breach incident that Block disclosed about a former employee who downloaded highly sensitive customer information accentuates the threat posed by the “inside job.” We often focus on threat actors working on the outside of our perimeters trying to get into the enterprise environment and thereby compromise data, but people on the inside have a leg up because usually they have some access to the internal network environment and IT resources.
“What we learn from such incidents is that our focus should be on protecting the data itself. Consider more data-centric methods of protection such as tokenization or format-preserving encryption, which obfuscate sensitive (and valuable) information no matter who has access to it. Businesses should also adopt security stances like Zero Trust, which denies implicit trust to users, devices, and other entities regardless of their location within the network. Don’t trust and always verify!”
Further comment on the Mailchimp breach.
According to Ric Longenecker, CISO at Open Systems, the incident at Mailchimp shows the complexity and scope of the social engineering threat:
"This latest hack into Mailchimp serves as yet another reminder of social engineering's outsize role in cyberattacks and data breaches.
"From early indications, human error and manipulation by outside actors was all it took for bad actors to gain access to Mailchimp's systems by compromising employee accounts. While companies should stress the importance of two-factor authentication to users, there must also be organizational vigilance and processes to harden defenses against phishing attacks.
"For instance, organizations should advise users to adopt a best practice of contacting their suppliers directly when they receive an account reset notification, rather than using links embedded in an email.
"Organizations must also monitor their complete risk landscape and deploy solutions that offer high fidelity threat detection through a combination of human monitoring and ML-based detection."