Security researchers demonstrate that serverless apps can be converted into virtual crypto-mining farms by hackers
Tel Aviv, June 5, 2018 – PureSec, serverless security pioneers and maker of the world’s leading Serverless Security Runtime Environment (SSRE), today released a report which details how hackers can now turn a single vulnerable serverless function into a virtual crypto-mining farm by taking advantage of the scalable nature of serverless architectures.
By exploiting the auto-scaling capabilities of serverless*, a single attack could hijack serverless resources in order to run hundreds to thousands of instances of popular tools that mine cryptocurrencies such as Bitcoin, Ethereum and Monero.
Researchers from leading serverless security company PureSec were able to force serverless functions, which were vulnerable to remote code execution, to download an off-the-shelf crypto-miner during function execution. The miner performed its crypto-mining computations in parallel to the application’s normal execution tasks, making the hijack invisible to the end user. The targeted company might only discover the issue when they get a monthly serverless bill of tens or even hundreds of thousands of dollars.
Significantly, during a simulated attack, the PureSec team also caused the serverless platforms to scale, running the same function repeatedly until they reached the platform’s limit for concurrent executions. The PureSec team effectively turned a single vulnerable function into a virtual crypto-mining farm.
The details were revealed in a report published by PureSec today. The report highlights that serverless applications are ideal territory for crypto-mining attacks and are often poorly protected.
The researchers tested the attack successfully on three leading public-cloud serverless platforms. PureSec stressed that this is not a flaw in the platforms, but a result of the auto-scaling nature of serverless architectures and vulnerable application code.
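The attack described above leaves a signature in the platform's own billing telemetry: once a miner runs alongside the function's real work, each invocation's billed duration and memory footprint climb far above the function's normal profile, and auto-scaling multiplies that across every concurrent instance. The following example, added here and not part of the PureSec report or any PureSec product, shows one way a defender can catch that shift before the monthly bill does. It parses per-invocation REPORT lines (the field layout is modelled on the AWS Lambda REPORT log line, an assumption since the release names no platform), compares a known-good baseline against recent invocations, flags the outliers, and projects the monthly cost. All log lines, volumes and the per-GB-second price are constructed, illustrative values.

```python
"""Flag a hijacked serverless function from its invocation REPORT lines.

Added example (not PureSec's code). Detection idea: a crypto-miner running
in parallel with the function's normal work pushes billed duration and
memory use far above the known-good baseline; scaling then repeats that
cost for every concurrent instance.
"""
import re
import statistics
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Regex modelled on the AWS Lambda "REPORT" log line (an assumption about the
# platform; the release names none). Fields are tab-separated in that format.
REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<rid>\S+)\s+"
    r"Duration: (?P<duration>[\d.]+) ms\s+"
    r"Billed Duration: (?P<billed>\d+) ms\s+"
    r"Memory Size: (?P<mem_size>\d+) MB\s+"
    r"Max Memory Used: (?P<mem_used>\d+) MB"
)

# Constructed, illustrative values (not real pricing or a real workload).
PRICE_PER_GB_SECOND = 0.00002
INVOCATIONS_PER_MONTH = 1_000_000


@dataclass(frozen=True)
class Invocation:
    request_id: str
    duration_ms: float
    billed_ms: int
    memory_size_mb: int
    memory_used_mb: int

    def gb_seconds(self) -> float:
        """Billable compute for this invocation: seconds x GB configured."""
        return (self.billed_ms / 1000.0) * (self.memory_size_mb / 1024.0)


def parse_report(line: str) -> Optional[Invocation]:
    """Return an Invocation for a REPORT line, or None for any other line."""
    m = REPORT_RE.search(line)
    if not m:
        return None
    return Invocation(
        request_id=m["rid"],
        duration_ms=float(m["duration"]),
        billed_ms=int(m["billed"]),
        memory_size_mb=int(m["mem_size"]),
        memory_used_mb=int(m["mem_used"]),
    )


def parse_reports(lines: Iterable[str]) -> List[Invocation]:
    """Keep only REPORT lines; START/END and application output are skipped."""
    return [inv for inv in (parse_report(l) for l in lines) if inv is not None]


def baseline(invocations: List[Invocation]) -> Tuple[float, float]:
    """Median billed duration (ms) and median memory used (MB) of a known-good window."""
    return (
        statistics.median(i.billed_ms for i in invocations),
        statistics.median(i.memory_used_mb for i in invocations),
    )


def flag_hijacked(invocations: List[Invocation], base: Tuple[float, float],
                  duration_factor: float = 5.0, memory_factor: float = 2.0) -> List[Invocation]:
    """Invocations whose cost profile jumped well past the baseline on both axes.

    Requiring both a duration and a memory jump avoids paging on a slow
    downstream dependency alone, which stretches duration but not memory.
    """
    base_billed, base_mem = base
    return [
        i for i in invocations
        if i.billed_ms >= duration_factor * base_billed
        and i.memory_used_mb >= memory_factor * base_mem
    ]


def projected_monthly_cost(invocations: List[Invocation],
                           invocations_per_month: int = INVOCATIONS_PER_MONTH,
                           price_per_gb_second: float = PRICE_PER_GB_SECOND) -> float:
    """Extrapolate: mean GB-seconds per invocation x monthly volume x price."""
    mean_gbs = statistics.mean(i.gb_seconds() for i in invocations)
    return mean_gbs * invocations_per_month * price_per_gb_second


def _report(rid: str, duration: str, billed: int, used: int, size: int = 1024) -> str:
    # Builds a constructed REPORT line for the samples below.
    return (f"REPORT RequestId: {rid}\tDuration: {duration} ms\tBilled Duration: {billed} ms"
            f"\tMemory Size: {size} MB\tMax Memory Used: {used} MB")


# Constructed sample logs: a quiet week, then a window after the hijack.
SAMPLE_BASELINE = [
    "START RequestId: b-1 Version: $LATEST",          # non-REPORT line, skipped
    _report("b-1", "95.12", 100, 38),
    _report("b-2", "88.40", 100, 40),
    _report("b-3", "151.03", 200, 41),
    _report("b-4", "97.77", 100, 40),
]
SAMPLE_OBSERVED = [
    _report("o-1", "90.10", 100, 40),                 # still normal
    _report("o-2", "93.55", 100, 40),                 # still normal
    _report("o-3", "299987.10", 300000, 900),         # runs to the timeout, memory saturated
    _report("o-4", "299991.43", 300000, 900),
    _report("o-5", "299989.02", 300000, 900),
]

if __name__ == "__main__":
    base = baseline(parse_reports(SAMPLE_BASELINE))
    observed = parse_reports(SAMPLE_OBSERVED)
    for inv in flag_hijacked(observed, base):
        print(f"suspect {inv.request_id}: billed {inv.billed_ms} ms, used {inv.memory_used_mb} MB")
    print(f"projected monthly cost: baseline ${projected_monthly_cost(parse_reports(SAMPLE_BASELINE)):.2f}"
          f" vs observed ${projected_monthly_cost(observed):.2f}")
```

In practice the same comparison runs against the platform's metrics rather than parsed log text; the point is that a function's billed duration, memory and concurrency are the fastest signal that its compute is being spent on something other than the application. Capping a function's reserved concurrency and alerting on a projected cost well below the expected bill bound the damage from exactly the scaling behaviour the report describes.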
“Serverless applications are a crypto-jacker’s dream,” said Ory Segal, PureSec co-founder and CTO. “They scale automatically, and a hacker can easily turn a single vulnerable function into a virtual crypto-mining farm almost instantly. The same strengths and benefits that make serverless ideal for many software companies also attract malicious actors. Like any new technology, serverless brings new security challenges.”
“Because serverless architectures are so new, companies are still struggling to learn how to protect their applications from attacks,” said Shaked Zin, PureSec co-founder and CEO. “Traditional application security solutions have become irrelevant since the infrastructure is gone. We developed our Serverless Security Runtime Environment to defend against application-layer vulnerabilities like remote code execution which our research team used in this simulated attack. Crypto-mining attacks aren’t going away, so serverless users need to be prepared.”
You can download the complete report here.
*What is serverless?
Serverless is a new form of cloud computing. Instead of having to manage servers to run code, serverless lets developers upload function code directly to the cloud. Whenever the function is triggered by an event, like opening a web page or uploading a file, the cloud starts executing the function. If the function is triggered a hundred times, the cloud provider will run a hundred instances of it concurrently. This scalability means that a company pays only for the computing time and resources it needs, when it needs them, without the costs or overheads of servers and without the need to manage any infrastructure.
As the global leader in serverless architecture security, PureSec enables its customers to build and maintain secure and reliable serverless applications. The company’s end-to-end serverless security solution is the industry’s first and most comprehensive Serverless Security Runtime Environment (SSRE).
To learn how PureSec solutions and its team of serverless security experts are helping businesses secure their serverless applications, please visit http://www.puresec.io and follow @PureSecTeam on Twitter.