Unauthorized overwrite of Lambda function code


Attack technique

Technique name: Unauthorized overwrite of Lambda Function Code

MITRE ATT&CK:

  • Tactic: Privilege Escalation, Persistence
  • Technique: Event Triggered Execution

Technique description:
Lambda, Amazon's widely adopted event-driven and serverless compute service, empowers developers to execute code efficiently without the burden of infrastructure management, resulting in scalable and cost-effective applications. However, this very convenience also renders it an appealing target for threat actors seeking to escalate their access within an AWS environment. Unauthorized access, such as through leaked access keys, may provide these actors with the means to exploit Lambda's capabilities. Assuming they possess the necessary permissions, they can manipulate the code of a Lambda function to achieve various malicious objectives, including establishing persistence, gaining command and control capabilities, and exfiltrating sensitive data from vital AWS services like S3 and RDS.

Insights from threat intelligence:
This technique has been reported a few times in the wild. The main attack vector is compromised IAM credentials that grant unauthorized access to a Lambda function, followed by modification of that function.

A few reports indicate that threat actors install malicious payloads using the UpdateFunctionCode* API, for example to run mining activity that abuses the victim's AWS resources. The activity originates from the attacker's IP address, which differs from the IP addresses seen in benign activity in the environment. According to the Cado Labs research report, Denonia malware is the first of its kind designed specifically to target the AWS Lambda environment. The malware, first seen in the wild in 2022, is written in Go and contains a customised variant of the XMRig mining software. However, AWS customers have been reporting mining activity carried out through compromised Lambda functions in their environments since 2021, resulting in a significant increase in charges on their accounts.

Threat hunting theses breakdown

Unauthorized overwrite of Lambda function code

Relevant data sources:
AWS Cloudtrail

Thesis explanation:
An IAM user with write access to a Lambda function may be compromised and used from an attacker-controlled machine to modify the function's code, in order to achieve persistence or to exfiltrate data from resources the Lambda execution role has access to.

Blind spots:
To identify unauthorized access, we focused on IP addresses and identities that do not usually interact with the organization's Lambda functions. If a threat actor operates with a role that modifies a function on a regular basis, or operates from an organizational IP address, this hunting thesis will miss the activity.

Recommended investigation flow:
To identify potential threats related to credential theft, which is the main attack vector leading to unauthorized Lambda code modification, the following investigation approach is recommended:

  • Enrich the originating IP with valuable investigation context. Analyze the IP addresses recorded in the CloudTrail's SOURCE_IP_ADDRESS field and enrich this data with geolocation information. This will enable detecting any anomalous activity originating from unexpected locations.
  • Focus on IAM users with long-term credentials and no MFA enabled. Prioritize investigations on IAM users who possess long-term credentials without Multi-Factor Authentication enabled. These accounts have a higher likelihood of being compromised through leaked credentials.

Once these characteristics are identified, look out for the following suspicious scenarios:

  • Any instance where an identity operates from a country they have not accessed AWS from before.
  • Any instance where an identity operates from a new Autonomous System Number (ASN).
  • Any instance where an identity modifies a Lambda function for the first time.
  • Any instance where an identity uses a new user agent seen for the first time.
  • Access denied error codes that may indicate unauthorized activity.
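The investigation flow above can be turned into a small hunting script. The following is an added example, not code from the original page or from the linked gist: it profiles each identity from a baseline of CloudTrail records (countries, ASNs and user agents from all API calls; modified function names from Lambda code updates) and then flags the five scenarios listed above on new UpdateFunctionCode* events. The IP enrichment table, the CloudTrail records and the identity ARNs are constructed sample data; the field names (eventName, userIdentity.arn, sourceIPAddress, userAgent, errorCode, requestParameters.functionName) are CloudTrail's raw JSON names rather than the normalized SOURCE_IP_ADDRESS naming used in the text.

```python
import json
from collections import defaultdict

# Constructed IP enrichment table, standing in for a GeoIP/ASN lookup service.
IP_ENRICHMENT = {
    "203.0.113.10": {"country": "US", "asn": 64496},   # usual corporate egress (constructed)
    "203.0.113.11": {"country": "US", "asn": 64496},   # second corporate egress (constructed)
    "198.51.100.77": {"country": "NL", "asn": 64511},  # never seen before (constructed)
}

# Constructed CloudTrail records, trimmed to the fields the hunt uses.
# "UpdateFunctionCode20150331v2" is the eventName CloudTrail records for the
# UpdateFunctionCode API call (the "UpdateFunctionCode*" pattern from the text).
BASELINE_EVENTS = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2024-03-02T10:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.11", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2024-03-03T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst-jane"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com"},
]

HUNT_EVENTS = [
    # Routine deploy: same country, ASN, user agent and function as the baseline.
    {"eventTime": "2024-03-10T09:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "requestParameters": {"functionName": "orders-api"}},
    # Same user, but from an unfamiliar country/ASN with a new SDK user agent.
    {"eventTime": "2024-03-10T23:14:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "198.51.100.77", "userAgent": "Boto3/1.34.0 Python/3.11",
     "requestParameters": {"functionName": "orders-api"}},
    # An identity that has never modified any Lambda function before.
    {"eventTime": "2024-03-11T02:00:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst-jane"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"functionName": "billing-export"}},
    # The same identity is then denied on a different function.
    {"eventTime": "2024-03-11T02:05:00Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst-jane"},
     "sourceIPAddress": "203.0.113.10", "userAgent": "console.amazonaws.com",
     "requestParameters": {"functionName": "orders-api"}},
]


def enrich_ip(ip):
    """Country/ASN for an IP; unknown IPs yield None so they still stand out as new."""
    return IP_ENRICHMENT.get(ip, {"country": None, "asn": None})


def is_lambda_code_update(event):
    return (event.get("eventSource") == "lambda.amazonaws.com"
            and event.get("eventName", "").startswith("UpdateFunctionCode"))


def identity_of(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def new_profile():
    return {"countries": set(), "asns": set(), "user_agents": set(), "functions": set()}


def observe(profile, event):
    """Fold one event into an identity's profile. Every API call contributes to the
    IP/user-agent history; only successful Lambda code updates contribute functions."""
    geo = enrich_ip(event.get("sourceIPAddress"))
    profile["countries"].add(geo["country"])
    profile["asns"].add(geo["asn"])
    profile["user_agents"].add(event.get("userAgent"))
    if is_lambda_code_update(event) and not event.get("errorCode"):
        profile["functions"].add(event["requestParameters"]["functionName"])


def build_profiles(events):
    profiles = defaultdict(new_profile)
    for ev in events:
        observe(profiles[identity_of(ev)], ev)
    return profiles


def evaluate(event, profile):
    """Return the hunting signals raised by one Lambda code-update event."""
    signals = []
    if "accessdenied" in (event.get("errorCode") or "").lower():
        signals.append("access_denied")
    if not any(profile[k] for k in ("countries", "asns", "user_agents")):
        return signals + ["identity_never_seen"]  # no baseline at all; nothing to compare
    geo = enrich_ip(event.get("sourceIPAddress"))
    if geo["country"] not in profile["countries"]:
        signals.append(f"new_country:{geo['country']}")
    if geo["asn"] not in profile["asns"]:
        signals.append(f"new_asn:{geo['asn']}")
    if event.get("userAgent") not in profile["user_agents"]:
        signals.append("new_user_agent")
    fn = event.get("requestParameters", {}).get("functionName")
    if not profile["functions"]:
        signals.append("first_lambda_modification")
    elif fn not in profile["functions"]:
        signals.append(f"new_function:{fn}")
    return signals


def hunt(baseline_events, events):
    """Evaluate Lambda code updates against the baseline, folding each event into the
    profiles as it goes so a given anomaly is reported only the first time it appears."""
    profiles = build_profiles(baseline_events)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ident = identity_of(ev)
        if is_lambda_code_update(ev):
            sigs = evaluate(ev, profiles[ident])
            if sigs:
                findings.append({"time": ev["eventTime"], "identity": ident,
                                 "function": ev.get("requestParameters", {}).get("functionName"),
                                 "source_ip": ev.get("sourceIPAddress"), "signals": sigs})
        observe(profiles[ident], ev)
    return findings


if __name__ == "__main__":
    print(json.dumps(hunt(BASELINE_EVENTS, HUNT_EVENTS), indent=2))
```

Run against the constructed data, the routine deploy produces no finding, the off-hours update from 198.51.100.77 raises new-country, new-ASN and new-user-agent signals at once, and analyst-jane's first-ever code update is flagged even though it came from a familiar IP and browser, which is the "modifies a Lambda function for the first time" scenario. In a real hunt the baseline window should be long enough (several weeks of CloudTrail) that legitimate deploy identities have seen all of their normal egress IPs, or every routine release will look like a new ASN.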

Hunting queries

https://gist.github.com/axon-git/940536de1d0aabca1d0997b33a80dfa5