Serverless Infections: Malware Just Found a New Home presented at BSidesLasVegas 2018

by Maty Siman,

Summary : We are seeing more and more organizations leverage the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.The Checkmarx Research Team took on the challenge of implementing the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as the first test subject, we were able to build a PoC which showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome? The findings will be presented in our session along with best practices and tips to ensuring security prevails in a serverless environment.