Today we are releasing a report which details how hackers can turn a single vulnerable serverless function into a virtual crypto-mining farm by taking advantage of the scalable nature of serverless architectures.
By exploiting the auto-scaling capabilities of serverless, a single attack could hijack serverless resources in order to run hundreds to thousands of instances of popular tools that mine cryptocurrencies such as Bitcoin, Ethereum and Monero.
In research we conducted, we were able to force serverless functions that were vulnerable to remote code execution to download an off-the-shelf crypto-miner during function execution. The miner performed its crypto-mining computations in parallel with the application's normal execution tasks, making the hijack invisible to the end user. The targeted company might only discover the issue when it receives a monthly serverless bill of tens or even hundreds of thousands of dollars.
Significantly, during a simulated attack, we also caused the serverless platforms to scale, running the same function repeatedly until they reached the platform's limit for concurrent executions. We effectively turned a single vulnerable function into a virtual crypto-mining farm.
We tested the attack successfully on three leading public-cloud serverless platforms. It is important to stress that this is not a flaw in the platforms, but a result of the auto-scaling nature of serverless architectures and vulnerable application code.
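Because the platforms themselves are not at fault, detection has to come from the function's owner. The pattern described above leaves two measurable traces: invocations that run far longer than the function's normal work, and concurrency that climbs toward the account limit. The following is an added example, not code from the report or its authors; it runs a simple detector over constructed invocation records (a quiet baseline followed by a burst of long-running executions). The `Invocation` type, the `checkout` function name, the account limit of 250 and the thresholds are all assumptions chosen for illustration.

```python
# Added example (not code from the report or its authors): a small detector for the
# runaway-scaling pattern described above, run over constructed invocation records.
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Invocation:
    function: str
    start: float        # seconds since epoch (constructed values)
    duration_ms: int


# Constructed baseline: one invocation every 5 s, each finishing in 120-180 ms.
SAMPLE_BASELINE = [
    Invocation("checkout", 1000 + i * 5, 120 + (i % 7) * 10) for i in range(40)
]
# Constructed incident window: 200 invocations fired within 3 s, each running ~290 s,
# i.e. the function is kept busy far beyond its normal work.
SAMPLE_RECENT = [
    Invocation("checkout", 1300 + (i % 3), 290_000) for i in range(200)
]


def baseline_duration_ms(invocations):
    """Median execution time, used as the 'normal' duration for the function."""
    return median(inv.duration_ms for inv in invocations)


def peak_concurrency(invocations):
    """Sweep-line count of the largest number of executions running at the same time."""
    events = []
    for inv in invocations:
        events.append((inv.start, 1))                                  # execution begins
        events.append((inv.start + inv.duration_ms / 1000.0, -1))      # execution ends
    events.sort()  # at equal timestamps -1 sorts before +1, so back-to-back runs do not overlap
    running = peak = 0
    for _, delta in events:
        running += delta
        peak = max(peak, running)
    return peak


def assess(baseline, recent, account_limit, duration_factor=10, limit_fraction=0.8):
    """Compare a recent window with the baseline and report why it looks abnormal.

    duration_factor: how many times longer than normal the median run must be.
    limit_fraction:  fraction of the platform concurrency limit that counts as 'near the cap'.
    """
    normal = baseline_duration_ms(baseline)
    observed = baseline_duration_ms(recent)
    peak = peak_concurrency(recent)
    ratio = observed / normal if normal else float("inf")
    reasons = []
    if ratio >= duration_factor:
        reasons.append(f"median duration {observed:.0f} ms is {ratio:.0f}x the baseline {normal:.0f} ms")
    if peak >= limit_fraction * account_limit:
        reasons.append(f"peak concurrency {peak} is at {peak / account_limit:.0%} of the limit {account_limit}")
    return {
        "duration_ratio": ratio,
        "peak_concurrency": peak,
        "flagged": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_BASELINE, SAMPLE_RECENT, account_limit=250)
    print("flagged:", result["flagged"])
    for reason in result["reasons"]:
        print(" -", reason)
```

In practice the baseline comes from the platform's own invocation metrics (duration and concurrent executions) over a normal week, and the check runs on a short rolling window. The same two signals are also the basis for the cheapest mitigations: a per-function concurrency cap (on AWS, for example, `aws lambda put-function-concurrency --function-name NAME --reserved-concurrent-executions N`) bounds how far a hijacked function can scale, and a billing alarm well below the monthly budget catches the cost before the invoice does.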
All the details are revealed in our report, "Serverless: the Next Frontier for Covert Crypto-Miners", which is now published. The report highlights that serverless applications are ideal territory for crypto-mining attacks and are often poorly protected. To read the full report, click here.