Full Report
Understand the mechanics of serverless authentication: three simulated attacks across major CSPs offer effective approaches for application developers. The post Serverless Tokens in the Cloud: Exploitation and Detections appeared first on Unit 42.
Analysis Summary
# Tool/Technique: Misconfigured Serverless Function Exploitation (Cloud Function Abuse)
## Overview
This technique focuses on attackers exploiting vulnerabilities arising from insecure code deployment and misconfigurations within serverless computing environments (e.g., AWS Lambda, Azure Functions, Google Cloud Run/Functions). The primary goal is to gain access to and exfiltrate temporary, scoped authentication tokens associated with the function's cloud identity (IAM roles, service account tokens), leading to compromise of cloud resources.
## Technical Details
- Type: Technique (Targeting a specific vulnerability/misconfiguration class)
- Platform: Cloud Platforms supporting serverless functions (AWS, Azure, GCP)
- Capabilities: Credential exfiltration, privilege escalation, execution of arbitrary actions within the cloud environment using compromised identity, malicious persistence, data exfiltration.
- First Seen: N/A (This is a broad class of configuration/deployment vulnerabilities)
## MITRE ATT&CK Mapping
This activity primarily maps to capabilities involved after initial access or execution within the serverless runtime context:
- **TA0006 - Credential Access**
  - T1552 - Unsecured Credentials
    - T1552.006 - Cloud Instance Metadata Service API (Relevant when tokens are stored insecurely)
- **TA0004 - Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation (If exploiting code vulnerabilities)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Exfiltrating stolen tokens or data accessed using stolen tokens)
## Functionality
### Core Capabilities
- Exploiting deployment flaws that expose environment variables or metadata services where authentication tokens reside.
- Leveraging coding errors within the serverless function logic to gain unauthorized execution paths.
- Obtaining temporary, short-lived access tokens tied to the function's execution role.
- Using the obtained token to interact with other cloud services (e.g., S3 buckets, databases).
### Advanced Features
- Abuse of the compromised function identity for privilege escalation, potentially bypassing standard host-based security controls because the attack occurs entirely within the cloud control plane context.
- Establishing persistence by creating new functions or modifying execution roles/configurations using the abused credentials.
## Indicators of Compromise
(Note: As this is a technique summary rather than a specific piece of malware, IOCs are generally related to the post-exploitation activities or the exploit trigger, which vary widely.)
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Outbound connections from the serverless execution environment to cloud API endpoints (e.g., AWS STS, Azure Managed Identity endpoint, GCP IAM API) using the compromised credentials at unusual rates or for unusual operations. Defanged example: `api.aws.amazon.com`, `management.azure.com`.
- Behavioral Indicators: Function executing actions outside its normal defined scope (e.g., a file-processing Lambda attempting to modify IAM policies).
## Associated Threat Actors
Threat actors targeting cloud environments, including sophisticated groups focused on supply chain compromise, opportunistic attackers scanning for common misconfigurations, and ransomware affiliates seeking cloud lateral movement.
## Detection Methods
- Signature-based detection: Unlikely to be effective, because the activity uses legitimate platform functionality rather than a distinctive payload.
- Behavioral detection: Monitoring cloud activity logs (CloudTrail, Azure Activity Log, GCP Audit Logs) for anomalous API calls made by service accounts/roles associated with serverless functions.
- YARA rules: N/A
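The behavioral detection described above, as an added illustration that is not part of the original report: constructed CloudTrail-style records for a file-processing Lambda role are checked against an assumed per-role allowlist of expected services and actions, so an IAM change attempted by that role is surfaced even when the call was denied. The account id, role name and allowlist are placeholders.

```python
# Constructed expected-behaviour profile for one function role (assumption; in
# practice this comes from the role's IAM policy plus an observed baseline).
ROLE_PROFILES = {
    "arn:aws:sts::123456789012:assumed-role/file-processor-role": {
        "s3.amazonaws.com": {"GetObject", "PutObject"},
        "logs.amazonaws.com": {"CreateLogStream", "PutLogEvents"},
    },
}

SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/file-processor-role/file-processor"

# Constructed CloudTrail-style records (placeholder account id and timestamps).
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": SESSION_ARN}},
    {"eventTime": "2024-01-01T10:00:02Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutLogEvents", "userIdentity": {"arn": SESSION_ARN}},
    # A file-processing role touching IAM is the out-of-scope behaviour the
    # summary describes; it must be flagged even though the call was denied.
    {"eventTime": "2024-01-01T10:00:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy", "errorCode": "AccessDenied",
     "userIdentity": {"arn": SESSION_ARN}},
]


def role_arn(event):
    """Reduce an assumed-role session ARN (.../role-name/session-name) to the role ARN.

    IAM role names and session names cannot contain '/', so dropping the last
    path segment is sufficient.
    """
    arn = event.get("userIdentity", {}).get("arn", "")
    return arn.rsplit("/", 1)[0] if ":assumed-role/" in arn else arn


def find_out_of_scope_calls(events, profiles=ROLE_PROFILES):
    """Return (time, role, eventSource, eventName, outcome) for every call a
    monitored function role made outside its expected profile."""
    findings = []
    for ev in events:
        role = role_arn(ev)
        profile = profiles.get(role)
        if profile is None:
            continue  # not a function role we baseline; other roles need their own profile
        allowed = profile.get(ev.get("eventSource"), set())
        if ev.get("eventName") not in allowed:
            findings.append((ev["eventTime"], role, ev["eventSource"],
                             ev["eventName"], ev.get("errorCode", "Success")))
    return findings


if __name__ == "__main__":
    for finding in find_out_of_scope_calls(SAMPLE_EVENTS):
        print("OUT-OF-SCOPE:", *finding)
```

Denied attempts are kept on purpose: an `AccessDenied` on an IAM action from a function role is a stronger signal than a successful call within scope, since it shows the identity being driven outside the code path the function was deployed for.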
## Mitigation Strategies
- **Secure Development:** Implement stringent code reviews and security testing for serverless functions, adhering to the principle of least privilege in function code logic.
- **Principle of Least Privilege:** Ensure IAM roles or service accounts granted to functions have the absolute minimum permissions necessary for execution (strict boundary enforcement).
- **Configuration Hardening:** Ensure functions are deployed without unnecessarily exposing sensitive environment variables or metadata paths.
- **Token Security:** If tokens must be accessed manually by developers, ensure they are retrieved securely and never hardcoded. Utilize managed identity services where possible to avoid explicit credential handling.
- **Monitoring:** Implement comprehensive logging and alerting on abnormal cross-service calls originating from serverless execution contexts.
## Related Tools/Techniques
- **Cloud Metadata Service Abuse:** Directly related to exploiting how platforms expose environment tokens (often covered by T1552.006).
- **Serverless Framework Exploitation:** Abuse of deployment tooling such as the Serverless Framework when its deployment configuration files are insecurely managed.
- **Cloud Hopper/Cloud Snooper:** General terms for actors specializing in cloud credential harvesting.