Serverless Execution: Malicious code from Compromised Third Party Packages


AWS Specific Sub-Technique


Other sub-techniques of Serverless Execution (2)

ID           Name
T1648.A001   Invoking Lambda Function
T1648.A002   Malicious code from Compromised Third Party Packages

A prerequisite for this technique is that a threat actor has already gained the ability to modify deployment packages for serverless functions, either through inappropriately accessed CI/CD pipelines, poisoned dependencies, or direct access to function code.

Malicious code can enter a serverless function through compromised third-party packages or dependencies. This can occur when AWS Lambda functions include external dependencies that have been compromised, or when package managers are configured to pull from untrusted sources. Once executed, the malicious code runs with the permissions assigned to the function's execution role, potentially resulting in unauthorized activity.

Detection

When a threat actor uses this technique, the actions they take with the credentials obtained (the function's execution role credentials) are logged in CloudTrail. You can use the Event history page in the AWS CloudTrail console to view the last 90 days of management events in an AWS Region.

Additionally, GuardDuty Lambda Protection can be used to identify potential security threats when an AWS Lambda function gets invoked in your AWS environment. For more information, see the GuardDuty Lambda Protection finding types.

A separate CloudTrail trail gives you an ongoing record of events in your AWS account beyond the 90-day Event history window and can be configured to log events in multiple Regions. You can review these events in the console or with the AWS CLI.


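The Detection guidance above relies on the execution role's activity appearing in CloudTrail. As an added example that is not part of this catalog entry, the following Python check compares constructed CloudTrail records against a per-role baseline of expected API actions and flags any call made by a Lambda execution role session outside that baseline; the role ARN, the baseline contents and the sample records are assumptions.

```python
ROLE = "arn:aws:iam::123456789012:role/orders-fn-role"  # assumed execution role ARN

# Expected API calls per Lambda execution role; placeholder values standing in for a
# baseline built from each function's normal CloudTrail history.
BASELINE = {ROLE: {"dynamodb.amazonaws.com:GetItem", "dynamodb.amazonaws.com:PutItem"}}

def record(time, source, name, ip, role_arn):
    """Build a minimal CloudTrail record for an AssumedRole session (sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "sessionContext": {
                "sessionIssuer": {"arn": role_arn}}}}

# Constructed records, not from a real account: two routine calls by the function, two
# outside its baseline (the unauthorized activity described above), and one unrelated role.
SAMPLE_EVENTS = [
    record("2025-12-01T10:00:01Z", "dynamodb.amazonaws.com", "GetItem", "10.0.1.25", ROLE),
    record("2025-12-01T10:00:02Z", "dynamodb.amazonaws.com", "PutItem", "10.0.1.25", ROLE),
    record("2025-12-01T10:00:03Z", "secretsmanager.amazonaws.com", "GetSecretValue",
           "10.0.1.25", ROLE),
    record("2025-12-01T10:00:04Z", "iam.amazonaws.com", "CreateAccessKey",
           "203.0.113.7", ROLE),
    record("2025-12-01T10:00:05Z", "s3.amazonaws.com", "ListBuckets", "10.0.2.9",
           "arn:aws:iam::123456789012:role/other-role"),
]

def issuer_role(event):
    """Return the IAM role that issued an AssumedRole session, or None for other identities."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def find_deviations(events, baseline=BASELINE):
    """Flag calls made by a baselined execution role outside its expected actions."""
    findings = []
    for event in events:
        role = issuer_role(event)
        if role not in baseline:  # roles without a baseline (or non-role identities) are skipped
            continue
        action = f"{event['eventSource']}:{event['eventName']}"
        if action not in baseline[role]:
            findings.append({"time": event["eventTime"], "role": role,
                             "action": action, "source_ip": event["sourceIPAddress"]})
    return findings

if __name__ == "__main__":
    for finding in find_deviations(SAMPLE_EVENTS):
        print(finding)
```

In practice the records would come from the trail's S3 bucket or CloudTrail Lake rather than the embedded sample, and the baseline from each function's observed history.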

Mitigation

Audit dependencies by removing or upgrading any potentially compromised packages from AWS Lambda function deployment packages. Rotate all Lambda execution role credentials, AWS credentials stored in environment variables, and any secrets stored in AWS Secrets Manager or Systems Manager Parameter Store that were accessible to affected functions. For in-depth mitigation recommendations, see the AWS Security Blog on Defending against Supply Chain Attacks.

You can also use IAM Access Analyzer to regularly review and verify access and manage permissions across your AWS environment, which will highlight AWS identities with excessive permissions and the actions performed by those identities.


Technique Information

ID: T1648.A002
Aliases: T1648.A002
Sub-technique of: T1648
Tactics:
  • Execution
  • Persistence
Platforms:
  • IaaS
  • Amazon Web Services (AWS)
Created: 01 Dec 2025
Last Modified: 01 Dec 2025