Serverless computing presents new security challenges for cloud providers. Attackers may take advantage of weak serverless security configurations and compromised credentials for cryptomining or unauthorized access.
They are adapting their tactics to leverage serverless functions for malware distribution, making it harder for network defenders to detect.
Cloud security professionals need to prioritize strong authentication, proper serverless security configurations, and continuous monitoring for suspicious activity to mitigate these threats.
Google Cloud’s security report analyzed initial access vectors for cloud environment breaches and found that misconfigurations were the second most common cause, after weak or missing credentials.
Misconfigured service account keys with excessive permissions were a common example. Serverless architectures can mitigate this risk by reducing manual configuration overhead. Cryptomining remained the primary motive behind cloud intrusions in the first half of 2024.
Mandiant’s incident response and proactive engagements identified several security risks in serverless architectures, including hardcoded secrets and insecure development practices that can expose sensitive data.
Attackers can also exploit serverless functions for malicious purposes, and misconfigured backend services further weaken the security posture. To ensure a secure serverless environment, organizations should build robust security measures in from the beginning.
Storing secrets like API keys and database credentials directly in serverless function code or environment variables is risky. Exposed code or compromised environments can leak these secrets.
Even if the leak is fixed, version control history can still expose the secret. Hardcoded secrets also make it difficult to rotate credentials regularly, which is crucial to limit damage from a compromise.
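The two points above (secrets in source leak through the repository, and hardcoded secrets cannot be rotated) are easier to act on with a concrete pattern. The following is an added example, not code from the report or from Google Cloud: a small pre-deploy scanner that flags string literals assigned to secret-looking names, and a handler that fetches its credential at runtime through a short-lived cache so a rotated secret is picked up without a redeploy. The `FakeSecretManager` class, the sample source text, and all credential values are constructed placeholders; a real function would call its cloud provider's secret store client instead.

```python
import re
import time
from typing import Callable, Dict, List, Tuple

# Constructed sample of the risky pattern, used only as scanner input.
VULNERABLE_SOURCE = """\
import os
API_KEY = "sk_live_CONSTRUCTED_EXAMPLE_000"   # hardcoded: leaks with the repo
DB_PASSWORD = 'pg-constructed-pass-123'       # hardcoded: cannot be rotated
region = "us-central1"                        # not a secret, must not be flagged
"""

# Names that, when assigned a string literal, almost always mean a hardcoded secret.
_SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|password|passwd|token|private[_-]?key)")
# `NAME = "literal"` or `NAME: "literal"` (covers Python, YAML and .env-style lines).
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["\']([^"\']{8,})["\']')


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, variable name) for every long string literal
    assigned to a secret-looking name. Run this before deploy; any hit blocks the push."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _ASSIGN.match(line)
        if m and _SECRET_NAME.search(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


class FakeSecretManager:
    """Stand-in for a managed secret store (constructed for this example).
    Each add_version() models a rotation; 'latest' resolves to the newest value."""

    def __init__(self) -> None:
        self._versions: Dict[str, List[str]] = {}

    def add_version(self, name: str, value: str) -> None:
        self._versions.setdefault(name, []).append(value)

    def access(self, name: str, version: str = "latest") -> str:
        versions = self._versions[name]
        return versions[-1] if version == "latest" else versions[int(version) - 1]


class SecretCache:
    """Fetches a secret on first use and re-fetches after `ttl` seconds, so a
    rotation takes effect without redeploying the function while the store is
    not hit on every invocation. `clock` is injectable for deterministic tests."""

    def __init__(self, fetch: Callable[[str], str], ttl: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._entries: Dict[str, Tuple[float, str]] = {}

    def get(self, name: str) -> str:
        now = self._clock()
        entry = self._entries.get(name)
        if entry is None or now - entry[0] >= self._ttl:
            entry = (now, self._fetch(name))
            self._entries[name] = entry
        return entry[1]


def handle_request(request: Dict[str, str], secrets: SecretCache) -> Dict[str, str]:
    """Hardened handler: the credential is neither in source nor in an environment
    variable; it is resolved per invocation and never written to the response."""
    db_password = secrets.get("db-password")
    # A real handler would open its database connection with db_password here.
    authenticated = len(db_password) > 0
    return {"status": "ok" if authenticated else "error",
            "user": request.get("user", "anonymous")}


def demo() -> Tuple[List[Tuple[int, str]], str, str]:
    """Walk through both halves: scan the risky source, then show rotation pickup."""
    hits = find_hardcoded_secrets(VULNERABLE_SOURCE)
    store = FakeSecretManager()
    store.add_version("db-password", "v1-constructed")
    fake_now = [0.0]
    cache = SecretCache(store.access, ttl=60, clock=lambda: fake_now[0])
    before = cache.get("db-password")
    store.add_version("db-password", "v2-constructed")   # rotation happens
    fake_now[0] = 61.0                                   # cache entry expires
    after = cache.get("db-password")
    return hits, before, after


if __name__ == "__main__":
    print(demo())
```

The scanner is deliberately name-based rather than entropy-based: it produces few false positives on ordinary configuration and catches the common case the report describes. The cache TTL is the rotation trade-off; a shorter TTL means a compromised value stays valid for less time after rotation at the cost of more calls to the secret store.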
Serverless functions, while offering a smaller attack surface due to a lack of persistent infrastructure, introduce their own security challenges. Exploitable vulnerabilities in the code can allow attackers to move laterally within the cloud environment, potentially compromising sensitive data.
Backend-as-a-Service (BaaS) misconfigurations further amplify these risks. Publicly exposed or insecure APIs grant unauthorized access, while misconfigured access controls and storage settings can lead to data breaches.
Threat actors are abusing serverless cloud services, like Google Cloud Run and Cloud Functions, to distribute malware and host phishing pages by leveraging compromised accounts or creating their own projects to deploy malicious URLs on legitimate Google Cloud domains.
These URLs redirect users to phishing sites or malware payloads. Security teams can detect and block this abuse by updating security signatures, blacklisting malicious URLs, and disabling compromised projects.
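Because the abuse above rides on legitimate Google Cloud domains, a plain domain block is not an option; defenders instead need to single out unknown serverless endpoints in their own traffic and check them against threat intelligence. The following is an added example, not code from the report or from Google Cloud: a triage routine that runs over constructed proxy log lines, allowlists known-good serverless hosts, blocks hosts on a blocklist, and flags the remaining Cloud Run (`*.run.app`) and Cloud Functions (`*.cloudfunctions.net`) hosts for review, with extra reasons when a hit shows the redirect or payload behaviour the text describes. All hostnames, IPs and list entries are constructed placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hostname suffixes under which Cloud Run services and Cloud Functions are served.
SERVERLESS_SUFFIXES = (".run.app", ".cloudfunctions.net")

# Constructed lists; in production these come from an asset inventory and a TI feed.
ALLOWLIST = {"internal-api-zz9yy8-uc.a.run.app"}
BLOCKLIST = {"update-pkg-q7w8e9-uc.a.run.app"}

# Constructed sample proxy log: "<timestamp> <src_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://billing-portal-a1b2c3-uc.a.run.app/login 200
2024-06-01T10:00:07Z 10.0.0.9 GET https://www.example.com/index.html 200
2024-06-01T10:01:13Z 10.0.0.5 POST https://us-central1-proj-123456.cloudfunctions.net/verify 302
2024-06-01T10:02:44Z 10.0.0.7 GET https://internal-api-zz9yy8-uc.a.run.app/health 200
2024-06-01T10:03:02Z 10.0.0.5 GET https://update-pkg-q7w8e9-uc.a.run.app/payload.bin 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")
CRED_PATH = re.compile(r"(?i)(login|signin|verify|password|account)")
BINARY_PATH = re.compile(r"(?i)\.(bin|exe|dll|msi|zip|iso|js|vbs|ps1)$")


def classify(line: str) -> Optional[Dict[str, object]]:
    """Classify one proxy log line. Returns None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    finding: Dict[str, object] = {"ts": ts, "src": src, "host": host,
                                  "url": url, "status": status, "reasons": []}
    if host in BLOCKLIST:
        finding["verdict"] = "block"
        finding["reasons"] = ["blocklisted host"]
    elif host in ALLOWLIST:
        finding["verdict"] = "allow"
    elif host.endswith(SERVERLESS_SUFFIXES):
        # Unknown serverless endpoint: cannot block the domain, so gather signals.
        reasons = ["unknown serverless host"]
        if status.startswith("3"):
            reasons.append("redirect")            # hop toward a second-stage site
        if CRED_PATH.search(parsed.path):
            reasons.append("credential-themed path")
        if BINARY_PATH.search(parsed.path):
            reasons.append("binary download")
        finding["verdict"] = "review"
        finding["reasons"] = reasons
    else:
        finding["verdict"] = "normal"
    return finding


def triage(log: str) -> List[Dict[str, object]]:
    """Classify every parseable line of a log, preserving order."""
    return [f for f in (classify(l) for l in log.splitlines()) if f is not None]


def verdicts(log: str) -> List[str]:
    return [str(f["verdict"]) for f in triage(log)]


def suspicious_sources(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count, per source IP, the hits that need action (review or block).
    A single host repeatedly reaching unknown serverless endpoints is the pivot
    an analyst will want to look at first."""
    counts = Counter(str(f["src"]) for f in findings
                     if f["verdict"] in ("review", "block"))
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["verdict"], f["host"], f["reasons"])
    print(suspicious_sources(triage(SAMPLE_LOG)))
```

The "review" verdict is intentionally separate from "block": legitimate services also live on these suffixes, so the output is a prioritised queue for an analyst (and candidate entries for the allowlist or blocklist), not an automatic deny. Once a host is confirmed malicious it is added to `BLOCKLIST`, which is the signature-update step the text refers to.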
FLUXROOT, a financially motivated cybercriminal group, leveraged Google Cloud serverless projects to host phishing pages designed to steal credentials for a major Latin American online payment platform.
The phishing pages were likely hosted on Google Cloud Container URLs to evade detection. Upon discovery, Google Cloud Trust & Safety suspended the malicious projects and updated their detection systems.