A new study led by Israeli cybersecurity firm PureSec, titled “New Attack Vector: Serverless Crypto-Mining,” found that one can generate several crypto scripts within serverless apps.
In particular, the report suggests that such apps can open doors for crypto-jackers, who can covertly mine cryptocurrency by stealing computing power from the rightful owner without the owner ever being aware of it.
According to the PureSec researchers, they were able to get hold of an “off-the-shelf” crypto-mining script without influencing the operations of the app. Furthermore, they were allegedly capable of scaling the code, which simply means that they were able to use the power until it reached its maximum. Unfortunately, the victim in such cases will not know what’s going on until the bill arrives.
In the meantime, PureSec has yet to disclose whom it managed to attack; however, we have been told that it attempted the attack, and succeeded, against three serverless hosting providers.
Co-founder and CTO of PureSec, Ory Segal, stated, “Serverless applications are a crypto-jacker’s dream,” and went on to say, “The same strengths and benefits that make serverless ideal for many software companies also attract malicious actors… serverless brings new security challenges.”
Shaked Zin, who shares the same role as Segal, also stated that because serverless is still in its infancy, particularly for companies, many are “struggling to learn how to protect their applications from attacks.”
This report has clearly peeled back yet another layer of security complexity that requires attention. The fact that serverless applications, which have been preferred by many, also have flaws that need fixing is definitely exciting. Will PureSec’s research help develop a thorough solution in the near future?
For details regarding the PureSec report, go to: puresec.io/serverless-crypto-mining-resource-download