Analysis of 700,000 real-world attacks shows how memory attacks evade protections and suggests mitigations.
Threat actors are honing their focus on exploits that evade detection and remain unnoticed within systems, according to Aqua Security’s 2023 Cloud Native Threat Report, which examined memory attacks in networks and software supply chains.
The cloud native security firm’s research arm, Nautilus, noted a 1,400% increase in memory attacks versus what the company reported in its 2022 study. According to Aqua Security, Nautilus analyzed 700,000 attacks over the six-month study period on its global network of honeypots.
The Nautilus team reported that more than 50% of attacks focused on defense evasion and included masquerading techniques such as files executed from /tmp, a location used to store temporary files. The attacks also involved obfuscated files or information, such as dynamic loading of code, which loads libraries – malicious in this case – into memory at runtime, leaving no suspicious digital trail.
Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, said the group’s discovery of HeadCrab, a Redis-based malware that compromised more than 1,200 servers, shone a light on how memory attacks were evading agentless solutions, which monitor, patch and scan systems remotely. This is because, unlike agent-based systems, they are not installed on client machines, Morag explained.
“When it comes to runtime security, only agent-based scanning can detect attacks like these that are designed to evade volume-based scanning technologies, and they are critical as evasion techniques continue to evolve,” he said.
What are memory attacks?
Memory attacks (aka living-off-the-land or fileless attacks) exploit software, apps and protocols already present on the target system to perform malicious activities. As Jen Osborn, deputy director of threat intel at Palo Alto Networks Unit 42, explained, memory attacks are hard to track because they leave no digital trail.
- Memory attacks don’t require an attacker to place code or scripts on a system.
- Memory attacks are not written to a disk and instead use tools like PowerShell, Windows Management Instrumentation or even the password-saving tool Mimikatz to attack.
“They’re [launching memory exploits] because they are much harder to both detect and to find later, because a lot of times, they aren’t kept in logs,” Osborn said.
In a 2018 blog, Josh Fu, currently director of product marketing at endpoint management software company Tanium, explained that memory attacks aim to feed instructions into, or extract data from, RAM or ROM. In contrast to attacks that focus on disk file directories or registry keys, memory attacks are hard to detect, even by antivirus software.
Fu noted that memory attacks typically operate as follows:
- First, a script or file gets onto the endpoint. It evades detection because it looks like a set of instructions, instead of having typical file features.
- Those instructions then get loaded into the machine.
- Once they execute, attackers use the system’s own tools and resources to carry out the attack.
Fu wrote that defenders could help prevent and mitigate memory attacks by:
- Staying up to date on patching.
- Restricting usage of macros in documents.
- Studying this paper on how attackers use Mimikatz to extract passwords.
Cloud software supply chain vulnerabilities uncovered
The Aqua Nautilus report, which also looked at cloud software supply chain risks including misconfigurations, observed that actors are exploiting software packages and using them as attack vectors. For example, they discovered a logical flaw they called “package planting” that allows attackers to disguise malicious packages as legitimate code.
In addition, the researchers reported a vulnerability in all Node.js versions that could allow the embedding of malicious code into packages, resulting in privilege escalation and malware persistence in Windows environments.
The firm reported that the top 10 vulnerabilities identified across its global network in 2022 (excluding Log4Shell, which was overwhelmingly high compared to the rest) were mostly related to the ability to conduct remote code execution. “This reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems,” said the authors (Figure A).
Protection of the runtime environment is critical
Memory attacks exploiting workloads in runtime, where code executes, are becoming an increasingly popular target for threat actors looking to steal data or disrupt business operations, according to the report.
The authors said addressing vulnerabilities and misconfigurations in source code is important because:
- It can take time to prioritize and fix known vulnerabilities, which can leave runtime environments exposed.
- Security practitioners may be unaware of or miss supply chain attack vectors, creating a direct and uncontrolled link to production environments.
- Critical production configurations may still be overlooked in high-velocity, complex and multi-vendor cloud environments.
- Zero-day vulnerabilities are likely, making it essential to have a monitoring system in place for malicious events in production.
The study’s authors also said that merely scanning for known malicious files and network communications and then blocking them and alerting security teams wasn’t enough. Enterprises should also monitor for indicators of malicious behavior, such as unauthorized attempts to access sensitive data, attempts to hide processes while elevating privileges and the opening of backdoors to unknown IP addresses.
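The evasion patterns the report describes (execution from /tmp, libraries loaded into memory at runtime) and the behavioral indicators listed above, as an added example that is not from the Aqua report or this article: a small detector run over a constructed set of process events, of the kind an agent-based runtime sensor would emit. The event schema, field names, and the "known egress" address ranges are assumptions.

```python
"""Added example (not from the Aqua report or this article): flag the evasion
patterns and behavioural indicators the article lists over constructed events."""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical event schema; field names are assumptions, not a real sensor's format.
@dataclass
class ProcEvent:
    pid: int
    exe: str                      # path the process was executed from
    uid: int                      # effective uid after the event
    parent_uid: int               # effective uid of the parent process
    loaded_libs: list = field(default_factory=list)   # shared objects mapped at runtime
    connections: list = field(default_factory=list)   # remote IPs the process connected to
    hidden: bool = False          # true if the pid is alive but absent from the /proc listing

TEMP_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Assumed allow-list of expected egress ranges; anything else counts as "unknown".
KNOWN_EGRESS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def findings(ev: ProcEvent) -> list:
    """Return the indicator tags that apply to one event, in a fixed order."""
    out = []
    if ev.exe.startswith(TEMP_DIRS):                      # masquerading: file executed from /tmp
        out.append("exec-from-tmp")
    for lib in ev.loaded_libs:
        # memfd: names or libraries under temp dirs mean code was loaded into memory at runtime
        if lib.startswith("memfd:") or lib.startswith(TEMP_DIRS):
            out.append("runtime-library-load")
            break
    if ev.uid == 0 and ev.parent_uid != 0 and ev.hidden:  # hiding a process while elevating
        out.append("hidden-privilege-escalation")
    for ip in ev.connections:
        if not any(ipaddress.ip_address(ip) in net for net in KNOWN_EGRESS):
            out.append("backdoor-to-unknown-ip")          # outbound channel to an unknown address
            break
    return out

def triage(events) -> dict:
    """Map pid -> tags for every event that raised at least one indicator."""
    result = {}
    for ev in events:
        tags = findings(ev)
        if tags:
            result[ev.pid] = tags
    return result

# Constructed sample events, not real telemetry (203.0.113.0/24 is a documentation range).
SAMPLE = [
    ProcEvent(101, "/usr/bin/redis-server", 999, 0, ["/usr/lib/libc.so.6"], ["10.0.0.5"]),
    ProcEvent(202, "/tmp/.x/kworker", 0, 1000, ["memfd:payload"], ["203.0.113.7"], hidden=True),
    ProcEvent(303, "/usr/bin/python3", 1000, 1000, ["/tmp/libhook.so"], []),
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE).items():
        print(pid, tags)
```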