Aqua Security Study Finds 1,400% Increase in Memory Attacks



Analysis of 700,000 real-world attacks reveals how memory attacks evade protections and suggests mitigations.

Image: tippapatt/Adobe Stock

Threat actors are honing their focus on exploits that evade detection and remain unnoticed within systems, according to Aqua Security’s 2023 Cloud Native Threat Report, which examined memory attacks in networks and software supply chains.

The cloud native security firm’s research arm, Nautilus, noted a 1,400% increase in memory attacks versus what the company reported in its 2022 study. According to Aqua Security, Nautilus analyzed 700,000 attacks over the six-month study period on its global network of honeypots.

The Nautilus team reported that more than 50% of attacks focused on defense evasion and included masquerading techniques such as files executed from /tmp, a location used to store temporary files. The attacks also involved obfuscated files or information, such as dynamic loading of code, which loads libraries (malicious in this case) into memory at runtime, leaving no suspicious digital trail.

Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, said the group’s discovery of HeadCrab, a Redis-based malware that compromised more than 1,200 servers, shone a light on how memory attacks have been evading agentless solutions, which monitor, patch and scan systems remotely. This is because, unlike agent-based systems, they are not installed on client machines, Morag explained.

“When it comes to runtime security, only agent-based scanning can detect attacks like these that are designed to evade volume-based scanning technologies, and they are critical as evasion techniques continue to evolve,” he said.


What are memory attacks?

Memory attacks (aka living-off-the-land or fileless attacks) exploit software, apps and protocols already present within the target system to perform malicious actions. As Jen Osborn, deputy director of threat intel at Palo Alto Networks Unit 42, explained, memory attacks are hard to track because they leave no digital trail.

  • Memory attacks don’t require an attacker to place code or scripts on a system.
  • Memory attacks aren’t written to a disk and instead use tools like PowerShell, Windows Management Instrumentation and even the password-extraction tool Mimikatz to attack.

“They’re [launching memory exploits] because they are much harder to both detect and to find later, because a lot of times, they aren’t kept in logs,” Osborn said.


In a 2018 blog, Josh Fu, currently director of product marketing at endpoint management software company Tanium, explained that memory attacks aim to feed instructions into, or extract data from, RAM or ROM. In contrast to attacks that target disk file directories or registry keys, memory attacks are hard to detect, even by antivirus software.

Fu noted that memory attacks typically operate as follows:

  1. First, a script or file gets onto the endpoint. It evades detection because it looks like a set of instructions, instead of having typical file features.
  2. Those instructions then get loaded into the machine.
  3. Once they execute, attackers use the system’s own tools and resources to carry out the attack.

Fu wrote that defenders could help prevent and mitigate memory attacks by:

  • Staying up to date on patching.
  • Blocking websites running Flash, Silverlight or JavaScript, or blocking these from running on sites requesting them to be enabled.
  • Restricting usage of macros in documents.
  • Reading this paper on how attackers use Mimikatz to extract passwords.

Cloud software supply chain vulnerabilities uncovered

The Aqua Nautilus report, which also looked at cloud software supply chain risks including misconfigurations, observed that actors are exploiting software packages and using them as attack vectors. For example, they discovered a logical flaw they called “package planting” that allows attackers to disguise malicious packages as legitimate code.

In addition, the researchers reported a vulnerability in all Node.js versions that could allow the embedding of malicious code into packages, resulting in privilege escalation and malware persistence in Windows environments.

The firm reported that the top 10 vulnerabilities identified across its global network in 2022 (excluding Log4Shell, which was overwhelmingly high compared to the rest) were largely related to the ability to conduct remote code execution. “This reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems,” said the authors (Figure A).

Figure A

The top 10 vulnerabilities scanned in 2022. Image: Aqua Nautilus.

Protecting the runtime environment is critical

Memory attacks exploiting workloads in runtime, where code executes, are becoming an increasingly popular target for threat actors looking to steal data or disrupt business operations, according to the report.

The authors said addressing vulnerabilities and misconfigurations in source code is important because:

  • It can take time to prioritize and fix known vulnerabilities, which can leave runtime environments exposed.
  • Security practitioners may be unaware of or miss supply chain attack vectors, creating a direct and uncontrolled link to production environments.
  • Critical production configurations may be overlooked in high-velocity, complex and multi-vendor cloud environments.
  • Zero-day vulnerabilities are likely, making it essential to have a monitoring system in place for malicious events in production.

The study’s authors also said that simply scanning for known malicious files and network communications and then blocking them and alerting security teams wasn’t enough. Enterprises should also monitor for indicators of malicious behavior, such as unauthorized attempts to access sensitive data, attempts to hide processes while elevating privileges and the opening of backdoors to unknown IP addresses.
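The behavioral indicators the report recommends monitoring for, together with the masquerading techniques Nautilus described earlier (execution from /tmp, code loaded only into memory), can be expressed as simple rules over runtime telemetry. The following is an added illustration, not code from the Aqua report or from any vendor product: it runs a handful of detection rules over constructed sample events in an assumed agent-style record format (the `exec`/`open`/`connect` event shapes and field names are assumptions), and flags executables run from temporary directories, memory-only binaries, user processes named after kernel threads, effective-root from an unprivileged real uid, unprivileged reads of sensitive files and outbound connections to addresses outside a known allowlist.

```python
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not from the Aqua report): one dict per runtime
# event, in the shape an endpoint agent might emit. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "type": "exec", "exe": "/usr/bin/python3", "comm": "python3", "uid": 1000, "euid": 1000},
    # binary dropped in /tmp and named after a kernel thread
    {"id": 2, "type": "exec", "exe": "/tmp/.x/kworker", "comm": "kworker", "uid": 1000, "euid": 1000},
    # memory-only executable (memfd_create) whose process has also gained root
    {"id": 3, "type": "exec", "exe": "/memfd:payload (deleted)", "comm": "sh", "uid": 1000, "euid": 0},
    # unprivileged read of the shadow file
    {"id": 4, "type": "open", "path": "/etc/shadow", "comm": "cat", "uid": 1000, "euid": 1000},
    {"id": 5, "type": "connect", "dst": "10.0.0.5", "port": 443, "comm": "curl"},
    # outbound connection to an address outside the known ranges
    {"id": 6, "type": "connect", "dst": "198.51.100.23", "port": 4444, "comm": "kworker"},
]

SUSPICIOUS_EXEC_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SENSITIVE_PATHS = ("/etc/shadow", "/root/.ssh/")
# Real kernel threads never have an on-disk executable, so a user process
# carrying one of these names is masquerading.
KERNEL_THREAD_NAMES = {"kworker", "kthreadd", "ksoftirqd"}


def rule_exec_from_tmp(ev):
    return ev["type"] == "exec" and ev["exe"].startswith(SUSPICIOUS_EXEC_DIRS)


def rule_memory_only_exe(ev):
    # /proc/<pid>/exe of a memfd-backed or unlinked binary: code that lives only in RAM
    return ev["type"] == "exec" and ("memfd:" in ev["exe"] or ev["exe"].endswith("(deleted)"))


def rule_kernel_name_masquerade(ev):
    return ev["type"] == "exec" and ev["comm"] in KERNEL_THREAD_NAMES


def rule_privilege_gain(ev):
    # effective root reached from a non-root real uid
    return ev["type"] == "exec" and ev["uid"] != 0 and ev["euid"] == 0


def rule_sensitive_access(ev):
    return ev["type"] == "open" and ev["euid"] != 0 and ev["path"].startswith(SENSITIVE_PATHS)


RULES = [
    ("exec_from_tmp", rule_exec_from_tmp),
    ("memory_only_exe", rule_memory_only_exe),
    ("kernel_name_masquerade", rule_kernel_name_masquerade),
    ("privilege_gain", rule_privilege_gain),
    ("sensitive_access", rule_sensitive_access),
]


def detect(events, known_networks):
    """Return (event id, rule name) pairs for every event that trips a rule."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    alerts = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append((ev["id"], name))
        # connections to destinations outside the allowlist (possible backdoor)
        if ev["type"] == "connect":
            dst = ipaddress.ip_address(ev["dst"])
            if not any(dst in net for net in known):
                alerts.append((ev["id"], "unknown_destination"))
    return alerts


def summarize(alerts):
    """Group rule hits by event id; events tripping several rules deserve triage first."""
    grouped = defaultdict(list)
    for event_id, name in alerts:
        grouped[event_id].append(name)
    return {eid: sorted(names) for eid, names in grouped.items()}


if __name__ == "__main__":
    for eid, names in summarize(detect(SAMPLE_EVENTS, ["10.0.0.0/8"])).items():
        print(f"event {eid}: {', '.join(names)}")
```

Each rule keys on behavior rather than on a file hash or signature, which is the point the report makes: the memory-only binary in event 3 has nothing on disk to scan, but its `/proc/<pid>/exe` path and its uid/euid mismatch are still visible to an agent on the host. Grouping hits per event lets a triage queue surface processes that combine several indicators (here, execution from /tmp under a kernel-thread name) ahead of single-rule noise.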
