By Byron V. Acohido
A common thread runs through the cyber attacks that continue to defeat the best layered defenses money can buy.
Related: We’re in the midst of ‘cyber Pearl Harbor’
Peel back the layers of just about any sophisticated, multi-staged network breach and you’ll invariably find memory hacking at the core. In fact, memory attacks have quietly emerged as a powerful and versatile new class of hacking technique that threat actors in the vanguard are utilizing to subvert conventional IT security systems.
In a sense, memory attacks are a reflection of what has been left out of the $216 billion companies spent over the past two years on security products and services. That’s Gartner’s estimate of global spending on cybersecurity in 2017 and 2018. Memory hacking is being carried out across paths that have been left comparatively wide open to threat actors who are happy to take full advantage of the rather fragile framework of processes that execute deep inside the kernel of computer operating systems.
Last Watchdog recently sat down with Satya Gupta, founder and CTO of Virsec, a San Jose-based supplier of advanced data protection systems. Virsec is a leading innovator of memory protection technologies. Gupta put memory attacks in context of the complexity that has overtaken modern business networks. Here’s what I took away from our discussion:
Transient hacks
Memory hacking has become a go-to technique used both by common cybercriminals, as well as nation-state backed hacking specialists. Threat actors are crafting memory attacks designed to help them gain footholds, move laterally and achieve persistence deep inside well-defended enterprise networks.
Microsoft, supplier of the Windows operating system used ubiquitously in enterprise networks, recently disclosed that fully 70% of all security bugs pivot off what the software giant refers to as “memory safety issues.”
These are issues that are coming into play in all other major OSs, as well as at the processing chip level of computer hardware.
For instance, major vulnerability was discovered lurking in the GNU C Library, or GLIBC, an open source component that runs deep inside of Linux operating systems used widely in enterprise settings. GLIBC keeps common code in one place, thus making it easier for multiple programs to connect to the company network and to the Internet. Turns out it was possible for a threat actor to flood GLIBC with data, take control of it, and then use it as a launch point for stealing passwords, spying on users and attempting to usurp control of other computers.
In the case of Microsoft’s flagship OS, it turns out that because Windows is written largely in the C and C ++ programming languages, it permits deep access to the memory addresses where software code is executed, at the OS level. Threat actors have devised numerous ways to overload these memory processes and manipulate memory addresses in ways that enable them to run snippets of unauthorized code.
Subverting intent
What makes memory attacks so insidious is that none of this malicious activity happens anywhere near the perimeter of a company’s network, nor on any particular hard drive; and this is precisely where most of the horsepower of conventional cybersecurity tools is directed. Instead, memory attacks are transient. They execute in runtime – the period of time when a software application gets loaded into the RAM (random access memory) of the computing device’s CPU (central processing unit.) Thus, memory attacks unfold only when the application is executing, and then they disappear without a trace.
Memory attacks essentially subvert the intent of the developer who authored the original software code, thereby giving the attacker control over critical processes. “Conventional security tools try to protect applications pre-execution, or they monitor for anomalies post-execution, but attackers are now exploiting the space in-between – during application runtime, when the code is actually executing,” Gupta explains. “Memory attackers seek to corrupt memory in many ways, such as inserting benign-looking user inputs, changing runtime libraries (DLLs) during runtime, or using return oriented programming (ROP) gadgets to run arbitrary operations on a machine.”
Manipulating runtime
Gupta
This quickly gets intricately technical. Gupta helped me visualize this rapidly advancing exposure by outlining the general framework of cyber attacks that increasingly incorporate memory hacking techniques. A network breach begins, of course, with an incursion. One tried-and-true incursion method pivots off social engineering. A targeted employee is sent a tainted zip file or Office macro that arrives in an expertly-spoofed email message. The message entices the recipient to click on the tainted zip file or macro. This then drops a PowerShell script into the memory of the host computer.
PowerShell is a command-line shell that Microsoft began installing by default on all Windows machines a few years back. It was designed to make it convenient for system administrators to automate tasks and manage configurations across all Windows endpoints and servers in a company network. Because PowerShell executes in memory, it works out beautifully as a ready-made attack tool. Threat actors are increasingly leveraging PowerShell to stealthily download snippets of malicious script, coding that executes in memory. It is also being used, post incursion, to help the attacker move laterally; more on this, in a minute.
Back to incursions. Yet another common incursion method is to launch a self-spreading worm designed to seek out and infect computers with unpatched or zero-day vulnerabilities, and then utilize memory-hacking techniques to propagate and deliver malicious payloads on a tier far below the radar of conventional firewalls. The first worm of note that accomplished this was Stuxnet. Allegedly developed by US and Israeli operatives, Stuxnet was discovered circulating through Iranian nuclear energy facilities in 2010. Because it was so complex, Stuxnet was not easy for just anyone to replicate.
Branching attacks
Fast forward to 2017. That’s when a hacking collective, known as Shadow Brokers, succeeded in infiltrating the NSA and stealing a cache of cyber weapons: hacking tools developed by the best-and-brightest NSA code writers that used memory-hacking tricks to exploit known and zero-day vulnerabilities. Shadow Brokers initially tried to sell these stolen NSA tools piecemeal, but found no takers.
So the collective publicly released them. Someone quickly snapped up two of the free spy tools—code named EternalBlue and DoublePulsar—and whipped up the WannaCry ransomware worm, which spread, in a matter of days, into government, utility and company networks in 150 countries, shutting down systems and demanding extortion payments. Improved versions of the original WannaCry soon followed — and then the floodgates opened.
Today, if you examine any high-profile data breach, you’re likely to find memory-hacking techniques utilized at multiple key stages of the attack. These are hacking innovations derived from what Stuxnet introduced — and WannaCry took mainstream. One branch of this new class of attacks has focused on industrial control systems. Russia, North Korea and Iran have steadily escalated attacks like the Industroyer campaign that crippled Ukraine’s electrical grid, the Triton/Trisis attacks against middle-eastern power companies, and numerous incursions into US critical infrastructure.
Another branch of attacks revolve around ransomware, crypto jacking, denial of service attacks and malware spreading activities. This branch includes families of malware like NotPetya, GLIBC and Shell Shock. Whoever was behind NotPetya, notably, leveraged the stolen NSA tools, to completely destroy global shipping company Maersk’s computer network in 2017. The company’s IT team got the network back online in a record 10 days, but cost Maersk between $250 million and $300 million.
Achieving persistence
Whichever way incursion is accomplished, the intruder, once inside a breached network, wants to roam far and wide, but also remain undetected for as long as possible. “Critical application processes are at the greatest risk, including those that are running in air-gapped environments,” Gupta says. “Once skilled malicious hackers have bypassed deficient conventional security, they can setup backdoors, and dwell within networks for extended periods without setting off alarms.”
This is referred to as persistence. A common technique to achieve persistence is to leverage stolen account logons, especially ones that give access to privileged accounts. A privileged account provides access to sensitive systems and data bases and typically gets assigned to a system administrator or senior manager. Privilege account credentials are widely available for sale. They can be purchased from data theft rings or they can be directly spear phished by the attacker. With control of just one privileged account, the attacker is in a position to turn to memory-hacking techniques, yet again – by tapping a full array system administration tools, all of which run in memory.
This is where PowerShell comes back into play. PowerShell in the hands of an intruder with privileged access is a game changer. The attacker is able to access and manipulate all Windows operating system functions – including usurping control of other common admin tools. Yet another ubiquitous tool, Windows Registry, for instance, has proven to be excellent for reloading fresh instances of a given piece of malware, with each system reboot.
These attacks, and others like them, are all designed to manipulate otherwise benign memory functions and system tools at the OS level, largely undetected and leaving no traces behind. The techniques threat actors are using have names like buffer overflow, stack exhaustion, DLL injections, side channel attacks, null pointer and fileless malware attacks – all of which pivot off what Microsoft likes to refer to as memory safety issues.
Gupta lays it out like this: “By combining flaws in software and hardware, with a series of unvalidated data inputs targeting process memory, attackers corrupt legitimate processes to disable security, leak information or execute application functions in unintended ways.”
If that weren’t enough, threat actors are also taking full advantage of the fact that memory flaws have a symbiotic relationship with privileged accounts, or, more put precisely, with how privileged accounts have come to be distributed and managed in modern business networks.
“Privileged processes typically have broad access to memory,” Gupta says. “From a privileged account you can modify system security configuration, add a trusted root certificate, change registry settings, or corrupt memory for specific code sets just as the code is being executed. From here, it’s possible to hijack control over application servers, access databases, or use APIs to connect to other systems.”
Addressing the exposure
As we get deeper into digital transformation and extend IoT-enabled commerce, there is a growing recognition in cybersecurity circles of the rising exposure enterprises face, with respect to network compromises aided and abetted by memory attacks. Ponemon’s 2018 State of Endpoint Security Risk study, for instances, predicts 38% of targeted attacks will use fileless techniques in 2019, up from 35% in 2018 and 30% in 2017.
And a recent BlueCoat sandbox study demonstrated how 95.4% of PowerShell scripts analyzed as part of that study turned out to be malicious. Security giants, including Cisco, Symantec, Trend Micro, Palo Alto Networks, Check Point, among many others, are all moving to address memory exposures as part of their legacy service offerings.
Virsec, meanwhile, is among a small group of innovators that have set out to tackle memory exposures more directly. Rather than endlessly chasing external threats, Virsec provides proactive memory protection, based on what an application should be doing at any given time, and how scripts are actually executing, at the memory level, during runtime. “We focus on identifying and stopping attacks, during execution, in runtime,” Gupta told me. “We can terminate rogue processes and disconnect specific rogue users within miliseconds, or signal other network tools to disable attackers at the perimeter.”
Memory attacks clearly represent an insidious and profound exposure with the potential to scale quickly through a given network, and, beyond that, across entire sectors, as we’ve already seen, with the power plant attacks. The concern on the horizon is that memory attacks will give threat actors a firm foothold to corrupt the smart homes, smart workplaces and smart transportation systems that are coming on line in the next few years. I’m encouraged that the cybersecurity community has begun to address this, with innovators, like Virsec, pushing the edge of the envelope. You’ll hear more from me on this topic. Talk soon.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
