MY TAKE: The amazing ways hackers manipulate ‘runtime’ to disguise deep network breaches

By Byron V. Acohido

There is a concept in computing, called runtime, that is so essential and occurs so ubiquitously that it has long been taken for granted.

Now cyber criminals have begun to leverage this heretofore innocuous component of computing to insinuate themselves deep inside of company networks.

Related: The coming wave of ‘microcode’ attacks

They’ve figured out how to manipulate applications while in runtime and execute powerful and stealthy attacks that bypass conventional security tools.

This is a big leap forward for elite threat actors, who have long targeted static files, storage, and executable code, either at rest on disk or in transit. What they’re doing is intricately technical. But it’s happening on an increasing basis in the Internet wild  to exploit vulnerabilities, spread ransomware, steal valuable data and to usurp control of industrial plants.

I asked Willy Leichter, vice president of marketing at Virsec, a supplier of data security systems, to dissect how runtime is essentially being weaponized to support advanced network compromises. We met at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast of our conversation. Here are key takeaways:

Runtime defined

Runtime refers to the period of time between opening a software program and quitting, or closing, it.  During runtime, pieces of the application get loaded into the RAM (random access memory) of the computing device’s CPU (central processing unit) allowing the app to do its thing.

Runtime occurs continually in our digital world. It comes into play any time software applications get executed “on premises” in a company network and across any mobile app or cloud-delivered service. This includes when you use email, a productivity tool, a mobile app, social media, or an Internet of Things device.

Here’s the rub: threat actors have discovered how to slip benign-looking snippets of data into application servers, that then get transformed into malicious code during runtime. This enables them to manipulate legitimate processes with the CPU’s memory. The security implications are profound.


Runtime gets activated, on multiple levels, each and every time any application gets executed – and each occurrence of runtime represents a potential attack vector, Leichter says. “It’s this actual usage of the CPU’s memory that is vulnerable and is being abused,” he says. “And, frankly, this is something that is way below the radar of what most people think about.”

Manipulating runtime

Here’s how threat actors are manipulating runtime: When an app gets loaded into memory, certain lines of code get assigned to use certain “memory blocks” of the CPU’s RAM. Simply put, criminal hackers have figured out how to trick applications into sending something to the wrong block of memory, Leichter says.

“This typically happens in the CPU’s shared memory, which is memory that is accessible by other applications,” he explains. “So just by having an application write something to the wrong location, the attacker can now access and exfiltrate information from this shared memory, and abuse can take place in various other ways.”

Who would have thought that this most basic of memory allocation routines, in runtime, would translate into a potent attack vector?

“It’s sort of assumed that memory allocation happens the way it’s supposed to, the way it’s assigned,” Leichter says. “But this is an area that is really being abused now more aggressively, and it’s very difficult to detect unless you’re actually looking at — not just what’s coming in  — but at what’s actually happening within your application.”

Weaponizing runtime

Remember Stuxnet the computer worm that infiltrated industrial plants in Iran and elsewhere? How about the WannaCry and NotPetya ransomware worms, which spread rapidly deep inside the networks of thousands of companies and government agencies? These were complex, intricately orchestrated attacks where runtime manipulation played a critical role.

More recently, the so-called Triton attack of a Middle Eastern petrochemical plant, in which the attacker took over the plant’s industrial controls and shut down safety systems, also relied on manipulating runtime.

Virsec analysts have forensically examined a number of network breaches involving runtime manipulations and discovered something remarkable. Attackers are dividing their attacks into bite sized chunks, and slipping these innocuous-looking components into the targeted network via a series of vulnerabilities and runtime manipulations. Once all the pieces arrive inside the targeted network, the attackers reassemble the snippets of code into malicious routines.

“We’re seeing runtime get weaponized,” Leichter told me. “Think of a plastic gun made on a 3-D printer that you disassemble into different pieces of plastic that, in and of themselves, appear to be benign. You can sneak the pieces by the security screener, and then reassemble later.”

Coming commoditization

Virsec researchers have discovered threat actors’ latest, greatest evasion tactic is to route snippets of malicious scripts in through several paths, never writing anything to the CPU’s hard drive, which is closely guarded, and sending them directly into runtime environment, which is unwatched.

“A lot of these sophisticated attackers are trying to plant a foot in the door and leave a back door open, so they can do additional things,” Leichter says. “They’re looking to escalate privileges, or perhaps inject other types of malicious code. By sending in more scripts and pieces of code by various means, you gain multiple entry points.”

The level of sophistication of these types of attacks suggest that they are being carried out by well-funded hacking collectives staffed by elite code developers. However, like everything else in cybersecurity, what’s leading-edged today becomes commoditized tomorrow.

Runtime-enabled network compromises are in an early stage, but they are destined to advance and become more widespread. Now is the time for companies to get this exposure on their radar screen and begin reassessing their legacy defense strategies. Sooner or later, this fresh, deep layer of ripe attack vectors will have to be accounted for by one and all.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Editor’s note: Last Watchdog has supplied consulting services to Virsec.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone