Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

By Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

Related: Memory hacking becomes a go-to tactic

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads  – undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

LW: Can you frame this new class of hacking?

Leichter

Leichter: The common thread is attacks that are targeting memory; targeting applications while they’re running, as opposed to when something is sitting on a disk, or a bad file comes in. It turns out there are a lot of gaps, a lot of ways to manipulate applications into going off the rails and doing bad things. This is what the hackers are exploiting.

LW: Why is this happening?

Jakab:  We spent most of our time protecting the perimeter, and we didn’t put a heavy concentration on protecting the full application stack. And as skills sets evolved, so did hackers’ skill sets. Attackers are getting more active, and targeting more, eliminating the middle man, which is you and I. They’re going directly for the application itself, using trusted tools that are left open to them.

Leichter: A lot of very advanced hacking tools came out of research labs at the NSA, and other places, and they are now in the hands of nation states, and even independent criminal hackers. This has really raised the stakes, as they’ve begun to hit at a soft spot in our defenses that really has not been covered before.

LW: Why is memory emerged as a vector of choice?

Jakab

Jakab: What’s going on today is that we’ve accelerated our software development processes. Big companies have their own DevOps teams that turn out new application functionalities and capabilities very quickly. . . and they’re integrating these functionalities with other applications.

By adding components to integrate with other applications, holes are also being created. So, therefore, a person with knowledge of that can also leverage that same interface.

LW: To get to memory, which no one is watching?

Leichter: When your application is running it’s live in RAM and it’s a different beast as it’s executing. This all happens very quickly. There are a lot of things surrounding it; you have libraries, function calls and other processes that support the application. And a lot of these components can be corrupted in very subtle ways that change what the application is doing – while the application is running.

LW: How does stealth come into play?

Jakab:  It’s multifaceted. When the attacker gets in, they build up their attack. They may jump around to different servers and do reconnaissance to figure out what other devices or resources are connected to that particular application. And they can access those things to hide in certain areas.

LW: Clearly companies are going to have to deal with this. Why so?

Jakab:  We’re in a politically sensitive and contentious time right now. Warfare is not just with the guns anymore, it’s a cyber attack, and not just on critical infrastructure or government agencies, but on other big stakeholders, as well. Election tampering is part of it. This is what we’re looking at; this is what we’re protecting right now.

Leichter: It usually comes back to money and disruption. Maersk, a huge Dutch shipping company, got shut down. Merck had one of its pharmaceuticals delayed, which led to a global shortage. And there have been many examples where people have shorted companies that they knew were about to be attacked.

The ripple effects and the repercussions of memory attacks are huge, and it is being done not just to create chaos. There are people with clear motives behind these attacks.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone