Analysis of 700,000 real-world attacks shows how memory attacks evade protections and suggests mitigations.
Threat actors are honing their focus on exploits that evade detection and remain unnoticed within systems, according to Aqua Security’s 2023 Cloud Native Threat Report, which examined memory attacks in networks and software supply chains.
The cloud native security firm’s research arm, Nautilus, noted a 1,400% increase in memory attacks versus what the company reported in its 2022 study. According to Aqua Security, Nautilus analyzed 700,000 attacks over the six-month study period on its global network of honeypots.
The Nautilus team reported that more than 50% of attacks focused on defense evasion and included masquerading techniques such as files executed from /tmp, a location used to store temporary files. The attacks also involved obfuscated files or information, such as dynamic loading of code, which loads libraries – malicious in this case – into memory at runtime, leaving no suspicious digital trail.
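The two evasion indicators described above, execution from a temporary directory and code loaded only into memory, are both visible in process-execution telemetry if a collector records the executable path and environment. The following is an added example, not code from the Aqua report or the TechRepublic article: a small scanner over constructed auditd-style execve events (the simplified `key="value"` format and all sample values are made up for illustration). It flags binaries launched from `/tmp`, `/var/tmp` or `/dev/shm`, executables whose path is a `memfd:` anonymous file or that were deleted after launch (the on-disk file is gone, so only the in-memory copy remains), and `LD_PRELOAD` libraries served from those same locations.

```python
import re

# Constructed sample events in a simplified auditd-like key=value format.
# These are not real log lines; PIDs, paths and names are made up.
SAMPLE_EVENTS = [
    'type=EXECVE pid=1201 ppid=1 uid=0 exe="/usr/sbin/sshd" cwd="/" env=""',
    'type=EXECVE pid=4242 ppid=1201 uid=33 exe="/tmp/.x/kworker" cwd="/tmp/.x" env=""',
    'type=EXECVE pid=4250 ppid=4242 uid=33 exe="/memfd:payload (deleted)" cwd="/tmp" env=""',
    'type=EXECVE pid=4260 ppid=1201 uid=1000 exe="/usr/bin/python3" cwd="/home/dev" env="LD_PRELOAD=/dev/shm/libhook.so"',
    'type=EXECVE pid=4270 ppid=1 uid=1000 exe="/usr/bin/vim" cwd="/home/dev" env=""',
]

# World-writable locations that legitimate services rarely execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# key=value or key="quoted value"; group 3 holds the unquoted inner text.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict, stripping quotes."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify(event):
    """Return the list of evasion indicators present in one execve event."""
    findings = []
    exe = event.get("exe", "")
    if exe.startswith(TEMP_DIRS):
        findings.append("exec-from-temp-dir")
    # /proc/<pid>/exe for an anonymous memfd reads "/memfd:<name> (deleted)";
    # a regular binary removed after launch also ends in "(deleted)".
    if exe.startswith("/memfd:") or exe.endswith("(deleted)"):
        findings.append("in-memory-executable")
    for var in event.get("env", "").split():
        name, _, value = var.partition("=")
        if name == "LD_PRELOAD" and (value.startswith(TEMP_DIRS) or value.startswith("/memfd:")):
            findings.append("preloaded-library-from-temp-dir")
    return findings


def scan(lines):
    """Return (pid, indicators) for every execve event that triggers a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("type") != "EXECVE":
            continue
        findings = classify(ev)
        if findings:
            alerts.append((int(ev["pid"]), findings))
    return alerts


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(findings)}")
```

The rules are deliberately narrow: a binary in `/tmp` is not proof of compromise, but the combination of a temp-directory parent and a memfd child, as in the constructed chain above, is the shape the report attributes to defense-evasion activity and is worth an alert on its own.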
Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, said the group’s discovery of HeadCrab, a Redis-based malware that compromised more than 1,200 servers, shone a light on how memory attacks were evading agentless solutions, which monitor, patch and scan systems remotely. This is because, unlike agent-based systems, they are not installed on client machines, Morag explained.
“When it comes to runtime security, only agent-based scanning can detect attacks like these that are designed to evade volume-based scanning technologies, and they are critical as evasion techniques continue to evolve,” he said.
Memory attacks (aka living-off-the-land or fileless attacks) exploit software, apps and protocols extant within the target system to perform malicious activities. As Jen Osborn, deputy director of threat intel at Palo Alto Networks Unit 42, explained, memory attacks are hard to track because they leave no digital trail.
“They’re [launching memory exploits] because they are much harder to both detect and to find later, because a lot of times, they aren’t kept in logs,” Osborn said.
In a 2018 blog, Josh Fu, currently director of product marketing at endpoint management software company Tanium, explained that memory attacks aim to feed instructions into, or extract data from, RAM or ROM. In contrast to attacks that focus on disk file directories or registry keys, memory attacks are hard to detect, even by antivirus software.
Fu noted that memory attacks typically operate as follows:
Fu wrote that defenders could help prevent and mitigate memory attacks by:
The Aqua Nautilus report, which also looked at cloud software supply chain risks including misconfigurations, observed that actors are exploiting software packages and using them as attack vectors. For example, they discovered a logical flaw they called “package planning” that allows attackers to disguise malicious packages as legitimate code.
In addition, the researchers reported a vulnerability in all Node.js versions that could allow the embedding of malicious code into packages, resulting in privilege escalation and malware persistence in Windows environments.
The firm reported that the top 10 vulnerabilities identified across its global network in 2022 (excluding Log4Shell, which was overwhelmingly high compared to the rest) were mostly related to the ability to conduct remote code execution. “This reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems,” said the authors (Figure A).
Figure A
Workloads in runtime, where code executes, are becoming an increasingly popular target for memory attacks by threat actors looking to steal data or disrupt business operations, according to the report.
The authors said addressing vulnerabilities and misconfigurations in source code is important because:
The study’s authors also said that merely scanning for known malicious files and network communications and then blocking them and alerting security teams wasn’t enough. Enterprises should also monitor for indicators of malicious behavior, such as unauthorized attempts to access sensitive data, attempts to hide processes while elevating privileges and the opening of backdoors to unknown IP addresses.
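The behavioral indicators listed above only become useful when they are correlated, since any one of them (an outbound connection to an address not seen before, a process that becomes root) is routine on its own. The following is an added example, not code from the report or the article, showing one way to do that correlation over constructed telemetry: a stream of uid-change and outbound-connection events, a snapshot of the PIDs a process listing showed, and an allowlist of known destination networks (the RFC 5737 documentation ranges stand in for real addresses). A connection is flagged when its destination is outside the allowlist, when the connecting PID was missing from the process listing (a process hiding from enumeration still owns its sockets), and when the same PID earlier elevated from a non-root uid to root.

```python
import ipaddress

# Constructed sample data; none of it comes from the report.
KNOWN_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal range
    ipaddress.ip_network("192.0.2.0/24"),    # stands in for a known SaaS range
]

# PIDs that a process listing (e.g. ps) showed at the time of the snapshot.
VISIBLE_PIDS = {1, 1201, 4242, 4260}

EVENTS = [
    {"kind": "setuid", "pid": 4242, "old_uid": 33, "new_uid": 0},
    {"kind": "connect", "pid": 4242, "dst": "198.51.100.7", "dport": 4444},
    {"kind": "connect", "pid": 1201, "dst": "10.1.2.3", "dport": 443},
    {"kind": "connect", "pid": 4250, "dst": "203.0.113.9", "dport": 8080},
    {"kind": "connect", "pid": 4260, "dst": "192.0.2.10", "dport": 443},
]


def is_known_destination(ip_str):
    """True if the address falls inside any allowlisted network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in KNOWN_DESTINATIONS)


def correlate(events, visible_pids):
    """Walk the event stream in order and return alerts for suspicious connections.

    A connection is reported with every reason that applies, so a single
    unknown destination from a visible, unprivileged process is still listed
    but can be triaged lower than one carrying several reasons.
    """
    escalated = set()  # PIDs that went from a non-root uid to root
    alerts = []
    for ev in events:
        if ev["kind"] == "setuid":
            if ev["old_uid"] != 0 and ev["new_uid"] == 0:
                escalated.add(ev["pid"])
        elif ev["kind"] == "connect":
            reasons = []
            if not is_known_destination(ev["dst"]):
                reasons.append("connection-to-unknown-ip")
            if ev["pid"] not in visible_pids:
                reasons.append("hidden-process")
            if ev["pid"] in escalated:
                reasons.append("after-privilege-elevation")
            if reasons:
                alerts.append({"pid": ev["pid"], "dst": ev["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, VISIBLE_PIDS):
        print(f"pid {alert['pid']} -> {alert['dst']}: {', '.join(alert['reasons'])}")
```

In the constructed stream, the process that elevated to root and then reached an address outside the allowlist, and the connection owned by a PID the process listing never showed, are the two that surface; the connections to known ranges from visible processes stay silent, which is the point of checking behavior rather than file hashes alone.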