According to Aqua Security’s 2023 Cloud Native Threat Report, threat actors are increasingly turning their attention to exploits that avoid detection and go unnoticed within systems, including in-memory attacks across networks and software supply chains.
Nautilus, the research arm of the cloud native security firm, saw a 1,400% increase in memory attacks compared to what the company reported in its 2022 study. According to Aqua Security, Nautilus analyzed 700,000 attacks on its global network of honeypots over the six-month study period.
The Nautilus team reported that more than 50% of the attacks focused on defense evasion and included stealth techniques such as executing files from /tmp, a location used to store temporary files. The attacks also involved obfuscating files or information, such as dynamic loading of code, which loads libraries—in this case malicious—into memory at runtime, leaving no suspicious digital trail.
Asaf Morag, principal threat intelligence researcher at Aqua Nautilus, said the group’s discovery of the Redis-based malware HeadCrab, which compromised more than 1,200 servers, highlighted how memory attacks were escaping agentless solutions, which remotely monitor, patch and scan systems. That’s because, unlike agent-based systems, they aren’t installed on client machines, Morag explained.
“When it comes to runtime security, only agent-based scanning can detect attacks that volume-based scanning techniques are designed to avoid, and they are important because piracy techniques are constantly evolving,” he said.
What are memory attacks?
Memory attacks (aka living-off-the-land or fileless attacks) exploit software, apps, and protocols contained within a target system to perform malicious activities. As explained by Jen Osborne, Deputy Director of Threat Intel at Palo Alto Networks Unit 42, memory attacks are hard to track because they leave no digital trail.
- In-memory attacks do not require an attacker to put code or a script on the system.
- In-memory attacks are not written to disk; instead, tools such as PowerShell, Windows Management Instrumentation or even the password-saving tool Mimikatz are used for the attack.
“They’re (launching memory exploits) because they’re so hard to detect and find later, because many times, they’re not kept in the log,” Osborne said.
In a 2018 blog, Josh Fu, currently director of product marketing at endpoint management software company Tanium, explained that memory attacks aim to feed instructions into, or extract data from, RAM or ROM. Unlike attacks that focus on disk file directories or registry keys, memory attacks are harder to detect, even by antivirus software.
Fu said memory attacks typically operate as follows:
- First, a script or file accesses the endpoint. It escapes recognition because it resembles a set of instructions rather than specific file features.
- Those instructions are then loaded into the machine.
- Once they are executed, attackers use the system’s own tools and resources to carry out the attack.
Fu wrote that the following safeguards can help prevent and mitigate memory attacks:
- Stay updated on patching.
- Block websites that run Flash, Silverlight, or JavaScript, or prevent them from running on sites that request that they be enabled.
- Restrict the use of macros in documents.
Cloud software supply chain vulnerabilities exposed
The Aqua Nautilus report, which also looked at cloud software supply chain risks including misconfiguration, observed that actors are exploiting software packages and using them as attack vectors. For example, they discovered a logic flaw they call “package planting” that allows attackers to disguise malicious packages as legitimate code.
In addition, researchers reported a vulnerability in all Node.js versions that could allow malicious code to be embedded in packages, resulting in privilege escalation and malware persisting in Windows environments.
The firm reported that the top 10 vulnerabilities identified in its global network in 2022 (excluding Log4Shell, which far outnumbered the rest) were mostly related to the ability to perform remote code execution. “This reinforces the idea that attackers are looking for early access and running malicious code on remote systems,” the authors said.
Security of the runtime environment is critical
According to the report, memory attacks that exploit workloads at runtime, where code executes, are becoming an increasingly popular target for malicious actors looking to steal data or disrupt business operations.
The authors said that addressing vulnerabilities and misconfigurations in the source code is important because:
- Prioritizing and fixing known vulnerabilities can take time, leaving the runtime environment exposed.
- Security practitioners may be unaware of or miss supply chain attack vectors, creating a direct and uncontrolled link to production environments.
- Critical production configurations can still be overlooked in high-velocity, complex, and multi-vendor cloud environments.
- Zero-day vulnerabilities are possible, making it necessary to have a monitoring system in place for malicious incidents in production.
The study authors also said that simply scanning known malicious files and network communications and then blocking them and alerting security teams was not enough. Enterprises should also monitor for indicators of malicious behavior, such as unauthorized attempts to access sensitive data, attempts to hide processes by escalating privileges, and the opening of backdoors to unknown IP addresses.
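As an added illustration (not code from the report or the article) of the behavioural monitoring the authors recommend, the following Python turns the evasion patterns named above into checks over runtime telemetry: execution from /tmp-style scratch directories, executables that exist only in memory, privilege escalation through an unexpected binary, and egress to an IP outside a known range. The event format, the allowlists and the sample events are all constructed assumptions standing in for what a runtime agent would emit.

```python
"""Behavioural runtime checks for the evasion patterns the report lists.
Constructed process/network events stand in for an agent's telemetry."""
import ipaddress

# Constructed sample telemetry (not real data); one dict per event.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 101, "uid": 1000, "exe": "/usr/bin/curl"},
    {"type": "exec", "pid": 102, "uid": 1000, "exe": "/tmp/.cache/runner"},
    {"type": "exec", "pid": 103, "uid": 1000, "exe": "/memfd:stage (deleted)"},
    {"type": "setuid", "pid": 103, "from_uid": 1000, "to_uid": 0, "exe": "/memfd:stage (deleted)"},
    {"type": "setuid", "pid": 104, "from_uid": 1000, "to_uid": 0, "exe": "/usr/bin/sudo"},
    {"type": "connect", "pid": 103, "dst": "198.51.100.23", "dport": 4444},
    {"type": "connect", "pid": 101, "dst": "10.0.0.5", "dport": 443},
]

# Assumed site policy: scratch dirs nothing should execute from, binaries
# allowed to raise privileges, and the organisation's known egress ranges.
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
PRIV_ALLOWLIST = {"/usr/bin/sudo", "/usr/bin/su"}
KNOWN_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]

def is_memory_only(exe: str) -> bool:
    """On Linux, /proc/<pid>/exe resolves to '/memfd:...' for memfd-backed
    code and carries a ' (deleted)' suffix when the binary was unlinked;
    either way no file remains on disk for a scanner to inspect."""
    return exe.startswith("/memfd:") or exe.endswith(" (deleted)")

def check_event(ev: dict) -> list:
    """Return the names of every rule the event trips (empty if benign)."""
    hits = []
    if ev["type"] == "exec":
        if ev["exe"].startswith(SCRATCH_DIRS):
            hits.append("exec_from_scratch_dir")
        if is_memory_only(ev["exe"]):
            hits.append("memory_only_executable")
    elif ev["type"] == "setuid":
        if ev["from_uid"] != 0 and ev["to_uid"] == 0 and ev["exe"] not in PRIV_ALLOWLIST:
            hits.append("unexpected_privilege_escalation")
    elif ev["type"] == "connect":
        dst = ipaddress.ip_address(ev["dst"])
        if not any(dst in net for net in KNOWN_EGRESS):
            hits.append("egress_to_unknown_ip")
    return hits

def triage(events: list) -> dict:
    """Map pid -> sorted list of tripped rules; pids with no hits are omitted,
    so a process tripping several rules at once stands out for escalation."""
    findings = {}
    for ev in events:
        for rule in check_event(ev):
            findings.setdefault(ev["pid"], set()).add(rule)
    return {pid: sorted(rules) for pid, rules in findings.items()}

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS).items():
        print(pid, rules)
```

In the constructed sample, pid 103 trips three rules at once, which is the kind of correlated behaviour the authors argue file and network blocklists alone would miss.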