Vulnerabilities / Threats
7/9/2013
07:12 AM
Dark Reading
Dark Reading
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

Below The Application: The High Risk Of Low-Level Threats

In-memory attacks and rootkits may hit your systems below the OS. Here are some tips to help your defense

Excerpted from "Below the Application: The High Risk of Low-Level Threats," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

In all of the publicity around application attacks, cloud security and virtualization, many experts in the security field have let lower-level, more direct system attacks fall by the wayside. While there may be a reason to relax a little, given the huge leaps forward in network and computer system security, there are many good reasons to continue to pay special attention to these types of attacks.

While we have secured the perimeter, hardened our operating systems and trued up our weakest points, low-level threats have evolved -- and become more and more sinister.

Even more disturbing is that we don't have a full understanding of these threats, not to mention that fact there is more funding and resources behind them than ever.

Delving into the details of what defines traditional low-level attacks, we find ourselves looking at the attack surface and its evolution during the last few decades. The one thing that hasn't changed is the exploitation life cycle that these attacks utilize.

Attack surfaces range from physical ports to virtual ports and from browsers to operating systems. Effectively, Anything that can process or be processed is going to effectively expand the attack surface of a given system. And with the expansion of USB 2.0, FireWire and other high-speed data transfer technologies, local attack surfaces are more vulnerable than ever.

"Hacking hasn't changed," says Daniel Clemens, owner of Packetninjas. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

He's right. The trend of focusing on the application has desensitized us to the more traditional threats that are still evolving.

"I think the downside we face is a false sense of security because many have been trained to abstract only to the 'web application level,'" he adds. "In the end, configuration, implementation and design flaws exist from the human endpoint to the structures pushed onto the stack in the CPU."

Applications also make it much easier for the notorious eighth layer--the users--to fall victim to drive-by downloads and spear phishing attacks that ultimately lead to low-level compromises.

For the purposes of differentiation, we have broken down attack types into categories: Advanced volatile threats (AVTs), memory attacks, advanced persistent threats (APTs), firmware attacks, and rootkits.

Originally coined by anti-malware vendor Triumfant, the term "advanced volatile threat" (AVT) refers to attacks made on a computer's volatile memory, such as RAM, which are dynamic and are never stored in long-term memory. Triumfant, whose highly-granular endpoint change management technology is able to detect such attacks, states that AVTs are becoming an increasingly popular attack vector, and Triumfant CEO John Prisco warns that AVTs may one day replace APTs as the most common form of obfuscated online attack.

AVTs are a new spin on (and almost the opposite in some ways of ) the traditional APT. Rather than write data to disk to maintain access and expand capabilities, an AVT will simply stay in memory and per form its malicious actions in that location entirely. By avoiding writes to disk, the AVT makes itself even harder to detect and a lot harder to perform forensic analysis on.

By staying in memory, the AVT will disappear on reboot or when it's overwritten, effectively leaving no trace at all. This presents challenges on both ends. Attackers don't get the persistence, so they would be required to re-exploit the system should they need access after the memory flush. At the same time, the lack of persistence makes it especially challenging to know you've even been attacked.

In most cases, the primary overall goal of the AVT will mirror that of the APT. AVTs, however, are considered more advanced due to the fact that they operate exclusively from RAM.

To read about other low-level attacks -- including memory attacks, APTs, firmware attacks, and rootkits -- and what you can do about them, download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.