
Attacks On Volatile Memory Can Be Detected, Researchers Say

In-memory attacks create processing delays that give hackers away, Triumfant research says

Elusive attacks on a computer's volatile memory can be detected through a detailed analysis of processor behavior, according to new research.

Researchers at security vendor Triumfant have discovered that in-memory attacks create a significant delay in system calls that is typically beyond the normal variance of processing time. The ability to detect such attacks -- which have generally eluded most security tools because they attack data that is not stored -- could enable enterprises to interrupt the attacks before they can do any damage, Triumfant says.

"There's a temporal dimension to in-memory attacks that is detectable," says John Prisco, CEO of Triumfant. "We're seeing delays in system calls that are two or three times the norm, and it's possible to isolate those processes and shut them down."

In-memory attacks, recently referred to as advanced volatile threats (AVTs), enable an attacker to access a computer's random access memory (RAM) or other volatile memory processes to redirect a computer's behavior. AVTs allow attackers to steal data or insert malware, but because they are never stored in long-term memory, they can be difficult to detect.

Industry experts suspect that in-memory attacks are on the increase because they evade the prevalent defenses that rely on attack signatures and malware behavior analysis. Oded Horovitz, CEO and founder of security firm PrivateCore, last month presented his company's findings on server in-memory attacks (PDF) and recommended tools for encrypting such data.

"Hacking hasn't changed," said Daniel Clemens, owner of Packetninjas, in a recent Dark Reading report on low-level memory threats. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

So far, however, there is little industry data to back up experts' suspicions about in-memory threats because most security analysis tools focus on stored data. Triumfant hopes its new research will help identify in-memory attacks and provide trend data over time.

"So far, we've only tested it in our own environment, but we've been able to see a clear pattern," Prisco says. "System calls that take 20 or 25 milliseconds consistently go up to 50 milliseconds or more when there's an in-memory attack. When you have processing delays like that -- delays that are two or three deltas beyond the norm -- then you know that something is not right."
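The timing signal described above can be sketched as a baseline-and-deviation check. This is an added example, not Triumfant's code or method: the function names, the 2x ratio, the median/MAD baseline and the 4-of-5 window are assumptions chosen to mirror the article's "two or three times the norm" and "consistently" wording, and the latency samples are constructed.

```python
from collections import deque
from statistics import median


def delay_threshold_ms(baseline_ms, ratio=2.0, k=3.0):
    """Latency above which a call counts as 'slow' for this baseline.

    Assumed rule: the call must exceed both `ratio` times the baseline
    median and the median plus k robust standard deviations, so a naturally
    jittery call needs a larger delay before it is counted.
    """
    med = median(baseline_ms)
    mad = median(abs(x - med) for x in baseline_ms)
    # 1.4826 * MAD approximates the standard deviation for near-normal data.
    return max(ratio * med, med + k * 1.4826 * mad)


def first_sustained_delay(baseline_ms, observed_ms, window=5, min_hits=4):
    """Return the index at which min_hits of the last `window` calls were
    slow, or None. Requiring a run of slow calls keeps one-off spikes
    (paging, scheduler contention) from raising an alert."""
    threshold = delay_threshold_ms(baseline_ms)
    recent = deque(maxlen=window)
    for i, latency in enumerate(observed_ms):
        recent.append(latency > threshold)
        if sum(recent) >= min_hits:
            return i
    return None


# Constructed per-call latencies in milliseconds for one system call.
BASELINE = [22, 21, 24, 20, 23, 25, 22, 21, 24, 23]   # known-good host
NOISY = [23, 70, 22, 24, 21, 25, 66, 23, 22, 24]      # isolated spikes only
SUSTAINED = [23, 22, 52, 55, 24, 51, 58, 53, 50, 56]  # delay that persists

if __name__ == "__main__":
    print("threshold (ms):", delay_threshold_ms(BASELINE))
    print("noisy trace alert index:", first_sustained_delay(BASELINE, NOISY))
    print("sustained trace alert index:",
          first_sustained_delay(BASELINE, SUSTAINED))
```

A baseline like this has to be collected per system call and per host class, since the article's figures come from a single test environment.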

Triumfant is also working on a way to identify the memory objects responsible for the delays and remove them before they can execute, Prisco says.

"These in-memory attacks are going to become more attractive to the bad guys as conventional malware detection tools get better," Prisco predicts. "It's a way to execute the same attacks without being detected."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

