Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Attacks On Volatile Memory Can Be Detected, Researchers Say

In-memory attacks create processing delays that give hackers away, Triumfant research says

Elusive attacks on a computer's volatile memory can be detected through a detailed analysis of processor behavior, according to new research.

Researchers at security vendor Triumfant have discovered that in-memory attacks create a significant delay in system calls that is typically beyond the normal variance of processing time. The ability to detect such attacks -- which have generally eluded most security tools because they attack data that is not stored -- could enable enterprises to interrupt the attacks before they can do any damage, Triumfant says.

"There's a temporal dimension to in-memory attacks that is detectable," says John Prisco, CEO of Triumfant. "We're seeing delays in system calls that are two or three times the norm, and it's possible to isolate those processes and shut them down."

In-memory attacks, recently referred to as Advanced volatile threats (AVTs), enable an attacker to access a computer's random access memory (RAM) or other volatile memory processes to redirect a computer's behavior. AVTs allow attackers to steal data or insert malware, but because they are never stored in long-term memory, they can be difficult to detect.

Industry experts suspect that in-memory attacks are on the increase because they evade the prevalent defenses that rely on attack signatures and malware behavior analysis. Oded Horovitz, CEO and founder of security firm PrivateCore, last month presented his company's findings on server in-memory attacks (PDF) and recommended tools for encrypting such data.

"Hacking hasn't changed,” said Daniel Clemens, owner of Packetninjas, in a recent Dark Reading report on low-level memory threats. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

So far, however, there is little industry data to back up experts' suspicions about in-memory threats because most security analysis tools focus on stored data. Triumfant hopes its new research will help identify in-memory attacks and provide trend data over time.

"So far, we've only tested it in our own environment, but we've been able to see a clear pattern," Prisco says. "System calls that take 20 or 25 milliseconds consistently go up to 50 milliseconds or more when there's an in-memory attack. When you have processing delays like that -- delays that are two or three deltas beyond the norm -- then you know that something is not right."

Triumfant is also working on a way to identify the memory objects responsible for the delays and remove them before they can execute, Prisco says.

"These in-memory attacks are going to become more attractive to the bad guys as conventional malware detection tools get better," Prisco predicts. "It's a way to execute the same attacks without being detected."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
An HTTP Request Smuggling vulnerability in Pulse Secure Virtual Traffic Manager before 21.1 could allow an attacker to smuggle an HTTP request through an HTTP/2 Header. This vulnerability is resolved in 21.1, 20.3R1, 20.2R1, 20.1R2, 19.2R4, and 18.2R3.
PUBLISHED: 2021-05-14
Hexagon G!nius Auskunftsportal before allows SQL injection via the GiPWorkflow/Service/DownloadPublicFile id parameter.
PUBLISHED: 2021-05-13
Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
PUBLISHED: 2021-05-13
The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
PUBLISHED: 2021-05-13
Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...