Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/9/2013
07:12 AM
Dark Reading
Dark Reading
Quick Hits
50%
50%

Below The Application: The High Risk Of Low-Level Threats

In-memory attacks and rootkits may hit your systems below the OS. Here are some tips to help your defense

Excerpted from "Below the Application: The High Risk of Low-Level Threats," a new report posted this week on Dark Reading's Advanced Threats Tech Center.]

In all of the publicity around application attacks, cloud security and virtualization, many experts in the security field have let lower-level, more direct system attacks fall by the wayside. While there may be a reason to relax a little, given the huge leaps forward in network and computer system security, there are many good reasons to continue to pay special attention to these types of attacks.

While we have secured the perimeter, hardened our operating systems and trued up our weakest points, low-level threats have evolved -- and become more and more sinister.

Even more disturbing is that we don't have a full understanding of these threats, not to mention that fact there is more funding and resources behind them than ever.

Delving into the details of what defines traditional low-level attacks, we find ourselves looking at the attack surface and its evolution during the last few decades. The one thing that hasn't changed is the exploitation life cycle that these attacks utilize.

Attack surfaces range from physical ports to virtual ports and from browsers to operating systems. Effectively, Anything that can process or be processed is going to effectively expand the attack surface of a given system. And with the expansion of USB 2.0, FireWire and other high-speed data transfer technologies, local attack surfaces are more vulnerable than ever.

"Hacking hasn't changed," says Daniel Clemens, owner of Packetninjas. "We still have code, we still have data. Exploiting memory corruption vulnerabilities is effectively flipping data to code for creative execution."

He's right. The trend of focusing on the application has desensitized us to the more traditional threats that are still evolving.

"I think the downside we face is a false sense of security because many have been trained to abstract only to the 'web application level,'" he adds. "In the end, configuration, implementation and design flaws exist from the human endpoint to the structures pushed onto the stack in the CPU."

Applications also make it much easier for the notorious eighth layer--the users--to fall victim to drive-by downloads and spear phishing attacks that ultimately lead to low-level compromises.

For the purposes of differentiation, we have broken down attack types into categories: Advanced volatile threats (AVTs), memory attacks, advanced persistent threats (APTs), firmware attacks, and rootkits.

Originally coined by anti-malware vendor Triumfant, the term "advanced volatile threat" (AVT) refers to attacks made on a computer's volatile memory, such as RAM, which are dynamic and are never stored in long-term memory. Triumfant, whose highly-granular endpoint change management technology is able to detect such attacks, states that AVTs are becoming an increasingly popular attack vector, and Triumfant CEO John Prisco warns that AVTs may one day replace APTs as the most common form of obfuscated online attack.

AVTs are a new spin on (and almost the opposite in some ways of ) the traditional APT. Rather than write data to disk to maintain access and expand capabilities, an AVT will simply stay in memory and per form its malicious actions in that location entirely. By avoiding writes to disk, the AVT makes itself even harder to detect and a lot harder to perform forensic analysis on.

By staying in memory, the AVT will disappear on reboot or when it's overwritten, effectively leaving no trace at all. This presents challenges on both ends. Attackers don't get the persistence, so they would be required to re-exploit the system should they need access after the memory flush. At the same time, the lack of persistence makes it especially challenging to know you've even been attacked.

In most cases, the primary overall goal of the AVT will mirror that of the APT. AVTs, however, are considered more advanced due to the fact that they operate exclusively from RAM.

To read about other low-level attacks -- including memory attacks, APTs, firmware attacks, and rootkits -- and what you can do about them, download the free report.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11583
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-11584
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
CVE-2020-5770
PUBLISHED: 2020-08-03
Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.01 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5771
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious backup archive.
CVE-2020-5772
PUBLISHED: 2020-08-03
Improper Input Validation in Teltonika firmware TRB2_R_00.02.04.01 allows a remote, authenticated attacker to gain root privileges by uploading a malicious package file.