Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Move Over, APTs -- The RAM-Based Advanced Volatile Threat Is Spinning Up Fast

By attacking random access memory, AVT creators make their exploits less persistent -- and harder to detect

For security pros, the advanced persistent threat (APT) has become a term as everyday as virus or Trojan horse. But as defenders become increasingly wise to the APT, experts say, attackers are now trying a new approach: the advanced volatile threat (AVT).

An AVT is an attack on random access memory (RAM), rather than stored data or applications, according to John Prisco, CEO of Triumfant, a security vendor that has been studying the trend in recent months and coined the term.

"AVTs are those attacks that target processes running in active memory and therefore are not persistent, as APTs are," Prisco says. "They're attacks on RAM that won't be detected by analyzing stored data or known threats. They are there, and then they're gone when you turn your machine off, sometimes even before you turn your machine off."

There's nothing new about RAM-level hacks -- RAM scraping was flagged by the SANS Institute as one of the industry's most dangerous attacks in 2011 -- but such exploits have been unusual, even rare, in recent years. Triumfant now has data to suggest these attacks are becoming more mainstream.

"We see it mostly in the classified work we do -- government and defense stuff," Prisco says. "But we now see it in as many as 10 percent of the attacks we detect."

Experts attribute the rise in RAM-based attacks to the increasing use of the Web for cyberespionage, where attackers are looking to collect specific data quickly, with a minimum of risk of being caught.

"In-memory attacks, or advanced volatile attacks, are most effective in targeted attacks against a particular organization, where an attacker's goal isn't persistence, but is instead to exfiltrate information from a network," says Joe DeMesy, senior analyst at security consulting firm Stach & Liu.

"The traditional goal of viruses, such as botnets, is to control a system for a long period of time in order to consume a portion of its resources, such as computation or bandwidth. Such a goal requires persistence on disk," DeMesy observes. Such persistent exploits are the hallmark of the APT and characterize sophisticated attacks such as Stuxnet and Flame.

AVTs, on the other hand, are designed to act more like cat burglars, sneaking into the target system for a single theft and escaping without being detected.

"If an attacker only wants to obtain documents from a network drive accessible from a workstation, there is no need to ever write information to disk," DeMesy observes. "I see increasing popularity in advanced volatile attacks related to the rise of corporate espionage."

Mandiant's report earlier this week on the Chinese hacker group APT1 exposed the exploits of sophisticated attackers and backtracked them to their source, Prisco observes. "It showed how lazy the APT developers have become because they didn't think they'd ever get caught. But now, after that report, attackers are going to become a lot more careful and a lot more worried about attribution."

And that concern, Prisco says, could drive more attackers to drop their APT strategies and turn to AVTs instead. "The AVT is going to be attractive to sophisticated attackers because it's there, and it's gone," he says. AVTs take a bit more effort, Prisco observes, because they only work once, but attackers who are highly concerned about attribution will likely be willing to do the extra work.

Using an AVT is no guarantee against detection, DeMesy says. "Detection of advanced volatile attacks is extremely difficult, even when best practices are followed," he says. "However, you may be able to detect what the attackers are trying to do. Internal honeypots are an excellent way to entice attackers to reveal their presence. Attackers employing advanced volatile attacks are looking to get in and out of a network quickly, bringing with them as much information as possible, so seemly vulnerable targets, such as a honeypot, are a prime target."

Prisco says Triumfant's technology has spotted the rise of AVTs because it does active scanning of endpoint devices using onboard agents, rather than scanning networks or stored memory for known malware or suspicious behavior. "Putting an agent on every device is not a trivial task," he concedes, "but in the long run, it's the only way to detect an attack like this while it's still happening."

And you don't have to be a genius to launch an AVT, experts say. DeMesy notes that the industry-standard backdoor Meterpreter, part of the Metasploit framework, operates by default as an in-memory-only backdoor. "There is little to no barrier of entry to perform these types of attacks," he says.

With ready-made templates such as Meterpreter available, will AVTs become a mainstream attack? Prisco thinks so.

"The Mandiant report changes things," he says. "Attackers now know that attribution is possible. They don't want to leave a trail. Today, APTs are the sophisticated exploit of choice, but I think there's a good chance that in the not-too-distant future, things will flip-flop and AVTs will become the norm."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
AMoss
50%
50%
AMoss,
User Rank: Guru
3/3/2013 | 7:23:38 PM
re: Move Over, APTs -- The RAM-Based Advanced Volatile Threat Is Spinning Up Fast
Memory monitoring/prevention has been around for quite awhile.- While it's not common for malware to not drop anything to disk...it's still not 'new'.- More than anything, this appears to be a vendor that is attempting to coin a term on which they can then capitalize.- Prisco thinking that the term term 'Persistent' in Advanced Persistent Threat has anything to do with memory or disk is a very accurate indicator of his understanding of the security landscape.
Eirik
50%
50%
Eirik,
User Rank: Apprentice
2/25/2013 | 4:13:12 PM
re: Move Over, APTs -- The RAM-Based Advanced Volatile Threat Is Spinning Up Fast
Another motivator for RAM-only, ever-more AV products are focusing on post-infection detection because malware kits easily alter the signature of an outbound sample. -So, AV products are increasingly looking for files stored on the hard drive. Add to this the community-based mechanisms where a newly detected signature discovered post-infection is reported to the rest of the community. -Bad news for the initial folk infected but the community can benefit. -Enter RAM-only, post-infection detection must adapt.
Larry Seltzer - UBM Tech
50%
50%
Larry Seltzer - UBM Tech,
User Rank: Apprentice
2/23/2013 | 3:01:42 PM
re: Move Over, APTs -- The RAM-Based Advanced Volatile Threat Is Spinning Up Fast
Theoretically, if least-privilege were used aggressively, threats might be limited even in what RAM then access. Alas, this seems to be much harder to do in the real world than in theory, but I'm still tempted to think that this problem is properly attributed, in part, to failure to adhere to best practices.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18575
PUBLISHED: 2019-12-06
Dell Command Configure versions prior to 4.2.1 contain an uncontrolled search path vulnerability. A locally authenticated malicious user could exploit this vulnerability by creating a symlink to a target file, allowing the attacker to overwrite or corrupt a specified file on the system.
CVE-2019-11293
PUBLISHED: 2019-12-06
Cloud Foundry UAA Release, versions prior to v74.10.0, when set to logging level DEBUG, logs client_secret credentials when sent as a query parameter. A remote authenticated malicious user could gain access to user credentials via the uaa.log file if authentication is provided via query parameters.
CVE-2019-16771
PUBLISHED: 2019-12-06
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97....
CVE-2019-1551
PUBLISHED: 2019-12-06
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are n...
CVE-2019-16671
PUBLISHED: 2019-12-06
An issue was discovered on Weidmueller IE-SW-VL05M 3.6.6 Build 16102415, IE-SW-VL08MT 3.5.2 Build 16102415, and IE-SW-PL10M 3.3.16 Build 16102416 devices. Remote authenticated users can crash a device with a special packet because of Uncontrolled Resource Consumption.