{"id":94757,"date":"2023-06-30T17:04:52","date_gmt":"2023-06-30T17:04:52","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4127047"},"modified":"2023-06-30T17:04:52","modified_gmt":"2023-06-30T17:04:52","slug":"aqua-security-study-finds-1400-increase-in-memory-attacks","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=94757","title":{"rendered":"Aqua Security Study Finds 1,400% Increase in Memory Attacks"},"content":{"rendered":"<div id>\n<p>Analysis of 700,000 real-world attacks shows how memory attacks evade protections and suggests mitigations.<\/p>\n<\/div>\n<div id>\n<figure id=\"attachment_4127050\" aria-describedby=\"caption-attachment-4127050\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4127050\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/aqua-security-study-finds-1400-increase-in-memory-attacks.jpg\" alt=\"Cyber alert attack on the computer.\" width=\"1400\" height=\"935\"><figcaption id=\"caption-attachment-4127050\" class=\"wp-caption-text\">Image: tippapatt\/Adobe Stock<\/figcaption><\/figure>\n<p>Threat actors are honing their focus on exploits that evade detection and remain unnoticed within systems, according to <a href=\"https:\/\/info.aquasec.com\/2023-cloud-native-threat-report?utm_campaign=Threat%20Research\" target=\"_blank\" rel=\"noopener noreferrer\">Aqua Security\u2019s 2023 Cloud Native Threat Report<\/a>, which examined memory attacks in networks and software supply chains.<\/p>\n<p>The cloud native security firm\u2019s research arm, Nautilus, noted a 1,400% increase in memory attacks versus what the company reported in its <a href=\"https:\/\/blog.aquasec.com\/2022-cloud-native-threat-report-cyber-attacks\" target=\"_blank\" rel=\"noopener noreferrer\">2022 study<\/a>. 
According to Aqua Security, Nautilus analyzed 700,000 attacks over the six-month study period on its global network of honeypots.<\/p>\n<p>The Nautilus team reported that more than 50% of attacks focused on defense evasion and included masquerading techniques such as files executed from \/tmp, a location used to store temporary files. The attacks also involved obfuscated files or information, such as dynamic loading of code, which loads libraries \u2013 malicious in this case \u2013 into memory at runtime, leaving nothing on disk for file-based scanners to inspect.<\/p>\n<p>Assaf Morag, lead threat intelligence researcher for Aqua Nautilus, said the group\u2019s discovery of HeadCrab, a Redis-based malware that compromised more than 1,200 servers, shone a light on how memory attacks were evading <a href=\"https:\/\/help.ivanti.com\/iv\/help\/en_US\/isec\/94\/Topics\/Agentless_vs._Agent-based_Solutions.htm\" target=\"_blank\" rel=\"noopener noreferrer\">agentless solutions<\/a>, which monitor, patch and scan systems remotely. This is because, unlike agent-based systems, they are not installed on the client machines they monitor, Morag explained.<\/p>\n<p>\u201cWhen it comes to runtime security, only agent-based scanning can detect attacks like these that are designed to evade volume-based scanning technologies, and they are critical as evasion techniques continue to evolve,\u201d he said.<\/p>\n<h2 id=\"what\">What are memory attacks?<\/h2>\n<p>Memory attacks (often grouped with living-off-the-land and fileless attacks) abuse software, applications and protocols already present on the target system to perform malicious activity. 
As Jen Osborn, deputy director of threat intel at Palo Alto Networks Unit 42, explained, <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/what-are-fileless-malware-attacks\" target=\"_blank\" rel=\"noopener noreferrer\">memory attacks are hard to track<\/a> because they leave little or no trail on disk.<\/p>\n<ul>\n<li>Memory attacks don\u2019t require an attacker to place code or scripts on a system.<\/li>\n<li>Memory attacks are not written to disk and instead use built-in tools such as PowerShell and Windows Management Instrumentation, or the credential-dumping tool Mimikatz, to attack.<\/li>\n<\/ul>\n<p>\u201cThey\u2019re [launching memory exploits] because they are much harder to both detect and to find later, because a lot of times, they aren\u2019t kept in logs,\u201d Osborn said.<\/p>\n<p><strong>SEE: Palo Alto Networks\u2019 Prisma Cloud CTO Ory Segal discusses <a href=\"https:\/\/www.techrepublic.com\/article\/palo-alto-networks-ory-segal-securing-code-cloud\/\">code to cloud security<\/a> (TechRepublic)&nbsp;<\/strong><\/p>\n<p>In a 2018 blog, Josh Fu, currently director of product marketing at endpoint management software company Tanium, explained that <a href=\"https:\/\/blogs.blackberry.com\/en\/2018\/06\/memory-attacks-are-on-the-rise-how-to-stop-them\" target=\"_blank\" rel=\"noopener noreferrer\">memory attacks aim to feed instructions into, or extract data from, RAM or ROM<\/a>. Unlike attacks that leave artifacts in file directories or registry keys, memory attacks are hard to detect, even for antivirus software that scans files on disk.<\/p>\n<p>Fu noted that memory attacks typically operate as follows:<\/p>\n<ol>\n<li>First, a script or file gets onto the endpoint. 
It evades detection because it looks like a set of instructions, instead of having typical file features.<\/li>\n<li>Those instructions then get loaded into the machine\u2019s memory.<\/li>\n<li>Once they execute, attackers use the system\u2019s own tools and resources to carry out the attack.<\/li>\n<\/ol>\n<p>Fu wrote that defenders could help prevent and mitigate memory attacks by:<\/p>\n<ul>\n<li>Staying up to date on patching.<\/li>\n<li>Blocking websites running Flash, Silverlight or JavaScript, or blocking these from running on sites that request they be enabled.<\/li>\n<li>Restricting usage of macros in documents.<\/li>\n<li>Studying this paper on <a href=\"https:\/\/www.sans.org\/white-papers\/36780\/\" target=\"_blank\" rel=\"noopener noreferrer\">how attackers use Mimikatz to extract passwords<\/a>.<\/li>\n<\/ul>\n<h2 id=\"uncovered\">Cloud software supply chain vulnerabilities uncovered<\/h2>\n<p>The Aqua Nautilus report, which also looked at cloud software supply chain risks including misconfigurations, observed that actors are exploiting software packages and using them as attack vectors. For example, the researchers described a logical flaw they called \u201cpackage planting\u201d that allows attackers to disguise malicious packages as legitimate code.<\/p>\n<p>In addition, the researchers reported a vulnerability in all Node.js versions that could allow the embedding of malicious code into packages, resulting in privilege escalation and malware persistence in Windows environments.<\/p>\n<p>The firm reported that the top 10 vulnerabilities identified across its global network in 2022 (excluding Log4Shell, which was overwhelmingly high compared to the rest) were mostly related to the ability to conduct remote code execution. 
\u201cThis reinforces the idea that attackers are looking for initial access and to run malicious code on remote systems,\u201d said the authors (<strong>Figure A<\/strong>).<\/p>\n<p><strong>Figure A<\/strong><\/p>\n<figure id=\"attachment_4127053\" aria-describedby=\"caption-attachment-4127053\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-4127053\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/aqua-security-study-finds-1400-increase-in-memory-attacks-1.jpg\" alt=\"The top 10 vulnerabilities in 2022.\" width=\"800\" height=\"1105\"><figcaption id=\"caption-attachment-4127053\" class=\"wp-caption-text\">The top 10 vulnerabilities scanned in 2022. Image: Aqua Nautilus.<\/figcaption><\/figure>\n<h2 id=\"runtime\">Protection of the runtime environment is critical<\/h2>\n<p>Workloads at runtime, where code executes, are an increasingly popular target for memory attacks by threat actors looking to steal data or disrupt business operations, according to the report.<\/p>\n<p>The authors said that fixing vulnerabilities and misconfigurations in source code is necessary but not sufficient, and that the runtime environment needs its own protection because:<\/p>\n<ul>\n<li>It can take time to prioritize and fix known vulnerabilities, which can leave runtime environments exposed.<\/li>\n<li>Security practitioners may be unaware of or miss supply chain attack vectors, creating a direct and uncontrolled link to production environments.<\/li>\n<li>Critical production configurations may still be overlooked in high-velocity, complex and multi-vendor cloud environments.<\/li>\n<li>Zero-day vulnerabilities are likely, making it essential to have a monitoring system in place for malicious events in production.<\/li>\n<\/ul>\n<p>The study\u2019s authors also said that merely scanning for known malicious files and network communications and then blocking them and alerting security teams wasn\u2019t enough. 
Enterprises should also monitor for indicators of malicious behavior, such as unauthorized attempts to access sensitive data, attempts to hide processes while elevating privileges and the opening of backdoors to unknown IP addresses.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Analysis of 700,000 real-world attacks shows how memory attacks evade protections and suggests mitigations. Image: tippapatt\/Adobe Stock Threat actors are honing their focus on exploits that evade detection and remain unnoticed within systems, according to Aqua Security\u2019s 2023 Cloud Native Threat Report, which examined memory attacks in networks and software supply chains. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":94758,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,788,783,56,287,27],"tags":[],"class_list":["post-94757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cloud","category-cloud-security","category-cloudsync","category-cybersecurity","category-security","category-software"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/94757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94757"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/94757\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\
/v2\/media\/94758"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
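The article makes two runtime-detection points without showing what a check looks like: the Nautilus finding that evasive attacks execute from /tmp and load code into memory with no file behind it, and the closing recommendation to watch for behavioral indicators (hidden processes elevating privileges, sensitive-file access, outbound connections to unknown IPs) rather than only known-bad files. The following is an added example written for this page; it is not code from Aqua Nautilus, TechRepublic or the report. It runs a small rule set over a process snapshot of the kind an agent would collect from /proc on Linux. The snapshot records, the field names (exe, maps, euid, ...), the egress allowlist and the list of programs allowed to read /etc/shadow are all constructed for the example and are assumptions, not real captures or a standard policy.

```python
"""Runtime indicators of evasive / memory-resident execution on Linux.

Added example for this page (not Aqua's or TechRepublic's code). Each Proc
record stands in for what an agent would read from /proc/<pid>/{comm,exe,
maps,fd} plus its socket table; the sample records below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Files whose reads by anything but the listed programs deserve an alert
# (assumed policy for the example).
SENSITIVE_FILES = {"/etc/shadow", "/root/.ssh/id_rsa"}
SENSITIVE_READERS = {"sshd", "sudo", "login", "unix_chkpwd"}
# Assumed egress allowlist for this workload.
EGRESS_ALLOW = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]
# An executable or library with no backing file: /proc/<pid>/exe or a maps
# entry that points at a memfd, or at a file unlinked after it was mapped.
NO_BACKING_FILE = re.compile(r"^/memfd:|\(deleted\)$")
# Real kernel threads have no exe link; a user process using such a name
# is masquerading.
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_)")


@dataclass
class Proc:
    pid: int
    comm: str                   # /proc/<pid>/comm
    exe: str                    # readlink(/proc/<pid>/exe); "" for kernel threads
    uid: int                    # real uid
    euid: int                   # effective uid
    maps: List[str] = field(default_factory=list)         # backing paths of r-xp maps
    open_files: List[str] = field(default_factory=list)   # readlink(/proc/<pid>/fd/*)
    connections: List[str] = field(default_factory=list)  # remote IPs, established


def check_process(p: Proc, visible_pids: Set[int]) -> List[str]:
    """Return the indicator names that fire for one process snapshot."""
    hits = []
    if p.exe.startswith(TEMP_DIRS):
        hits.append("exec-from-temp-dir")
    if NO_BACKING_FILE.search(p.exe):
        hits.append("fileless-executable")
    if any(NO_BACKING_FILE.search(m) for m in p.maps):
        hits.append("in-memory-code-load")
    if KTHREAD_NAME.match(p.comm) and p.exe:
        hits.append("kernel-thread-masquerade")
    if p.pid not in visible_pids:
        # Present in the kernel view but missing from ps: hidden from user space.
        hits.append("hidden-from-ps")
        if p.euid == 0 and p.uid != 0:
            hits.append("hidden-process-privilege-escalation")
    if p.comm not in SENSITIVE_READERS and set(p.open_files) & SENSITIVE_FILES:
        hits.append("sensitive-file-access")
    for ip in p.connections:
        if not any(ipaddress.ip_address(ip) in net for net in EGRESS_ALLOW):
            hits.append("outbound-to-unlisted-ip")
            break
    return hits


def scan(procs: List[Proc], visible_pids: Set[int]) -> Dict[int, List[str]]:
    """Cross-view scan: `procs` comes from walking /proc directly, `visible_pids`
    from a user-space listing such as ps. Returns {pid: [indicators]} for
    processes with at least one hit."""
    findings = {}
    for p in procs:
        hits = check_process(p, visible_pids)
        if hits:
            findings[p.pid] = hits
    return findings


# Constructed snapshot (not a real capture); each record exercises one pattern
# from the text: a clean web server, a binary run from /tmp posing as a kernel
# thread and calling out to an unlisted IP, a service with a memfd-backed
# mapping, and a root shell hidden from ps that reads /etc/shadow.
SAMPLE_PROCS = [
    Proc(101, "nginx", "/usr/sbin/nginx", 33, 33,
         maps=["/usr/lib/x86_64-linux-gnu/libssl.so.3"], connections=["10.0.4.2"]),
    Proc(202, "kworker/u8:2", "/tmp/.x/kworker", 1000, 1000,
         maps=["/tmp/.x/kworker"], connections=["198.51.100.23"]),
    Proc(303, "redis-server", "/usr/bin/redis-server", 999, 999,
         maps=["/usr/bin/redis-server", "/memfd:payload (deleted)"]),
    Proc(404, "bash", "/usr/bin/bash", 1000, 0, open_files=["/etc/shadow"]),
]
SAMPLE_VISIBLE = {101, 202, 303}   # pid 404 is absent from the ps view

if __name__ == "__main__":
    for pid, hits in sorted(scan(SAMPLE_PROCS, SAMPLE_VISIBLE).items()):
        print(pid, ", ".join(hits))
```

The point of the cross-view comparison in `scan` is the one Morag makes about agents: the kernel-side walk of /proc and the socket table has to happen on the host, and a scanner that only sees files on disk has nothing to match against a memfd-backed mapping or a process hidden from ps. The signatures here are deliberately behavioral (where the code came from, who it runs as, what it touched, where it connected), so they keep firing when the payload bytes change.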