Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

May 6, 2019, Byron V. Acohido’s interview with Willy Leichter and Shauntinez Jakab with Virsec.
Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads – undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

The Last Watchdog (LW): Can you frame this new class of hacking?

Leichter: The common thread is attacks that are targeting memory; targeting applications while they’re running, as opposed to when something is sitting on a disk, or a bad file comes in. It turns out there are a lot of gaps, a lot of ways to manipulate applications into going off the rails and doing bad things. This is what the hackers are exploiting.

LW: Why is this happening?

Jakab: We spent most of our time protecting the perimeter, and we didn’t put a heavy concentration on protecting the full application stack. And as skill sets evolved, so did hackers’ skill sets. Attackers are getting more active, and targeting more, eliminating the middle man, which is you and I. They’re going directly for the application itself, using trusted tools that are left open to them.

Leichter: A lot of very advanced hacking tools came out of research labs at the NSA, and other places, and they are now in the hands of nation states, and even independent criminal hackers. This has really raised the stakes, as they’ve begun to hit at a soft spot in our defenses that really has not been covered before.

LW: Why has memory emerged as a vector of choice?

Jakab: What’s going on today is that we’ve accelerated our software development processes. Big companies have their own DevOps teams that turn out new application functionalities and capabilities very quickly . . . and they’re integrating these functionalities with other applications.

By adding components to integrate with other applications, holes are also being created. So, therefore, a person with knowledge of that can also leverage that same interface.

LW: To get to memory, which no one is watching?

Leichter: When your application is running it’s live in RAM and it’s a different beast as it’s executing. This all happens very quickly. There are a lot of things surrounding it; you have libraries, function calls and other processes that support the application. And a lot of these components can be corrupted in very subtle ways that change what the application is doing – while the application is running.

LW: How does stealth come into play?

Jakab: It’s multifaceted. When the attacker gets in, they build up their attack. They may jump around to different servers and do reconnaissance to figure out what other devices or resources are connected to that particular application. And they can access those things to hide in certain areas.
