Runtime Attacks In-Memory Require a Different Response
Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Why Should You Care About In-Memory Attacks?

Posted by Morphisec Team on October 24, 2024
Find me on:

Despite increasing investment in cybersecurity, cybercrime is surging. Every day attacks cripple healthcare providers, shut down educators, and disrupt financial/insurance services firms, manufacturing firms, law firms, and software companies to the point of risking closure. This is in large part because attacks have been changing, while defenses haven’t.

Today’s malware increasingly executes runtime attacks in memory. In 2023 and 2024, several high-profile zero-day vulnerabilities involved memory corruption, such as those in the Windows Scripting Engine, which allowed remote code executions. In fact, memory corruption is often exploited in advanced attacks, particularly by threat actors that deploy sophisticated malware and ransomware. According to recent findings, memory corruption accounted for roughly 19.5% of “known exploited” vulnerabilities in 2023.For defenders relying on detection-based solutions for these types of attacks, this is a big problem. 

Zero Trust and Moving Target Defense White Paper

Not so long ago, almost all malware relied on executables. Threat actors installed malicious software on disk in their victim's environment. This malware would interact with infected machines or talk to a command and control (C2) server through function calls, system events, or messages.  

Malware used to predominantly rely on executables. But no longer.

Traditional Detection and Response Works Well—Up to a Point 

However, this malicious software leaves behind evidence of its existence, whether on a server or compromised endpoint. Defenders can rely on tools like endpoint protection platforms (EPP), endpoint detection and response (EDR/XDR), and antivirus (AV) to spot telltale signs of malware deployment. Finding these attack patterns and signatures is what cybersecurity technology evolved to do—detecting and isolating threats before they could do real damage.  

But with attack chains now going in-memory, they offer little in the way of signatures to detect or behavior patterns to analyze. Traditional malware attacks haven't gone away. It's just that more threats are targeting device memory during runtime, to which traditional defenders have only limited visibility.

It's estimated that over 53% of the major zero-day vulnerabilities tracked by security firms involved issues like memory corruption or improper access control, underscoring their prevalence in modern attack vectors.

In-memory attacks can be installed with or without associated files, and work in the space between when an end user starts an application and turns it off. Runtime attacks like Emotet, Jupyter, Cobalt Strike, and supply chain attacks can move around inside a victim's environment. 

These threats don't typically leave a recognizable imprint on a device disk. Evidence of these threats can eventually appear as alerts on a signature-based solution. This includes security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions. But by then it's usually too late for defenders to do anything. 

Stealthy and powerful, application runtime attacks lay the ground for ransomware deployment and data exfiltration.  

In-Memory Threats Are Everywhere 

As a feature of fileless malware, complete in-memory attack chains first started appearing in the mid-2010s. The notorious Angler Exploit Kit, known for its unique obfuscation, empowered cybercriminals to exploit web browser vulnerabilities for a monthly fee. In 2015 alone, cybercriminals using Angler stole and extorted $34 million from their victims.  

In recent years, memory compromises have surged. Threat actors are using tools like Cobalt Strike—a legitimate pentesting solution—to maliciously load a communications beacon from device memory. Between 2019 and 2020, cyberattacks using Cobalt Strike increased by 161 percent. It's commonly used by Conti, the most successful ransomware group in operation today, pulling in $180 million in revenue in 2021.

Cobalt Strike is often used for in-memory runtime attacks

To evade traditional signature and behavior-focused security solutions, threat actors now create malware that targets runtime in-memory and hijacks legitimate processes. 

 

You Can’t Scan Device Memory at Runtime 

What happens in device memory during an application's runtime is mostly invisible to defenders. To understand why, think about how a solution might try and scan an application while someone is using it.  

A solution would have to 1) scan device memory multiple times during the lifetime of the application while 2) listening to the correct triggering operations and 3) find malicious patterns to catch an attack in progress. The biggest obstacle to doing these three things is scale. In a typical application's runtime environment, there might be 4GB of virtual memory. It's not possible to scan this volume of data frequently enough, at least not without slowing down the application so much as to make it unusable. So, a memory scanner can only look at specific memory regions, at specific timeline triggers, for very specific parameters—all assuming the memory state is stable and consistent.  

With such a limited scope, a memory scanning-focused solution might, in a best-case scenario, see between three to four percent of application memory. But threats increasingly use polymorphism to obfuscate their presence, even in-memory. This means catching malicious activity in such a small sample of device memory would be miraculous. Compounding this problem, attacks now bypass or tamper with the hooks most solutions use to spot attacks in progress.  

 Unsurprisingly, remote access trojans (RATs), infostealers, and loaders now use application memory to hide for extended periods of time. The average time an attacker lingers in a network is around 11 days. For advanced threats like RATs and info stealers, this figure is closer to 45 days 

Both Windows and Linux Applications Are Targets 

In memory compromise is not a single type of threat. Instead, it's a feature of attack chains leading to a wide range of outcomes. For example, ransomware is not necessarily associated with memory runtime attacks. But to deploy ransomware, threat actors usually must infiltrate networks and escalate privileges. These processes tend to happen in memory at runtime.  

Ransomware often uses in-memory runtime attacks to gain access

The standard approach to cybersecurity is to detect attacks in progress or after being breached. This puts every type of organization and IT asset at risk from "invisible" runtime attacks. Morphisec’s incident response team has seen in-memory compromise used in situations ranging from servers in financial institutions to endpoints in hospitals and everything in between.  

These threats don’t just target memory processes on Windows servers and devices. They also target Linux. In industries like finance, where Linux is used to power virtualization platforms and networking servers, there’s been a violent surge in attacks. Attacks often compromise business-critical servers in-memory to set the stage for information theft and data encryption.  

New call-to-action

Preventing In-Memory Runtime Attacks 

In-memory runtime attacks are some of the most advanced, disruptive attacks there are. And they're not just targeting businesses, they’ve now held entire governments hostage. So it’s vital for defenders to focus on stopping threats against application memory during runtime. It's no good focusing exclusively on detection; in-memory and fileless malware is effectively invisible. Traditional security techniques that erect a wall around protected assets and rely on detecting malicious activity don't stop polymorphic and dynamic threats.  

In-memory attacks require Defense-in-Depth

Instead, ensure effective Defense-in-Depth with a security layer that prevents memory compromise in the first place. This is what Automated Moving Target Defense (AMTD) technology does. AMTD creates a dynamic attack surface that even advanced threats can’t penetrate, by morphing (randomizing) application memory, APIs, and other operating system resources during runtime. Effectively it continuously moves the doors to a house while leaving fake doors behind in their place, which trap malware for forensic analysis. Even if a threat actor could find a door to the building—it wouldn’t be there when they return. So, they can’t reuse an attack on the same endpoint, let alone on other endpoints.   

Rather than detecting attacks after they’ve happened, AMTD technology blocks attacks preemptively, without needing signatures or recognizable behaviors. And it does so without affecting system performance, generating false positive alerts, or requiring added headcount to run.

 

Guarding Against Fileless and In-Memory Ransomware Attacks

Ransomware attacks are increasingly leveraging advanced techniques like fileless and in-memory methods to bypass traditional defenses.

Morphisec introduced the Anti-Ransomware Assurance Suite, a proactive solution designed to minimize exposure to cyber risks and preemptively defend against advanced threats. This innovative suite, powered by AMTD, equips organizations with adaptive, multi-layered protection specifically targeting ransomware attacks. 

 As a first-of-its-kind solution, it combines anti-ransomware capabilities with Continuous Threat Exposure Management (CTEM) into a unified defense strategy, offering a comprehensive approach to preemptively mitigate ransomware risks—and catch evasive fileless and in-memory attacks that other solutions miss.

Learn more and book a demo today to see the Anti-Ransomware Assurance Suite in action. 

Get a Demo of Morphisec