Despite increasing investment in cybersecurity, cybercrime is surging. Every day attacks cripple healthcare providers, shut down educators, and disrupt financial/insurance services firms, manufacturing firms, law firms, and software companies to the point of risking closure. This is in large part because attacks have been changing, while defenses haven’t. Today’s malware increasingly executes runtime attacks in memory. According to Microsoft, 70 percent of the vulnerabilities in Microsoft products are memory safety issues. PurpleSec found that for 2022, memory corruption is now the most common type of zero-day exploit, making up 67.55 percent of attacks. For defenders relying on detection-based solutions for these types of attacks, this is a big problem.
Not so long ago, almost all malware relied on executables. Threat actors installed malicious software on disk in their victim's environment. This malware would interact with infected machines or talk to a command and control (C2) server through function calls, system events, or messages.
Traditional Cybersecurity Works Well—Up to a Point
However, this malicious software leaves behind evidence of its existence, whether on a server or compromised endpoint. Defenders can rely on tools like endpoint protection platforms (EPP), endpoint detection and response (EDR/XDR), and antivirus (AV) to spot telltale signs of malware deployment. Finding these attack patterns and signatures is what cybersecurity technology evolved to do—detecting and isolating threats before they could do real damage.
But attack chains that now execute in memory offer little in the way of signatures to detect or behavior patterns to analyze. Traditional malware attacks haven't gone away. It's just that more threats are targeting device memory during runtime, into which traditional defenders have only limited visibility.
In-memory attacks can be installed with or without associated files, and operate in the window between when an end user starts an application and closes it. Runtime attacks like Emotet, Jupyter, Cobalt Strike, and supply chain attacks can move around inside a victim's environment.
These threats don't typically leave a recognizable imprint on a device disk. Evidence of these threats can eventually appear as alerts on a signature-based solution. This includes security information and event management (SIEM) or security orchestration, automation, and response (SOAR) solutions. But by then it's usually too late for defenders to do anything.
Stealthy and powerful, application runtime attacks lay the ground for ransomware deployment and data exfiltration.
In-Memory Threats Are Everywhere
As a feature of fileless malware, complete in-memory attack chains first started appearing in the mid-2010s. The notorious Angler Exploit Kit, known for its unique obfuscation, empowered cybercriminals to exploit web browser vulnerabilities for a monthly fee. In 2015 alone, cybercriminals using Angler stole and extorted $34 million from their victims.
In recent years, memory compromises have surged. Threat actors are using tools like Cobalt Strike—a legitimate pentesting solution—to maliciously load a communications beacon from device memory. Between 2019 and 2020, cyberattacks using Cobalt Strike increased by 161 percent. It's commonly used by Conti, the most successful ransomware group in operation today, pulling in $180 million in revenue in 2021.
To evade traditional signature and behavior-focused security solutions, threat actors now create malware that targets runtime in-memory and hijacks legitimate processes. Picus Labs’ 2021 Red Report mapped over 200,000 malware files to the MITRE ATT&CK framework.
“They found three of the five most prevalent attack methods last year happened in-memory.”
Memory compromise is now a typical feature of attack chains like that preceding Ireland’s national health service breach in 2021.
You Can’t Scan Device Memory at Runtime
What happens in device memory during an application's runtime is mostly invisible to defenders. To understand why, think about how a solution might try to scan an application while someone is using it.
A solution would have to 1) scan device memory many times over the lifetime of the application, 2) listen for the correct triggering operations, and 3) find malicious patterns, all in order to catch an attack in progress. The biggest obstacle to doing these three things is scale. In a typical application's runtime environment, there might be 4 GB of virtual memory. It's not possible to scan this volume of data frequently enough, at least not without slowing down the application so much as to make it unusable. So a memory scanner can only look at specific memory regions, at specific timeline triggers, for very specific parameters—all assuming the memory state is stable and consistent.
With such a limited scope, a memory scanning-focused solution might, in a best-case scenario, see between three and four percent of application memory. But threats increasingly use polymorphism to obfuscate their presence, even in memory. This means catching malicious activity in such a small sample of device memory would be miraculous. Compounding this problem, attacks now bypass or tamper with the hooks most solutions use to spot attacks in progress.
Unsurprisingly, remote access trojans (RATs), infostealers, and loaders now use application memory to hide for extended periods of time. The average time an attacker lingers in a network is around 11 days. For advanced threats like RATs and infostealers, this figure is closer to 45 days.
Both Windows and Linux Applications Are Targets
In-memory compromise is not a single type of threat. Instead, it's a feature of attack chains leading to a wide range of outcomes. For example, ransomware is not necessarily associated with memory runtime attacks. But to deploy ransomware, threat actors usually must infiltrate networks and escalate privileges. These processes tend to happen in memory at runtime.
The standard approach to cybersecurity is to detect attacks in progress or after being breached. This puts every type of organization and IT asset at risk from "invisible" runtime attacks. Morphisec’s incident response team has seen in-memory compromise used in situations ranging from servers in financial institutions to endpoints in hospitals and everything in between.
These threats don’t just target memory processes on Windows servers and devices. They also target Linux. Last year saw a malicious version of Cobalt Strike created by threat actors specifically for use against Linux servers. In industries like finance, where Linux is used to power virtualization platforms and networking servers, there’s been a violent surge in attacks. Attacks often compromise business-critical servers in-memory to set the stage for information theft and data encryption.
Preventing In-Memory Runtime Attacks
In-memory runtime attacks are some of the most advanced, disruptive attacks there are. And they're not just targeting businesses; they've now held entire governments hostage. So it's vital for defenders to focus on stopping threats against application memory during runtime. It's no good focusing exclusively on detection; in-memory and fileless malware is effectively invisible. Traditional security techniques that erect a wall around protected assets and rely on detecting malicious activity don't stop polymorphic and dynamic threats.
Instead, ensure effective Defense-in-Depth with a security layer that prevents memory compromise in the first place. This is what Moving Target Defense (MTD) technology does. MTD creates a dynamic attack surface that even advanced threats can’t penetrate, by morphing (randomizing) application memory, APIs, and other operating system resources during runtime. Effectively it continuously moves the doors to a house while leaving fake doors behind in their place, which trap malware for forensic analysis. Even if a threat actor could find a door to the building—it wouldn’t be there when they return. So they can’t reuse an attack on the same endpoint, let alone on other endpoints.
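To make the "moving doors and fake doors" idea concrete, here is a small added example in Python. It is not Morphisec's code and says nothing about how their product is built; it is a toy model constructed for this post. It assumes a process that exposes a handful of API entry points at fixed addresses (the constructed KNOWN_LAYOUT below, using real Windows API names purely as labels), relocates them to random pages at start-up and whenever morph() is called, and leaves every vacated address behind as a decoy that records whoever calls it. Code that resolves APIs by name at call time keeps working across morphs; code that cached the old addresses lands on a decoy and is trapped with a forensic record.

```python
"""Toy model of Moving Target Defense (MTD) over a process's API entry points.

Added example; not Morphisec's code and not a description of their product's
internals. Everything here is constructed for illustration: a process exposes
a few API entry points, MTD moves them to random pages at start-up (and on
demand), and every former address is left behind as a decoy that records
whoever calls it.
"""
import secrets

PAGE = 0x1000           # 4 KiB pages
SPACE_PAGES = 1 << 20   # 4 GB worth of pages, the figure the post uses

# Constructed sample: the fixed layout an adversary could learn offline and
# hard-code into a payload. The names are real Windows APIs used only as labels.
KNOWN_LAYOUT = {
    0x7FF0_1000: "VirtualAlloc",
    0x7FF0_2000: "LoadLibraryA",
    0x7FF0_3000: "GetProcAddress",
}


class DecoyHit(Exception):
    """Raised when a caller lands on a relocated (now fake) entry point."""


class MtdProcess:
    def __init__(self, known_layout, rng=secrets.randbelow):
        self._rng = rng
        self.names = list(known_layout.values())
        self._real = {}                    # current address -> API name
        self._decoys = dict(known_layout)  # stale address -> API it once held
        self._by_name = {}                 # API name -> current address
        self.alerts = []                   # forensic record of trapped calls
        self.morph()

    def morph(self):
        """Relocate every entry point; the addresses just vacated become decoys."""
        for name, addr in self._by_name.items():
            self._decoys[addr] = name
        self._real, self._by_name = {}, {}
        for name in self.names:
            addr = self._rng(SPACE_PAGES) * PAGE
            # Never reuse a live or decoy address, so a stale pointer can never
            # accidentally land on a real entry again.
            while addr in self._real or addr in self._decoys:
                addr = self._rng(SPACE_PAGES) * PAGE
            self._real[addr] = name
            self._by_name[name] = addr

    def resolve(self, name):
        """Look an API up by name at call time; this is what legitimate code does."""
        return self._by_name[name]

    def call(self, addr, caller="unknown"):
        """Transfer control to addr: a real entry returns its name, a decoy traps."""
        if addr in self._real:
            return self._real[addr]
        if addr in self._decoys:
            self.alerts.append({"caller": caller, "addr": addr,
                                "expected": self._decoys[addr]})
            raise DecoyHit(f"{caller} called stale {self._decoys[addr]} at {addr:#x}")
        raise ValueError(f"unmapped address {addr:#x}")


def legitimate_flow(proc):
    """Resolves each API by name first, so it keeps working after every morph."""
    return [proc.call(proc.resolve(n), caller="app") for n in proc.names]


def stale_address_flow(proc, cached):
    """Models code that hard-coded addresses from KNOWN_LAYOUT; returns trapped ones."""
    trapped = []
    for addr in cached:
        try:
            proc.call(addr, caller="payload")
        except DecoyHit:
            trapped.append(addr)
    return trapped


if __name__ == "__main__":
    proc = MtdProcess(KNOWN_LAYOUT)
    print("app:", legitimate_flow(proc))
    print("trapped:", [hex(a) for a in stale_address_flow(proc, KNOWN_LAYOUT)])
    for alert in proc.alerts:
        print("alert:", alert)
```

The point the model makes is the one in the paragraph above: a defender does not need a signature for the payload, because any code that relies on where things used to be reveals itself the moment it touches a decoy, and the `alerts` list is the forensic trail. Calling `morph()` again invalidates even addresses learned from the current run, so a door found once is not there on the return visit.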
Rather than detecting attacks after they’ve happened, MTD technology blocks attacks preemptively, without needing signatures or recognizable behaviors. And it does so without affecting system performance, generating false positive alerts, or requiring added headcount to run. To learn more about this revolutionary technology, read the white paper—Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.