A zero-day attack blogged by security vendor FireEye last week suggests that advanced persistent threat (APT) attacks may be migrating to more ephemeral memory-resident malware. FireEye said it suspects a nation-state was behind the attack, which targeted a nongovernmental think tank in the U.S. FireEye declined to name the organization, but said that it specializes in national and international security policy.
The attackers compromised the entity's website and used it to load into the memory of visitors' PCs a variant of malware called Hydraq/McRAT, which exploited a previously unknown vulnerability in Internet Explorer. Once the malware was loaded into a Windows PC, it would make contact with a command-and-control server and wait for instructions.
The attackers would then manually direct the software to find and download files, similar to how a person would use remote desktop software, said Darien Kindlund, manager of threat intelligence at FireEye. The hackers had to work quickly in order to get what they wanted before the infected system was shut down.
In using a memory-resident attack, hackers are choosing secrecy over the more automated tactic of planting malware on a hard drive, where it can search for information and upload data to a command-and-control server for months or even years. Such persistent malware can also be used to launch denial-of-service attacks against websites.
The downside of so-called persistent attacks is that they leave lots of information about the hackers' operation that forensics experts can use in defending against future attacks. There's also the possibility of discovering the source of the attack, as Mandiant did in February, tracing an attack on The New York Times' servers to the Chinese military.
Memory-resident attacks become a much better tactic when the attackers only want data and they are exploiting a zero-day vulnerability that they want to keep secret for as long as possible, Joseph DeMesy, senior analyst for security consulting firm Bishop Fox, said.
"If you need to get back into the system, you can just re-exploit it, and there's very little forensics evidence left if you never write anything to the hard drive," DeMesy said. "This technique has been around for a long time; we're just seeing it used more now.
"It's very difficult to prevent, and there are no great defenses right now for this type of attack, which is why it's very popular, especially in targeting specific corporations or individuals," DeMesy said.
Indeed, in the recent attack discovered by FireEye, the hackers had studied the access logs of the targeted website in order to determine who was visiting the site and when. Based on that information, they activated the exploit on the compromised site during times when they had the best chance of hacking the systems of specific groups of visitors, FireEye's Kindlund said.
A defensive technique used against such attacks is to set up a fake account or database entry, called a honeytoken in computer security. Because the account has no business use, a system administrator would know that any attempt to access it is likely the work of malware or an intruder.
Honeytokens are based on the same concept as a honeypot, in which fake vulnerabilities are built into websites in order to lure hackers and discover their attack techniques.
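One way to put the honeytoken idea above into practice, as an added example that is not part of the original article or any vendor's product: a small monitor scans database audit-log lines for any use of a decoy account and raises an alert per hit. The log format, account names and addresses are constructed assumptions for the example.

```python
"""Honeytoken access monitor (added example; log format and names are assumptions)."""
import re
from collections import Counter, namedtuple

# Decoy accounts planted as honeytokens. Nothing legitimate ever uses them,
# so any event naming them is a signal, whether the attempt succeeded or not.
HONEYTOKENS = {"svc_backup_ro", "finance_archive"}

# Constructed audit-log layout: "<timestamp> <src_ip> <event> user=<name> db=<db>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<event>\S+) user=(?P<user>\S+)"
)

Alert = namedtuple("Alert", "ts src event user")


def parse_line(line):
    """Return the parsed fields of one audit line, or None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_honeytoken_hits(lines, tokens=HONEYTOKENS):
    """Return one Alert for every log line that touches a honeytoken account.

    Failed logins are reported too: a failure against an account that has no
    business use still means someone obtained the decoy credential.
    """
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["user"] in tokens:
            alerts.append(Alert(rec["ts"], rec["src"], rec["event"], rec["user"]))
    return alerts


def hits_by_source(alerts):
    """Count alerts per source address, so a responder sees where to look first."""
    return dict(Counter(a.src for a in alerts))


# Constructed sample log: normal activity by 'alice', then a decoy account
# being tried, then used, from a single unexpected address (192.0.2.0/24 is
# a documentation range, not a real host).
SAMPLE_LOG = [
    "2013-02-26T09:14:02Z 10.0.0.15 LOGIN_OK user=alice db=hr",
    "2013-02-26T09:15:31Z 10.0.0.15 QUERY user=alice db=hr",
    "2013-02-26T11:02:07Z 192.0.2.44 LOGIN_FAIL user=svc_backup_ro db=finance",
    "2013-02-26T11:02:09Z 192.0.2.44 LOGIN_OK user=svc_backup_ro db=finance",
    "2013-02-26T11:02:40Z 192.0.2.44 QUERY user=svc_backup_ro db=finance",
    "garbled line that does not match the audit format",
]

if __name__ == "__main__":
    hits = find_honeytoken_hits(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT {a.ts} {a.src} {a.event} honeytoken={a.user}")
    print(hits_by_source(hits))
```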
Early this month, Rockville, Md.-based Triumfant added to its malware-detection software a module that the vendor says will find and stop in-memory attacks. Triumfant President and Chief Executive John Prisco said the technology was developed at the request of U.S. intelligence agencies, which he declined to name.
"They had been seeing a lot of these sorts of in-memory threats and suggested that we had the basis for a product that could most effectively deal with these," Prisco said.
Prisco believes the number of these attacks is growing because of the Mandiant disclosure and the embarrassment it can bring to nation-states behind such attacks.
"Those adversaries are now going to get stealthier, and the best way to be stealthy is to not leave fingerprints," Prisco said.
Along with government agencies, Triumfant has seen memory-based attacks against companies in the oil and gas industry, financial services and the media, Prisco said. The latter have become targets for information on sources of articles critical of foreign regimes.
While many attacks originate from China and Russia, they are also starting from much smaller countries.
"It doesn't take a lot of people to come up with a very targeted attack and a very sophisticated attack," Prisco said. "This is sort of a leveling of the playing field for many countries."