Workload and Application Security Blog

RCE (Remote Code Execution) Attacks Explained

Written by Virsec | Jun 16, 2021 5:26:31 PM

Nation-state actors are making a killing leveraging advanced attack techniques like remote code execution (RCE). If the attack on the SolarWinds supply chain or the Hafnium hack of the Microsoft Exchange server ring a bell, read on.

 

How Remote Code Execution Works

 

Attackers use remote code execution to infiltrate a system and run their code instead of the system’s legitimate code, and they can do this regardless of geographical location. Once inside, the attackers can open backdoors, trigger code remotely, steal data, disrupt services, affect operations, and install crypto mining software. Leveraging remote code execution, an attacker sitting in Russia, for example, could input malicious code on an enterprise-targeted device in the United States - undetected. 

Exploiting Application Vulnerabilities 

One of the most destructive types of exploitation vehicles for remote code execution is a vulnerability in an application. That vulnerability provides a doorway that the attacker can use to get into an environment where the application obligingly weaponizes the malicious code in-memory. Bad actors can utilize sophisticated exploit tools to elevate privileges, encrypt files, and establish remote channels back to the main control center.

Because most legacy server security focuses on protecting the perimeter, hackers have become adept at mixing their malicious code with benign traffic, gaining access, and roaming about undetected. 

The most destructive exploitation vehicle is a vulnerability in an application.

Billions of Dollars Spent on Cyber Defense, Only to Fail

Remote code execution as a technique has been around for a while, but effectively defending against it has been a challenge for almost all security vendors. However, as the New York Times aptly observed, we've spent billions on US cyber defenses and none of it seemed to work.

The attack on the SolarWinds supply chain revealed that bad actors were hiding in tens of thousands of systems for a year or more. There is no way to assess the situation as anything other than abject failure of cybersecurity.

The common consensus among industry leaders was that this attack was unprecedented, and since we've never seen this before, well – that’s why no one caught it. The inherent problem with this statement is that it is also an indicator of our mindset – that if we haven't seen it before, how can we possibly protect against it?

At Virsec, this mindset is one we want to both challenge and change. We need to fundamentally shift what we think of as possible for cybersecurity. We will continue to encounter attacks we have not seen before, and we cannot rely on prior knowledge to defend our systems.

An Infinite Problem 

Consider that there are nearly 350,000+ pieces of malware released each day. If the only way to combat them is to have prior knowledge of all 350,000+ each day, 365 days a year, clearly this is an unwinnable battle.

Vulnerabilities will continue to proliferate, and no amount of prior knowledge or threat-hunting will keep up. For every hour it takes a bad actor to create new malware, it takes many thousands of hours for cyber defenders to perform static and dynamic analysis on it to create an effective defense.

Relying on patching is a trailing indicator; it will not provide effective protection. It is a security strategy that is destined to fail because it’s an infinite problem. Instead of endlessly chasing bad, we need to focus on ensuring good.

We need to change the way the game is played. 

Conventional Weapons Are Insufficient

Conventional security tools can secure some IT infrastructure, but not all. WAFs, firewalls, end point detection and response are essential, but what happens if the attackers are already inside the system? Most of our legacy security focuses on the perimeter, and NIST implores us to assume the attackers are already inside the network.

Many security teams focus on network protection and authorization, but the most dangerous attacks, such as RCE, are executing undetected at the memory layer. Other technologies such as host-based IPS (HIPS), app control, file whitelisting, and server endpoint suites, all have significant limitations against memory-based attacks, and tend to produce large quantities of false positives.

File whitelisting is gaining popularity but can miss memory-based attacks that hijack legitimate applications that are allowed to run in a file whitelist environment. Furthermore, threat hunting tools and AI both require prior knowledge and can overlook an unidentified threat hiding in plain sight.

As a result, RCE attacks will continue unabated because our existing security tools are ineffective against them.


Don’t Underestimate the Enemy

Many conventional security vendors will have you believe that your adversary is repeatedly using the same techniques. This is a dangerous misconception. Assuming threat actors will continuously leverage the same techniques is naïve. Perhaps the unsophisticated attacker may do this, and in that case, relying on indicators of compromise may be sufficient.

However, we must assume our adversaries are well-funded, highly skilled, highly motivated, and highly effective. They will continue to create never-before-seen attack techniques, and they will keep hitting our systems, whether we are ready or not. The most successful attacks are happening at runtime, and we need to change our weaponry. 

“Detecting and blocking rogue processes in memory is one of the most important ways to secure servers.” – Aite Group

Runtime Protection Software

Application and software runtime defense has become the new security battleground. Most security tools protect before or after code execution, but not during. These tools have no visibility or control into runtime when code executes. Runtime therefore tends to be seen as a “black box,” and threat actors exploit this lack of protection with remote code execution exploits, advanced fileless and other evasive memory-based attacks.

\Protecting the Application Itself

Virsec Security Platform (VSP) approach to security is to protect the application itself, placing guardrails around its code as it executes during runtime. VSP maps all acceptable files, processes, libraries, input, container images, and memory usage associated with all application workloads in any environment. This fully automated process ensures that any deviation from normal is instantly detected, treated as a threat, and blocked.

Rather than trying to blacklist everything that is possibly bad, Virsec enforces good through a zero-trust approach – ensuring that applications never get derailed, regardless of threats, vulnerabilities, or patch status. VSP provides unparalleled in-memory and runtime protection and can detect and stop evasive attacks like RCEs within milliseconds, with zero-dwell time.

Virsec Security Platform protects the application itself, placing guardrails around its code as it executes.

Application-Aware Workload Protection

VSP provides application-aware workload protection that ensures comprehensive memory protection and runtime protection. Virsec’s patented technology is delivered via the following three application-aware components:

Memory Protection: leverages in-memory instrumentation to detect and protect when a workload starts executing attacker-provided shell code with strict application control, hardening, and configuration.

  • Web Protection: ensures visibility and runtime protection across the entire attackable surface by detecting attacks without prior knowledge to counter threats that challenge web filtering, data loss prevention, anti-malware, and bot defense services at runtime.  

  • Host Protection: minimizes the attack surface across server and container workloads by continuously ensuring the integrity of application systems and components with Virsec’s patented AppMap technology.

Additional Learning:

White Paper: The Need for Application-Aware Workload Protection

White Paper: Taxonomy of The Attack on SolarWinds and Its Supply Chain

Web page: Remote Code Execution Protection

Webinar: Defending Against Nation-State Attacks: Breaking the Kill Chain


Webinar: Stop the Kill Chain at the First Step: Effective Runtime Protection