12.04.2019

SHARED INTEL: How ‘memory attacks’ and ‘firmware spoilage’ circumvent perimeter defenses


What does Chinese tech giant Huawei have in common with the precocious kid next door who knows how to hack his favorite video game?

The former has been accused of placing hidden backdoors in the firmware of equipment distributed to smaller telecom companies all across the U.S. The latter knows how to carry out a DLL injection hack — to cheat the game score. These happen to represent two prime examples of cyber attack vectors that continue to get largely overlooked by traditional cybersecurity defenses.

Tech consultancy IDC tells us that global spending on security hardware, software and services is on course to top $103 billion in 2019, up 9.4 percent from 2018. Much of that will be spent on subscriptions for legacy systems designed to defend network perimeters or detect and deter malicious traffic circulating in network logs.

However, the threat actors on the leading edge are innovating at deeper layers. One security vendor that happens to focus on this activity is Virsec, a San Jose-based supplier of advanced application security and memory protection technologies. I had the chance to visit with Willy Leichter, Virsec’s vice president of marketing, at Black Hat 2019.

Willy Leichter with Virsec Application Protection

“There are multiple vectors, lots of different ways people can inject code directly into an application,” Leichter told me. “And now we’re hearing about new threats, throughout the whole supply chain, where there might be malware deeply embedded at the firmware level, or at the processor level, that can provide ways to get into the applications, and get into the data.”

For a full drill down of our discussion, give a listen to the accompanying podcast. Here are a few key takeaways:

Firmware exposures

Firmware is the code built into computing devices and components that carries out the low-level input/output tasks necessary to enable software applications to run. Firmware is on everything from hard drives, motherboards and routers to office printers and smart medical devices.

By embedding malware in firmware, threat actors are able to slip past legacy firewalls and intrusion detection and prevention systems. The Chinese are all over this. Bloomberg broke a huge story about how China managed to slip compromised firmware into the production line of several plants producing Supermicro motherboards.

And Federal Communications Commission member Geoffrey Starks has been raising Cain about Huawei distributing secretly coded firmware in equipment sold to U.S. telecom firms, presumably to enable cyber espionage and infrastructure attacks.

It’s not just new equipment supply chains that are of concern. Threat actors are also finding ways to corrupt firmware on computing components already out in the field, via firmware updates. We know about this thanks to researchers at FireEye who discovered hackers successfully modifying the firmware of certain types of Cisco routers, putting themselves in prime position to surveil the victim’s network and potentially move laterally to different machines.

Willy Leichter and Byron Acohido

Chip-level vulnerabilities

What’s more, there’s a new category of deep-level coding vulnerabilities that seems destined to get exploited. This came to light with the discovery of the Meltdown and Spectre vulnerabilities that exist in Intel processing chips.

It turns out that some shortcuts Intel took decades ago to increase the speed of processing chips mean that all of the processing chips in use today can be hacked in a number of different ways. Experts say the only way to completely eliminate this new class of chip-level vulnerabilities is to completely replace the current generation of processors with the next generation. This will take a decade or more to fully play out.

“No one ever thought these minor design quirks from 20 years ago could be a way to get in,” Leichter observes. “Although Spectre and Meltdown haven’t been widely exploited yet, at least as far as we know, you can see Intel and others scrambling. They’ve put thousands of people on this to try to correct what is a very difficult problem to correct, because you’ve got billions of processors out there. You can’t just change them overnight.”

More than 20 different variants of these processor level vulnerabilities have been disclosed since Spectre and Meltdown came to light. This introduces yet a deeper level of vulnerability patching that will need to get done, in fairly short order. The longer companies procrastinate, the more likely it is that opportunistic threat actors will find several ways to exploit processor chip vulnerabilities.

‘Weaponized at runtime’

At yet another deep-down layer, runtime, there already is a flurry of criminal activity. Runtime is the period a software program is open and running, with pieces of the application loaded into RAM (random access memory) and doing computations on the computing device’s CPU (central processing unit).

One rudimentary example is the kid who figures out how to carry out a Dynamic Link Library, or DLL, hack of his favorite video game. A DLL contains instructions that other programs can call upon to do certain things. Any kid with the attention span to study and master a DLL hacking tutorial can do this.

Similarly, there are any number of well-understood ways for a threat actor to slip benign-looking snippets of data into application servers, in such a way that the benign data gets transformed into executable attack code during runtime, Leichter told me.

The larger point is that there are numerous ways to carry out attacks during runtime – and this is malicious activity that is getting overlooked by the vast majority of legacy cybersecurity systems in place in the vast majority of companies and agencies.

Willy Leichter & Byron Acohido

“You can swap out a DLL, just take out the library and stick in a new one,” Leichter says. “And a lot of threats are coming in through the web layer as benign data and then the interpreters actually create the executable code in the web layer, essentially weaponizing it at runtime.”
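One defender's check for the library swapping Leichter describes: hash the libraries in an application directory while the install is known-good, then compare the directory against that baseline later, so a replaced, added or missing DLL shows up by name. This is an added example, not Virsec's or the page's code; the file names and contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed example: take a baseline of known-good library hashes for an
# application directory, then compare the directory against it later. A
# swapped DLL (same name, different contents), an added library, or a
# missing one is reported by category.

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(app_dir: Path, suffixes=(".dll", ".so")) -> dict:
    """Hash every library under app_dir; run once on a known-good install."""
    return {
        str(p.relative_to(app_dir)): sha256_of(p)
        for p in sorted(app_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }

def check_libraries(app_dir: Path, manifest: dict) -> dict:
    """Diff the current on-disk libraries against the baseline manifest."""
    current = build_manifest(app_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(k for k in current if k not in manifest),
        "missing": sorted(k for k in manifest if k not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline two libraries, then swap one and add one."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d)
        (app / "render.dll").write_bytes(b"original render code")
        (app / "net.dll").write_bytes(b"original net code")
        manifest = build_manifest(app)
        # The "take out the library and stick in a new one" case, plus a stray add.
        (app / "render.dll").write_bytes(b"replaced render code")
        (app / "extra.dll").write_bytes(b"unexpected library")
        return check_libraries(app, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is stored somewhere the application's own directory cannot write to, so that a swapped library cannot also rewrite the baseline it is checked against.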

Protecting core assets

The common denominator tying these fresh vectors and vulnerabilities together is memory hacking. These are attacks that unfold only while an application is running, in the memory of the CPU. They come and go leaving the faintest of footprints. They allow threat actors to move laterally with impunity, and achieve persistence deep inside well-defended enterprise networks.

Microsoft, supplier of the Windows operating system used ubiquitously in enterprise networks, recently disclosed that fully 70% of all security bugs pivot off what the software giant refers to as “memory safety issues.” What Virsec brings to the table, Leichter told me, is technology and guidance that orient companies toward keeping very close watch for any anomalous activity at the application level, during runtime.

“We believe strongly that organizations need to redouble their efforts to protect their core applications and core assets,” Leichter says. “Keep in mind, it’s no longer just your files sitting up there in the cloud. Your applications are running in the cloud, with thousands of software containers being turned on all over the infrastructure. So you’ve got to have a mechanism to zero in on your own assets.

“In this virtualized world, it really is all about what your application is doing while it’s running in memory, during runtime.”

Memory attacks seem destined to cause a whole lot more pain before these deep-down vectors attract the attention they deserve and get adequately addressed. I’ll keep watch.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Byron Acohido
