Memory scraping malware goes after encrypted private information

What's "pervasive memory scraping" and why is it considered by SANS Institute security researchers to be among the most dangerous attack techniques likely to be used in coming the coming year?

Top 10 Web hacking Techniques of 2010 Revealed

Simply put, pervasive memory scraping is used by attackers who have gained administrative privileges to successfully get hold of personally identifiable information (PII) and other sensitive data held encrypted in a file system, according to Ed Skoudis, senior security consultant at InGuardians who is also an instructor at SANS events. Evidence of this attack is coming up again and again in data-breach cases, he said.

"Data is encrypted in a file system where it's stored," said Skoudis, who joined with Johannes Ullrich, chief research officer at SANS Technology Institute, to speak at the RSA Conference last week on dangerous attack techniques that appear to be on the rise. Though stored encrypted, the data has to be processed by some application and "if you're processing that data it will be processed in that system unencrypted," Skoudis pointed out.

Although data encryption is widely regarded as good protection for sensitive data — and may be required under regulations — attackers are probing the chinks in encryption's armor to steal it. That's done by taking advantage of the fact that to be processed, data has to be unencrypted, and attackers "go into memory and grab the crypto key" and start "fetching the PII itself from memory." One interesting aspect about this attack is that "the bad guys want to maintain the end-to-end encryption, too."

Pervasive memory scraping is not wholly new — the annual Verizon Data Breach report, for example, two years ago identified what it called a "RAM scraper" attack as something first spotted in the retail and hospitality sectors. The Verizon report described the RAM scaper as a "relatively new form of malware designed to capture data from volatile memory within a system" in order to circumvent encryption controls and "capture data in memory where it must be decrypted to be read and processed." The Verizon report at that time suggested, "The best defense is to keep remote attacks from owning the system."

One of the tools that attackers can use for pervasive memory scraping is the Metasploit Meterpreter, a software module that works with the open-source Metasploit framework. Researcher Colin Ames is credited with having done pioneering work in showing how it's possible to hunt for crypto keys, Skoudis said.

Although data-loss prevention (DLP) products and freeware can help in detecting accidental leakage of sensitive data, they may not be enough of a defense against pervasive memory scraping attacks where "the bad guys are encrypting the data and DLP can't see it," Skoudis said.

Other types of dangerous attacks expected to be on the rise were also identified. These included attack scenarios related to enterprise migration from IPv4 to IPv6. Here, attackers try to stealthily move about via IPv6 networks that enterprises may not even know are turned on in newer versions of products, while their older firewalls or intrusion-prevention systems may not be looking for IPv6 at all.

"IPads and iPhones are devices already running IPv6," said Ullrich. "There are no great tools right now to actually monitor it." IPv6 can constitute a "shadow network" that many IDS and IPS are not yet ready to observe, he added. His advice: "If you don't need it, turn off IPv6 on your router, on your host, everywhere."

In another prediction, the infamous Stuxnet malware launched against industrial control systems in Iran is also likely to be the source of inspiration in the coming year for similar attacks. Calling it "Trickle-down Stuxnet," Skoudis predicted the Stuxnet method that used a stolen signing certificate and sophisticated Windows-based exploits will inspire others to attempt something similar. In addition, Skoudis also pointed out that social networking in general, where users post a plethora of information that attackers may have access to, presents a highly attractive attack platform for the future.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags SANS Institutesecurityencryptionanti-malwaredata protection

More about DLPIPSLANLPRSASANS InstituteVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place