Prepare For Memory Scraping Malware Bypassing Encryption

SANS is reporting that “pervasive memory scraping” malware is expected to become one of the most dangerous attack techniques in use this year. Pervasive memory scraping is a technique used by attackers who have already gained administrative privileges on a computer in order to get at encrypted data. Evidence of this type of attack is appearing more often in new data breach cases.

Encryption is often touted as a quick and fairly easy solution to many privacy and confidentiality concerns, and it is a requirement of some regulations such as PCI. However, encrypted data must be decrypted in order to be viewed, used and processed. To do this, the application decrypts the data into memory. If the data set is large enough, it could also be written to temporary files. Once the application that decrypted the data is closed, there is the potential for these remnants to be left behind, at least for some period of time, unencrypted and unprotected. Memory scraping malware takes advantage of these lapses and harvests the unencrypted data.
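The remnant problem above is partly a handling problem: plaintext that lands in an immutable string or a temp file that is simply deleted stays recoverable for longer than it needs to. The following added example (not code from the original post) shows the defensive habit of decrypting into a mutable buffer, scrubbing it as soon as the work is done, and overwriting any spill file before unlinking it. The XOR “cipher”, the key and the sample record are constructed stand-ins, not a real encryption scheme.

```python
import os
import tempfile

# Constructed sample data: a toy key and a plaintext record resembling cardholder data.
KEY = b"k3y"
PLAINTEXT = b"pan=4111111111111111"


def toy_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric toy XOR transform used here only so the example is self-contained.
    It is NOT encryption; a real system would use an authenticated cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERTEXT = toy_xor(PLAINTEXT, KEY)  # constructed "encrypted at rest" record


def decrypt_to_buffer(ciphertext: bytes, key: bytes) -> bytearray:
    """Return plaintext in a bytearray, which (unlike bytes) can be overwritten in place."""
    return bytearray(toy_xor(ciphertext, key))


def scrub(buf: bytearray) -> None:
    """Zero the buffer in place so the plaintext does not linger in the process heap.
    Caveat: CPython may still hold copies made by slicing or conversion to bytes,
    so this shortens the exposure window rather than guaranteeing its absence."""
    buf[:] = b"\x00" * len(buf)


def shred_file(path: str) -> None:
    """Overwrite a spill file with zeros and fsync before unlinking it.
    Caveat: journaling file systems and SSD wear levelling may keep older copies."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)


def process_record(ciphertext: bytes = CIPHERTEXT, key: bytes = KEY) -> tuple:
    """Decrypt a record, do some work on it (count digits), and clean up remnants.
    Returns (digit_count, buffer_zeroed, spill_file_gone) so the cleanup is checkable."""
    plain = decrypt_to_buffer(ciphertext, key)
    with tempfile.TemporaryDirectory() as spill_dir:
        spill_path = os.path.join(spill_dir, "spill.tmp")
        try:
            # Simulate a large data set spilling to disk during processing.
            with open(spill_path, "wb") as fh:
                fh.write(plain)
            digit_count = sum(1 for b in plain if 48 <= b <= 57)
        finally:
            scrub(plain)
            if os.path.exists(spill_path):
                shred_file(spill_path)
        spill_gone = not os.path.exists(spill_path)
    return digit_count, all(b == 0 for b in plain), spill_gone


if __name__ == "__main__":
    print(process_record())
```

The point is the `finally` block: the scrub and the shred happen whether or not the processing step succeeds, which is exactly the case (an application crashing or being closed mid-run) in which remnants are normally left behind.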

Memory scraping itself is not entirely new. I have heard it discussed by researchers and presenters as early as 2006/2007. Two years ago, it appeared in a Verizon Annual Data Breach Report under the name “RAM Scraper Attack”.

Metasploit Meterpreter is a software module that works with the open source Metasploit framework in order to “test” memory scraping. Although data loss prevention (DLP) products can help in detecting accidental leakage, they may not work as a defence against attacks that re-encrypt the scraped data before sending it out, because the DLP product cannot decrypt and examine the content. This is why I recommend making encrypted data traversing the network, or at least leaving the network, a red-flag event in DLP rule sets. Managed carefully, this event should trigger a log and warn event, and could trigger a block event if it is coming from a system that is not expected and approved to perform this action.
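The rule recommended above can be expressed as a small policy over outbound flows: a DLP engine cannot read re-encrypted data, but it can recognise opaque, high-entropy payloads and decide based on where they come from and where they are going. The following added example (not code from the original post or from any DLP product) implements that policy with a Shannon entropy check, an internal-network test, and an allow-list of hosts approved to send encrypted data out. The address ranges, the approved host, the entropy threshold and the sample flows are all constructed assumptions.

```python
import hashlib
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# Hosts expected and approved to emit encrypted traffic out of the network
# (constructed example value, e.g. a VPN or backup gateway).
APPROVED_ENCRYPTED_SENDERS = {"10.0.5.20"}

# Address ranges treated as "inside" the network (constructed).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Payloads above this many bits of entropy per byte are treated as
# encrypted or compressed, i.e. not inspectable by content rules (assumed threshold).
ENTROPY_THRESHOLD = 7.0


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def leaves_network(dst: str) -> bool:
    """True when the destination is outside every internal range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def classify_flow(flow: Flow) -> str:
    """DLP action for one flow: 'allow', 'inspect', 'log_and_warn' or 'block'."""
    if not leaves_network(flow.dst):
        return "allow"             # internal traffic: outside this rule's scope
    if shannon_entropy(flow.payload) < ENTROPY_THRESHOLD:
        return "inspect"           # readable content: ordinary DLP rules apply
    if flow.src in APPROVED_ENCRYPTED_SENDERS:
        return "log_and_warn"      # expected encrypted egress: record and alert
    return "block"                 # unexpected host sending opaque data out


# --- constructed sample flows ------------------------------------------------
def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy stream built from SHA-256; stands in for ciphertext."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


PLAINTEXT = b"name=J. Doe;pan=4111111111111111;exp=12/29;" * 100
OPAQUE = pseudo_random_bytes(4096, b"constructed-seed")

SAMPLE_FLOWS = [
    Flow("10.0.5.20", "203.0.113.10", 443, OPAQUE),    # approved gateway, egress
    Flow("10.0.7.44", "198.51.100.7", 8080, OPAQUE),   # unexpected host, egress
    Flow("10.0.7.44", "10.0.9.3", 445, OPAQUE),        # internal, not egress
    Flow("10.0.7.44", "198.51.100.7", 80, PLAINTEXT),  # readable, hand to content rules
]


def run_rules(flows=SAMPLE_FLOWS):
    """Apply the policy to each flow and return (src, dst, action) triples."""
    return [(f.src, f.dst, classify_flow(f)) for f in flows]


if __name__ == "__main__":
    for src, dst, action in run_rules():
        print(f"{src} -> {dst}: {action}")
```

Entropy alone cannot tell ciphertext from compressed or already-encrypted legitimate traffic such as TLS, which is why the decision hinges on the approved-sender list rather than on the payload; tuning that list is the “managed carefully” part of the recommendation.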