Attacks/Breaches

8/4/2017
03:48 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Steganography Use on the Rise Among Cyber Espionage, Cybercrime Groups

At least three cyber espionage campaigns and several malware samples in recent months have employed ancient technique, Kaspersky Lab says.

In a potentially worrisome trend for enterprises, threat actors have increasingly begun using the ancient technique of steganography to conceal data theft and other malicious activity on compromised systems.

Steganography is a term that describes the practice of hiding secret text messages and other content inside other non-secret messages — like innocuous-looking blocks of text or images.

Security researchers at Kaspersky Lab this week said they have come across at least three major cyberespionage campaigns in the past few months where threat actors have used steganography to hide stolen data and to communicate with command and control servers.

In these campaigns, threat actors have exfiltrated data from victim organizations by hiding it inside the code of seemingly ordinary image or video files and sending it to C&C servers. The modifications to the images or video files are so minute that they usually have gone unnoticed and typical endpoint antimalware tools and APT tools are not designed to look for or spot data exfiltration that takes place this way.

In addition to APT campaigns, there have been several instances recently where ordinary cybercriminals have used the technique in conjunction with malware tools, such as the Zeus banking Trojan and the Shamoon disk-erasing malware. The latter trend in particular suggests that malware writers are on the verge of adopting steganography on a mass scale, Kaspersky Lab researchers said in a blog this week.

"Most modern anti-malware solutions provide little, if any, protection from steganography," said Kaspersky Lab security researchers Alexey Shulmin, Evgeniya Krylova. As a result, any "carrier" such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat, they said.

Krylova told Dark Reading that organizations need to pay attention to the trend.

"Although steganography was used in ancient centuries, it is still actively used today by different malware authors and APT actors," she says. "This trend has been increasing over the last several years, even though it can be detected by different security suites, using mathematical and statistical methods."

Stegcontainers — or the object in which the payload is concealed - can take multiple forms, Krylova says. For instance, Kaspersky Lab has observed threat actors using audio files, text files, and even domain names, to hide data and C&C communications.

"But the primary concern is images," she notes. In most cases, the main payload that is being concealed within these images are conversations with the command and control server, commands received from the C&C and stolen files, she says.

The only one limitation on what threat actors can or cannot hide using steganography is the size of the container, Krylova says. "This is because you won’t be able to hide a lot of information in a container without visual distortion.”

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/7/2017 | 7:40:17 AM
Little to be done at present
As stated in the article, anti-malware is ineffective for infiltration that steganography can provide. Exfiltration of sensitive data will be prevalent as DLP programs have yet to review text within images and even easier, exfiltration of secret messages will be almost impossible to detect.
No SOPA
0%
100%
No SOPA,
User Rank: Ninja
8/4/2017 | 4:50:55 PM
The Riga Tech University Paper
A great paper that breaks down the basics of steganography is "Development of Requirements Specification for Steganographic Systems" by Dāvids Grībermans, Andrejs Jeršovs, Pāvels Rusakovs from the Department of Applied Computer Science, Riga Technical University, Latvia.  In fact, the breakdown of Message Requirements, Container Requirements and Algorithm Requirements is quite interesting.  Additional requirements covered include Stegocontainer and Security.  Highly recommend this read for the newbie stego.
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
Good Times in Security Come When You Least Expect Them
Joshua Goldfarb, Co-founder & Chief Product Officer, IDRRA ,  10/23/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.