10/17/2014 12:30 PM
Kaushik Narayan
Commentary

In Plain Sight: How Cyber Criminals Exfiltrate Data Via Video

Just like Fortune 500 companies, attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security.

There's always been a tension between the promise of new technology and peril from its misuse or abuse. Look at the recent iCloud breach. A technology that offers the convenience of accessing photos from any device anywhere in the world, iCloud can also be used by malicious third parties to expose your most intimate moments.

I worry about my kids using technology and how it can be abused to defame, embarrass, or bully in ways not thought possible 20 years ago. Perhaps Steve Jobs was right to limit his children's use of technology. In fact, we probably all know people at work who should have their technology use limited for their own safety. But if the risks of cloud apps and mobile devices cannot be reconciled with a healthy childhood, what makes us think they can exist in a corporation with its legal and regulatory duties? The latest evidence to the contrary is a serious breach at a Fortune 500 customer of Skyhigh Networks, the cloud security company I co-founded.

In this recent attack, criminals used popular consumer cloud video sites to remove a large volume of sensitive data without being detected by conventional security measures like the company's intrusion prevention system. What's new is the sophistication used by the attackers to avoid detection; just as companies have invested heavily in technology to detect and stop breaches, so have attackers become smarter about removing data.

Devilishly clever
It all started when the company saw an automated alert showing multiple uploads to a video sharing site of identical file sizes. Working with their security team, we discovered attackers were packaging sensitive data into video files and uploading them to a public site where they could be viewed and downloaded. This is a devilishly clever way to steal a lot of data without being detected.

Why? If you want to exfiltrate data from a company, the cloud is a great way to do this undetected since the traffic would appear normal to anyone viewing the company's egress device logs. However, if you want to steal a large volume of data, it's best not to use cloud services like Twitter because even a prolific Twitter user is not likely to send more than 500 tweets per day.

Video sharing sites are the ideal way to steal a lot of data. First off, they're allowed by many companies because they have a legitimate business use. Marketing departments use sites like YouTube and Vimeo to promote the company, while other sites have training videos employees need to be productive. Second, since video files tend to be very large, it's not unusual to see a large file uploaded to one.

In this attack, once hackers gained access to sensitive data stored by the company on the network, they split the data into compressed files of identical sizes, similar to how the RAR archive format splits a single large archive into several smaller, equally sized volumes. Next, they encrypted this data and wrapped each compressed file with a video file. In doing so, they made the original data unreadable and further obscured it by hiding it inside a video file, a format where multi-gigabyte file sizes are not unusual. The video files containing stolen data played normally. What was unusual is that each file was an identical size, which is anomalous because encoded videos almost never come out at exactly the same size.

The attackers then uploaded the videos containing stolen data to a consumer video sharing site. While they're large files, it's not unusual for users to upload video files to these types of sites. However, it is unusual to see multiple uploads of identical sizes. If anyone checked, the videos would play normally on the site as well. After the videos were on the site, the attackers presumably downloaded the videos and performed the reverse operation, unpacking each segment of data from the videos and reassembling them to arrive at the original dataset containing the sensitive data they sought to steal. All of this went undetected by the company's array of perimeter defenses and intrusion detection systems.

There's no silver bullet for stopping this type of attack. The standard measures apply: employ a multi-layered security approach that includes network defenses, strong passwords, intrusion detection, and multi-factor authentication to protect sensitive data. The biggest challenge is in detection because identifying these types of data exfiltration events requires manually inspecting uploads to cloud video services -- and even then, this attack was pretty well obfuscated.
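The automated alert described above, multiple uploads of identical size to a video sharing site, is the one signal in this story that a defender can actually act on. As an added example (not code from the article or from Skyhigh Networks), the following Python script implements that check over a few constructed egress-proxy log lines: it groups outbound uploads to a hypothetical watch-list of video-sharing upload hosts by client and exact byte count and flags any client that repeats one large size. The log format, host names, sample values and thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample egress-proxy log lines (not real data). Fields, space separated:
# timestamp, client IP, HTTP method, destination host, bytes sent by the client.
SAMPLE_LOG = """\
2014-10-13T01:02:11Z 10.20.30.41 POST upload.video-example.test 734003200
2014-10-13T01:19:47Z 10.20.30.41 POST upload.video-example.test 734003200
2014-10-13T01:38:02Z 10.20.30.41 POST upload.video-example.test 734003200
2014-10-13T01:55:30Z 10.20.30.41 POST upload.video-example.test 734003200
2014-10-13T09:12:05Z 10.20.30.77 GET  www.video-example.test 1842
2014-10-13T10:40:19Z 10.20.30.88 POST upload.video-example.test 512887310
2014-10-13T11:03:44Z 10.20.30.88 POST upload.video-example.test 98113400
2014-10-13T14:21:09Z 10.20.30.41 POST files.storage-example.test 734003200
"""

# Hypothetical watch-list: upload endpoints of the video-sharing services the company allows.
VIDEO_UPLOAD_HOSTS = {"upload.video-example.test"}
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    size: int          # exact byte count shared by every upload in the group
    count: int         # how many uploads had that size
    total_bytes: int   # count * size, a rough bound on what left the network


def parse_line(line):
    """Split one log line into (timestamp, client, method, host, bytes_sent)."""
    ts, client, method, host, sent = line.split()
    return ts, client, method.upper(), host.lower(), int(sent)


def find_identical_size_uploads(log_text, min_repeats=3, min_size=1_000_000):
    """Return an Alert for every (client, host, size) group of large uploads that
    repeats at least min_repeats times. Encoded videos almost never share an exact
    byte count, so one client repeatedly pushing the same large size is the anomaly
    the article's alert fired on."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, client, method, host, sent = parse_line(raw)
        if method not in UPLOAD_METHODS or host not in VIDEO_UPLOAD_HOSTS:
            continue
        if sent < min_size:
            continue  # small requests (thumbnails, metadata) are not interesting here
        groups[(client, host, sent)].append(ts)

    alerts = [
        Alert(client, host, size, len(stamps), size * len(stamps))
        for (client, host, size), stamps in groups.items()
        if len(stamps) >= min_repeats
    ]
    return sorted(alerts, key=lambda a: a.total_bytes, reverse=True)


if __name__ == "__main__":
    for a in find_identical_size_uploads(SAMPLE_LOG):
        print(f"{a.client} -> {a.host}: {a.count} uploads of exactly {a.size} bytes "
              f"({a.total_bytes / 1e9:.2f} GB)")
```

The check keys on the byte count measured at the egress device, not on anything the video site reports back, so it works without inspecting the content of the upload. A repeat threshold of three on uploads above one megabyte is deliberately conservative; in a real deployment the watch-list would be fed from the proxy's category data and the thresholds tuned against the baseline of legitimate marketing and training uploads.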

Of course, like an over-protective parent, you could block all video services for all but a limited number of employees. But this ignores the fact that people are creative and will eventually find a workaround -- as will the attackers.

Bottom line: we are in a guerrilla war against an insurgency we are likely never going to totally defeat. This novel data exfiltration technique using video marks an escalation in the conflict as ever more sophisticated attackers adopt the same tools that drive productivity and growth in the corporate world to steal its most sensitive assets.

Kaushik Narayan is a co-founder and CTO at Skyhigh Networks, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class products. He has been ...

Comments
cvrcak,
User Rank: Apprentice
10/22/2014 | 10:52:49 AM
Re: a legitimate reason to upload?
Really, pretty much every video site? Wow. I'd love to see a report of research or a study that shows the actual percentage. Can you post the link or point in the right direction? This is incredibly interesting, as they must be really good at determining that the content is indeed hidden or is malware. I am very curious to understand how information, like the stolen data in the article, packed in smaller chunks of data and possibly processed further, would be detected with certainty as unallowed hidden content packed into a video file, and all of that on pretty much every video site. Wow, again.
K_Narayan,
User Rank: Author
10/21/2014 | 10:24:54 PM
Re: How did they get in?

Robert, all I can say about the way they got in is that their access also went undetected, but that could be an entirely separate article! 

K_Narayan,
User Rank: Author
10/21/2014 | 10:22:20 PM
Re: a legitimate reason to upload?

I think what's needed in the industry, and you've touched on it Ulf, is a "read only" mode for cloud providers such that a user can login and download data but cannot upload data to that same service. It's just not possible politically in many organizations to block access outright to many of these services.

K_Narayan,
User Rank: Author
10/21/2014 | 10:20:40 PM
Re: Take a data centric approach to security

Absolutely, companies are increasingly discovering new malware variants based on unusual access patterns, rather than traditional AV. As an example, a company found 100,000 tweets coming from one machine in a day. That PC was infected and exfiltrating data 140 characters at a time to a private Twitter account. 

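The Twitter case in the reply above is detection by access pattern rather than by signature: one machine producing a request count far outside what the rest of the fleet does. As an added example (not part of the comment and not Skyhigh Networks' code), here is a Python routine that flags such hosts from per-workstation daily request counts to a single external host, using the median and median absolute deviation so that the infected machine's own huge count cannot inflate the baseline and hide itself. The workstation names, counts and threshold are constructed assumptions.

```python
import statistics

# Constructed daily counts of outbound requests per workstation to one
# social-media API host (not real data). ws-007 is the anomaly.
DAILY_REQUESTS = {
    "ws-001": 312, "ws-002": 145, "ws-003": 287, "ws-004": 0,   "ws-005": 420,
    "ws-006": 198, "ws-007": 100_000, "ws-008": 355, "ws-009": 266, "ws-010": 173,
}

# 0.6745 scales the MAD so that, for normally distributed data, the score
# behaves like an ordinary z-score; 3.5 is the customary cut-off for that score.
MAD_CONSISTENCY = 0.6745


def robust_outliers(counts, threshold=3.5):
    """Return [(host, count, score)] for hosts whose count sits far above the
    fleet median, measured in median-absolute-deviation units. Mean and standard
    deviation are avoided on purpose: one host at 100,000 requests would drag the
    mean and inflate the deviation enough to mask itself."""
    values = list(counts.values())
    if len(values) < 3:
        return []  # no meaningful baseline with fewer than three hosts
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    if mad == 0:
        return []  # every host behaves the same; nothing stands out
    flagged = []
    for host, v in counts.items():
        score = MAD_CONSISTENCY * (v - med) / mad
        if score > threshold:          # one-sided: only excess traffic is of interest
            flagged.append((host, v, round(score, 1)))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for host, count, score in robust_outliers(DAILY_REQUESTS):
        print(f"{host}: {count} requests/day (robust score {score})")
```

Run daily per destination host, this yields a short list of machines to pull for investigation; the same routine applies unchanged to bytes uploaded per host, which is the measure that matters for the video case in the article.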
eltorito,
User Rank: Apprentice
10/21/2014 | 7:11:14 PM
Re: a legitimate reason to upload?
Well, the post is cooked up nonsense. Pretty much every video site scans uploaded videos for hidden content and malware before acceptance.

prospecttoreza,
User Rank: Strategist
10/20/2014 | 9:21:39 AM
a legitimate reason to upload?
"Marketing departments use sites like YouTube and Vimeo to promote the company, while other sites have training videos employees need to be productive." It seems that only the marketing dept would be in the business of uploading videos. All others will only download.
Dr.T,
User Rank: Ninja
10/19/2014 | 1:34:44 PM
Re: How did they get in?
Lack of layers in security measures and most likely lack of encrypting data at rest. It should not be easier to go further in the layers; it should get harder actually, and that means IDS/IPS, secure servers and then encryption of the data at rest.
Dr.T,
User Rank: Ninja
10/19/2014 | 1:28:50 PM
Re: Take a data centric approach to security
I agree mainly. It is really strange that a few recent attacks are because of a lack of simple measures such as strong passwords and not sharing admin privileges. A simple layered security measure would easily prevent those attacks.
Dr.T,
User Rank: Ninja
10/19/2014 | 1:24:28 PM
Photos and videos not yours in cloud
I am a little biased when I hear about a breach of videos and photos and that being a big issue. I do not know why anybody would take a picture or make a video that cannot be shared and then share it with the cloud. The solution is simple: stop taking pictures or making videos you cannot share. Or just do not make a big deal out of it when it is compromised and shared with others.
Ulf Mattsson,
User Rank: Moderator
10/18/2014 | 8:00:57 AM
Take a data centric approach to security
I agree that "attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security."

I'm concerned that major recent breaches involved new forms of malware that may be undetectable by current antivirus systems. Malware tries to hide from its victims. Sophisticated malware can be difficult to detect and may even be signed by trusted (stolen) certificates. Signed malware, which poses as approved legitimate software, continues to set record growth.

Even if the malware is detected it could be hard to notice in the noise from state of the art malware detection systems. McAfee Labs researchers have analyzed the threats and seen a steady growth in malware.

I think it is time to take a data centric approach to security. We should analyze data access patterns, but even more importantly, secure the sensitive data itself with modern data security approaches. Recent studies reported that modern data tokenization can cut security incidents by 50 %. 

Ulf Mattsson, CTO Protegrity
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...