Attacks/Breaches
10/17/2014 12:30 PM
Kaushik Narayan
Commentary

In Plain Sight: How Cyber Criminals Exfiltrate Data Via Video

Just like Fortune 500 companies, attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security.

There's always been a tension between the promise of new technology and the peril of its misuse or abuse. Look at the recent iCloud breach. A technology that offers the convenience of accessing photos from any device anywhere in the world, iCloud can also be used by malicious third parties to expose your most intimate moments.

I worry about my kids using technology and how it can be abused to defame, embarrass, or bully in ways not thought possible 20 years ago. Perhaps Steve Jobs was right to limit his children's use of technology. In fact, we probably all know people at work who should have their technology use limited for their own safety. But if the risks of cloud apps and mobile devices cannot be reconciled with a healthy childhood, what makes us think they can exist in a corporation with its legal and regulatory duties? The latest evidence to the contrary is a serious breach at a Fortune 500 customer of Skyhigh Networks, the cloud security company I co-founded.

In this recent attack, criminals used popular consumer cloud video sites to remove a large volume of sensitive data without being detected by conventional security measures like the company's intrusion prevention system. What's new is the sophistication the attackers used to avoid detection; just as companies have invested heavily in technology to detect and stop breaches, attackers have become smarter about removing data.

Devilishly clever
It all started when the company saw an automated alert showing multiple uploads to a video sharing site of identical file sizes. Working with their security team, we discovered attackers were packaging sensitive data into video files and uploading them to a public site where they could be viewed and downloaded. This is a devilishly clever way to steal a lot of data without being detected.

Why? If you want to exfiltrate data from a company, the cloud is a great way to do this undetected since the traffic would appear normal to anyone viewing the company's egress device logs. However, if you want to steal a large volume of data, it's best not to use cloud services like Twitter because even a prolific Twitter user is not likely to send more than 500 tweets per day.

Video sharing sites are the ideal way to steal a lot of data. First off, they're allowed by many companies because they have a legitimate business use. Marketing departments use sites like YouTube and Vimeo to promote the company, while other sites have training videos employees need to be productive. Second, since video files tend to be very large, it's not unusual to see a large file uploaded to one.

In this attack, once hackers gained access to sensitive data stored by the company on the network, they split the data into compressed files of identical sizes, similar to how the RAR archive format splits a single large archive into several smaller segments. Next, they encrypted this data and wrapped each compressed file in a video file. In doing so, they made the original data unreadable and further obscured it by hiding it inside a video file, a file format in which multi-gigabyte file sizes are not unusual. The video files containing stolen data played normally. What was unusual was that every file was exactly the same size, which is anomalous because encoded videos rarely come out to the exact same file size.

The attackers then uploaded the videos containing stolen data to a consumer video sharing site. Although the files were large, it's not unusual for users to upload large video files to these types of sites. However, it is unusual to see multiple uploads of identical sizes. If anyone checked, the videos would play normally on the site as well. After the videos were on the site, the attackers presumably downloaded the videos and performed the reverse operation, unpacking each segment of data from the videos and reassembling them to arrive at the original dataset containing the sensitive data they sought to steal. All of this went undetected by the company's array of perimeter defenses and intrusion detection systems.

There's no silver bullet for stopping this type of attack. The standard measures apply: employ a multi-layered security approach that includes network defenses, strong passwords, intrusion detection, and multi-factor authentication to protect sensitive data. The biggest challenge is in detection because identifying these types of data exfiltration events requires manually inspecting uploads to cloud video services -- and even then, this attack was pretty well obfuscated.
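As an added example (not code from the article or from Skyhigh Networks), the following shows the kind of automated check described above: group large uploads to video-sharing hosts by source, destination and exact byte count, and alert when the same size recurs from one host. The log line format, the host name, the sample log lines and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed egress-proxy log lines (not from the article):
# timestamp, source host, method, destination host, bytes uploaded.
SAMPLE_LOG = """\
2014-10-14T09:01:12 10.0.4.21 POST upload.video-share.example 1073741824
2014-10-14T09:18:40 10.0.4.21 POST upload.video-share.example 1073741824
2014-10-14T09:35:03 10.0.4.21 POST upload.video-share.example 1073741824
2014-10-14T09:36:15 10.0.7.9 POST upload.video-share.example 734003200
2014-10-14T10:02:51 10.0.4.21 POST upload.video-share.example 1073741824
2014-10-14T10:05:00 10.0.2.33 GET upload.video-share.example 0
2014-10-14T10:07:44 10.0.7.9 POST upload.video-share.example 512000000
"""

# Assumed: an inventory of sanctioned video-sharing hosts (hypothetical domain).
VIDEO_SHARING_HOSTS = {"upload.video-share.example"}
MIN_BYTES = 100 * 1024 * 1024   # ignore small POSTs (comments, thumbnails)
MIN_REPEATS = 3                 # identical-size uploads needed before alerting

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_uploads(log_text):
    """Yield (src, dst, size) for large POSTs to video-sharing hosts."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        _ts, src, method, dst, size = m.groups()
        size = int(size)
        if method == "POST" and dst in VIDEO_SHARING_HOSTS and size >= MIN_BYTES:
            yield src, dst, size


def find_identical_size_uploads(log_text, min_repeats=MIN_REPEATS):
    """Return {(src, dst, size): count} for every group at or above min_repeats.

    A normally encoded video almost never repeats an exact byte count, so
    several same-size uploads from one host is the anomaly the article's
    alert keyed on.
    """
    counts = Counter(parse_uploads(log_text))
    return {key: n for key, n in counts.items() if n >= min_repeats}


if __name__ == "__main__":
    for (src, dst, size), n in find_identical_size_uploads(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {dst}: {n} uploads of exactly {size} bytes")
```

In the sample, host 10.0.4.21 trips the alert with four 1 GiB uploads, while 10.0.7.9's two different-sized uploads and the GET request do not.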

Of course, like an over-protective parent, you could block all video services for all but a limited number of employees. But this ignores the fact that people are creative and will eventually find a workaround -- as will the attackers.

Bottom line: we are in a guerrilla war against an insurgency we are likely never going to totally defeat. This novel data exfiltration technique using video marks an escalation in the conflict as ever more sophisticated attackers adopt the same tools that drive productivity and growth in the corporate world to steal its most sensitive assets.

Kaushik Narayan is a co-founder and CTO at Skyhigh Networks, where he is responsible for Skyhigh's technology vision and software architecture. He brings over 18 years of experience driving technology and architecture strategy for enterprise-class products. He has been ...

Comments
cvrcak
User Rank: Apprentice
10/22/2014 | 10:52:49 AM
Re: a legitimate reason to upload?
Really, pretty much every video site? Wow. I'd love to see a report of research or a study that shows the actual percentage. Can you post the link or point me in the right direction? This is incredibly interesting, as they must be really good at determining that the content is indeed hidden or is malware. I am very curious to understand how information like the stolen data in the article, packed into smaller chunks of data and possibly processed further, would be detected with certainty as disallowed hidden content packed into a video file, and all of that on pretty much every video site. Wow, again.
K_Narayan
User Rank: Author
10/21/2014 | 10:24:54 PM
Re: How did they get in?

Robert, all I can say about the way they got in is that their access also went undetected, but that could be an entirely separate article!

K_Narayan
User Rank: Author
10/21/2014 | 10:22:20 PM
Re: a legitimate reason to upload?

I think what's needed in the industry, and you've touched on it, Ulf, is a "read only" mode for cloud providers such that a user can log in and download data but cannot upload data to that same service. It's just not possible politically in many organizations to block access outright to many of these services.

K_Narayan
User Rank: Author
10/21/2014 | 10:20:40 PM
Re: Take a data centric approach to security

Absolutely, companies are increasingly discovering new malware variants based on unusual access patterns, rather than traditional AV. As an example, a company found 100,000 tweets coming from one machine in a day. That PC was infected and exfiltrating data 140 characters at a time to a private Twitter account.

eltorito
User Rank: Apprentice
10/21/2014 | 7:11:14 PM
Re: a legitimate reason to upload?
Well, the post is cooked-up nonsense. Pretty much every video site scans uploaded videos for hidden content and malware before acceptance.

prospecttoreza
User Rank: Strategist
10/20/2014 | 9:21:39 AM
a legitimate reason to upload?
"Marketing departments use sites like YouTube and Vimeo to promote the company, while other sites have training videos employees need to be productive." It seems that only the marketing department would be in the business of uploading videos. All others will only download.
Dr.T
User Rank: Ninja
10/19/2014 | 1:34:44 PM
Re: How did they get in?
Lack of layers in security measures and most likely lack of encryption of data at rest. It should not get easier to go further into the layers; it should actually get harder, and that means IDS/IPS, secure servers, and then encryption of the data at rest.
Dr.T
User Rank: Ninja
10/19/2014 | 1:28:50 PM
Re: Take a data centric approach to security
I mainly agree. It is really strange that a few recent attacks were because of a lack of simple measures such as strong passwords, and because of sharing admin privileges. A simple layered security measure would easily prevent those attacks.
Dr.T
User Rank: Ninja
10/19/2014 | 1:24:28 PM
Photos and videos not yours in cloud
I am a little biased when I hear about a breach of videos and photos being a big issue. I do not know why anybody would take a picture or make a video that cannot be shared and then share it with the cloud. The solution is simple: stop taking pictures or making videos you cannot share. Or just do not make a big deal out of it when it is compromised and shared with others.
Ulf Mattsson
User Rank: Moderator
10/18/2014 | 8:00:57 AM
Take a data centric approach to security
I agree that "attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security."

I'm concerned that major recent breaches involved new forms of malware that may be undetectable by current antivirus systems. Malware tries to hide from its victims. Sophisticated malware can be difficult to detect and may even be signed by trusted (stolen) certificates. Signed malware, which poses as approved legitimate software, continues to set record growth.

Even if the malware is detected, it could be hard to notice in the noise from state-of-the-art malware detection systems. McAfee Labs researchers have analyzed the threats and seen a steady growth in malware.

I think it is time to take a data-centric approach to security. We should analyze data access patterns, but even more importantly, secure the sensitive data itself with modern data security approaches. Recent studies reported that modern data tokenization can cut security incidents by 50%.

Ulf Mattsson, CTO Protegrity