Attacks/Breaches

8/4/2017
03:48 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Steganography Use on the Rise Among Cyber Espionage, Cybercrime Groups

At least three cyber espionage campaigns and several malware samples in recent months have employed ancient technique, Kaspersky Lab says.

In a potentially worrisome trend for enterprises, threat actors have increasingly begun using the ancient technique of steganography to conceal data theft and other malicious activity on compromised systems.

Steganography is a term that describes the practice of hiding secret text messages and other content inside other non-secret messages — like innocuous-looking blocks of text or images.

Security researchers at Kaspersky Lab this week said they have come across at least three major cyberespionage campaigns in the past few months where threat actors have used steganography to hide stolen data and to communicate with command and control servers.

In these campaigns, threat actors have exfiltrated data from victim organizations by hiding it inside the code of seemingly ordinary image or video files and sending it to C&C servers. The modifications to the images or video files are so minute that they usually have gone unnoticed and typical endpoint antimalware tools and APT tools are not designed to look for or spot data exfiltration that takes place this way.

In addition to APT campaigns, there have been several instances recently where ordinary cybercriminals have used the technique in conjunction with malware tools, such as the Zeus banking Trojan and the Shamoon disk-erasing malware. The latter trend in particular suggests that malware writers are on the verge of adopting steganography on a mass scale, Kaspersky Lab researchers said in a blog this week.

"Most modern anti-malware solutions provide little, if any, protection from steganography," said Kaspersky Lab security researchers Alexey Shulmin, Evgeniya Krylova. As a result, any "carrier" such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat, they said.

Krylova told Dark Reading that organizations need to pay attention to the trend.

"Although steganography was used in ancient centuries, it is still actively used today by different malware authors and APT actors," she says. "This trend has been increasing over the last several years, even though it can be detected by different security suites, using mathematical and statistical methods."

Stegcontainers — or the object in which the payload is concealed - can take multiple forms, Krylova says. For instance, Kaspersky Lab has observed threat actors using audio files, text files, and even domain names, to hide data and C&C communications.

"But the primary concern is images," she notes. In most cases, the main payload that is being concealed within these images are conversations with the command and control server, commands received from the C&C and stolen files, she says.

The only one limitation on what threat actors can or cannot hide using steganography is the size of the container, Krylova says. "This is because you won’t be able to hide a lot of information in a container without visual distortion.”

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/7/2017 | 7:40:17 AM
Little to be done at present
As stated in the article, anti-malware is ineffective for infiltration that steganography can provide. Exfiltration of sensitive data will be prevalent as DLP programs have yet to review text within images and even easier, exfiltration of secret messages will be almost impossible to detect.
Christian Bryant
0%
100%
Christian Bryant,
User Rank: Ninja
8/4/2017 | 4:50:55 PM
The Riga Tech University Paper
A great paper that breaks down the basics of steganography is "Development of Requirements Specification for Steganographic Systems" by Dāvids Grībermans, Andrejs Jeršovs, Pāvels Rusakovs from the Department of Applied Computer Science, Riga Technical University, Latvia.  In fact, the breakdown of Message Requirements, Container Requirements and Algorithm Requirements is quite interesting.  Additional requirements covered include Stegocontainer and Security.  Highly recommend this read for the newbie stego.
Why Cybersecurity Must Be an International Effort
Kelly Sheridan, Associate Editor, Dark Reading,  12/6/2017
NIST Releases New Cybersecurity Framework Draft
Jai Vijayan, Freelance writer,  12/6/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.