Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/4/2017
03:48 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Steganography Use on the Rise Among Cyber Espionage, Cybercrime Groups

At least three cyber espionage campaigns and several malware samples in recent months have employed ancient technique, Kaspersky Lab says.

In a potentially worrisome trend for enterprises, threat actors have increasingly begun using the ancient technique of steganography to conceal data theft and other malicious activity on compromised systems.

Steganography is a term that describes the practice of hiding secret text messages and other content inside other non-secret messages — like innocuous-looking blocks of text or images.

Security researchers at Kaspersky Lab this week said they have come across at least three major cyberespionage campaigns in the past few months where threat actors have used steganography to hide stolen data and to communicate with command and control servers.

In these campaigns, threat actors have exfiltrated data from victim organizations by hiding it inside the code of seemingly ordinary image or video files and sending it to C&C servers. The modifications to the images or video files are so minute that they usually have gone unnoticed and typical endpoint antimalware tools and APT tools are not designed to look for or spot data exfiltration that takes place this way.

In addition to APT campaigns, there have been several instances recently where ordinary cybercriminals have used the technique in conjunction with malware tools, such as the Zeus banking Trojan and the Shamoon disk-erasing malware. The latter trend in particular suggests that malware writers are on the verge of adopting steganography on a mass scale, Kaspersky Lab researchers said in a blog this week.

"Most modern anti-malware solutions provide little, if any, protection from steganography," said Kaspersky Lab security researchers Alexey Shulmin, Evgeniya Krylova. As a result, any "carrier" such as a digital image or a video file that can be used to conceal stolen data, or communications between a malware program and a command and control server, poses a potential threat, they said.

Krylova told Dark Reading that organizations need to pay attention to the trend.

"Although steganography was used in ancient centuries, it is still actively used today by different malware authors and APT actors," she says. "This trend has been increasing over the last several years, even though it can be detected by different security suites, using mathematical and statistical methods."

Stegcontainers — or the object in which the payload is concealed - can take multiple forms, Krylova says. For instance, Kaspersky Lab has observed threat actors using audio files, text files, and even domain names, to hide data and C&C communications.

"But the primary concern is images," she notes. In most cases, the main payload that is being concealed within these images are conversations with the command and control server, commands received from the C&C and stolen files, she says.

The only one limitation on what threat actors can or cannot hide using steganography is the size of the container, Krylova says. "This is because you won’t be able to hide a lot of information in a container without visual distortion.”

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetiredUser
0%
100%
RetiredUser,
User Rank: Ninja
8/4/2017 | 4:50:55 PM
The Riga Tech University Paper
A great paper that breaks down the basics of steganography is "Development of Requirements Specification for Steganographic Systems" by Dāvids Grībermans, Andrejs Jeršovs, Pāvels Rusakovs from the Department of Applied Computer Science, Riga Technical University, Latvia.  In fact, the breakdown of Message Requirements, Container Requirements and Algorithm Requirements is quite interesting.  Additional requirements covered include Stegocontainer and Security.  Highly recommend this read for the newbie stego.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/7/2017 | 7:40:17 AM
Little to be done at present
As stated in the article, anti-malware is ineffective for infiltration that steganography can provide. Exfiltration of sensitive data will be prevalent as DLP programs have yet to review text within images and even easier, exfiltration of secret messages will be almost impossible to detect.
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30477
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of replies to messages sent by outgoing webhooks to private streams meant that an outgoing webhook bot could be used to send messages to private streams that the user was not intended to be able to send messages to.
CVE-2021-30478
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the can_forge_sender permission (previously is_api_super_user) resulted in users with this permission being able to send messages appearing as if sent by a system bot, including to other organizations hosted by the sa...
CVE-2021-30479
PUBLISHED: 2021-04-15
An issue was discovered in Zulip Server before 3.4. A bug in the implementation of the all_public_streams API feature resulted in guest users being able to receive message traffic to public streams that should have been only accessible to members of the organization.
CVE-2021-30487
PUBLISHED: 2021-04-15
In the topic moving API in Zulip Server 3.x before 3.4, organization administrators were able to move messages to streams in other organizations hosted by the same Zulip installation.
CVE-2020-36288
PUBLISHED: 2021-04-15
The issue navigation and search view in Jira Server and Data Center before version 8.5.12, from version 8.6.0 before version 8.13.4, and from version 8.14.0 before version 8.15.1 allows remote attackers to inject arbitrary HTML or JavaScript via a DOM Cross-Site Scripting (XSS) vulnerability caused ...