Fully aware of the growing investment companies make in cybersecurity tools, threat actors constantly tweak, diversify and refine their attack strategies to evade detection. One recent trend is the increasing use of steganography as an attack vector for objectives such as masking communications or delivering malware. This article explains what steganography means in cybersecurity and why attackers use it, gives examples of real-world incidents that relied on it, and offers mitigation advice.
Steganography is the practice of concealing a message or other data inside something ordinary that looks innocuous and is not itself secret. The practice traces back to Ancient Greece, and the word itself comes from Greek roots meaning roughly "covered writing."
From a cybersecurity perspective, the worry is that some threat actors could feasibly use this technique to embed malicious data within seemingly normal files. And this worry is not just a theoretical possibility; several cyberattacks in the last few years have used the technique.
But how exactly does steganography work in a cyber crime? Digital images are the most common carrier because they contain a lot of redundant data: the lowest-order bits of each color value can be overwritten with payload bits without any visible change to the picture. And since images are everywhere in the digital landscape, an image file rarely raises a red flag. Video, document and audio files offer the same kind of slack and serve as alternative carriers for malicious payloads.
Network-based steganography is also possible: protocol header fields in TCP/IP (the IPv4 Identification field, TCP initial sequence numbers, unused or reserved bits) or the timing between packets can carry a few bytes per packet. These techniques give intruders hidden channels for covert communication that slip past traffic analysis tools looking only at payloads, destinations or flow volumes. Covert communication matters most during the command and control phase of the cyber kill chain.
Another use of steganography is the data exfiltration stage of an attack. Many threat actors now treat data theft as the primary objective, and security teams have become better at detecting exfiltration by watching for unusual volumes, destinations or encrypted flows. Hiding stolen data inside legitimate-looking communications such as image uploads or ordinary web traffic defeats those volume- and destination-based checks, because the carrier is exactly the kind of traffic the controls expect to see.
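As an added illustration (not code from the article), here is a minimal version of the header-field channel described above, usable equally for inbound commands or outbound data: the sender writes two message bytes into the 16-bit Identification field of each IPv4 header, the receiver reads them back, and a crude detector scores a sequence of IDs. The addresses, the messages and the detection threshold are constructed values; the packets are built in memory and never sent.

```python
import socket
import struct
from typing import Dict, List

# Added example, not code from the article: a covert channel through the 16-bit
# IPv4 Identification field, with a crude detector. Nothing touches the wire;
# the addresses below are constructed sample values.


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); zero for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, ident: int, payload_len: int = 0,
                      proto: int = 6, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the chosen Identification."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,          # version 4, IHL 5 words
                         0,                     # DSCP/ECN
                         20 + payload_len,      # total length
                         ident & 0xFFFF,        # Identification: the covert slot
                         0x4000,                # flags: DF set, fragment offset 0
                         ttl, proto,
                         0,                     # checksum placeholder
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(hdr: bytes) -> Dict[str, object]:
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
            "ident": ident, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum(hdr[:20]) == 0}


def embed_in_ip_id(src: str, dst: str, message: bytes) -> List[bytes]:
    """Sender side: two message bytes per packet, NUL-padded to even length."""
    if len(message) % 2:
        message += b"\x00"
    return [build_ipv4_header(src, dst, (message[i] << 8) | message[i + 1])
            for i in range(0, len(message), 2)]


def extract_from_ip_id(packets: List[bytes]) -> bytes:
    """Receiver side: reassemble the bytes from each ID field, strip padding."""
    out = bytearray()
    for p in packets:
        ident = parse_ipv4_header(p)["ident"]
        out += bytes([ident >> 8, ident & 0xFF])
    return bytes(out).rstrip(b"\x00")


def printable_id_ratio(idents: List[int]) -> float:
    """Detection heuristic (an assumption for this example, not a vendor rule):
    a host's IP IDs are normally a counter or random values, so a run of IDs
    that all decode to two printable ASCII bytes suggests text in the field."""
    def printable(b: int) -> bool:
        return 0x20 <= b <= 0x7E
    hits = sum(1 for i in idents if printable(i >> 8) and printable(i & 0xFF))
    return hits / len(idents) if idents else 0.0


def run_demo() -> Dict[str, object]:
    src, dst = "10.0.0.5", "203.0.113.9"          # constructed addresses
    covert = embed_in_ip_id(src, dst, b"whoami")  # constructed C2 command
    counter = [build_ipv4_header(src, dst, i) for i in range(1000, 1020)]
    ids = lambda pkts: [parse_ipv4_header(p)["ident"] for p in pkts]
    return {"recovered": extract_from_ip_id(covert),
            "covert_score": printable_id_ratio(ids(covert)),
            "normal_score": printable_id_ratio(ids(counter)),
            "checksums_ok": all(parse_ipv4_header(p)["checksum_ok"] for p in covert)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The same idea applies to TCP initial sequence numbers, the TTL, reserved bits or inter-packet timing. Some middleboxes rewrite these fields (firewalls that randomise sequence numbers, for example), so real channels add framing and error correction, and a detector should compare a host's ID sequence against its normal behaviour rather than rely on one heuristic like the printable-ASCII ratio above.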
Since steganography requires a lot of effort and nuance to get right, its use often involves advanced threat actors with specific targets in mind.
Since steganography and cryptography both keep information away from prying eyes, it is worth briefly comparing the two. Cryptography takes a message or file and makes it unreadable to anyone without the decryption key, but the existence of the protected data is plain to see. Steganography hides the information in plain sight so that an unsuspecting observer does not know there is anything to look for. The two are routinely combined: an attacker encrypts the payload first and then hides the ciphertext, so even an analyst who finds and extracts the hidden data still has nothing readable without the key.
Here are some examples of attacks within the last five years that have used steganography either alone or paired with other techniques:
In November 2020, Dutch eCommerce security firm Sansec published research showing that threat actors had embedded skimming malware inside SVG graphics on eCommerce checkout pages. The malicious payload was hidden inside the SVG images, and the decoder that activated it was hidden separately elsewhere on the pages.
Users entering their details on the compromised checkout pages wouldn’t notice anything suspicious because the images were simple logos from well-known companies like Facebook and Google. And because the payload was contained within what appeared to be the correct use of SVG element syntax, standard security scanners searching for invalid syntax couldn’t detect the malicious activity.
The 2020 SolarWinds attack gained rapid notoriety for compromising several US federal agencies along with thousands of other organizations worldwide. This supply chain attack hid a backdoor inside seemingly legitimate updates to the Orion network monitoring software.
While the SolarWinds breach had many layers of complexity, steganography was used in the command and control phase to hide command data. The control servers returned seemingly benign XML in HTTP response bodies, mimicking Orion's own API traffic, and the commands were disguised as ordinary-looking hexadecimal and GUID-style strings scattered through that text; the backdoor picked those strings out, concatenated and decoded them to recover its instructions.
In June 2020, Kaspersky released a report on targeted attacks it had observed against industrial enterprises in several countries. Steganography came into play after targets opened Excel email attachments containing malicious macros. The macros ran PowerShell scripts, one step of which downloaded selected images from public image hosting services. Each image carried further malicious data hidden in its pixel values; once decoded, that data let the threat actors install trojans used to steal passwords and spy on network traffic.
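As an added, self-contained example (not the article's code and not the campaign's actual tooling), the following shows the pixel-level mechanics behind the image technique described earlier and the Kaspersky case above, together with one classical detection check. It is plain least-significant-bit replacement on a constructed RGB sample buffer; the payload is a short tag plus pseudo-random bytes standing in for an encrypted second stage, since attackers usually encrypt before hiding. The image dimensions, seeds, payload size and analysis block size are all assumptions.

```python
import random
import struct
from typing import List, Tuple

# Added example, not code from the article or from the campaigns it describes.
# Embeds a payload in the least-significant bits of a constructed RGB buffer,
# recovers it, and runs the chi-square pair test (Westfeld and Pfitzmann) that
# flags sequential LSB replacement. Dimensions, seeds and payload are constructed.


def make_cover(width: int = 64, height: int = 64, seed: int = 1) -> bytearray:
    """Constructed stand-in for a decoded RGB image (one byte per channel).
    Real photos have uneven counts within each value pair (2k, 2k+1); that
    property is imitated here by forcing 60% of samples to even values."""
    rng = random.Random(seed)
    cover = bytearray()
    for _ in range(width * height * 3):
        value = rng.randrange(256)
        if rng.random() < 0.6:
            value &= 0xFE
        cover.append(value)
    return cover


def make_payload(n: int = 600, seed: int = 7) -> bytes:
    """Constructed payload: a tag plus pseudo-random bytes that stand in for an
    encrypted second stage, which is what an attacker would typically hide."""
    rng = random.Random(seed)
    return b"STAGE2:" + bytes(rng.randrange(256) for _ in range(n))


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Write a 4-byte length prefix plus the payload, one bit per sample, into
    the LSB of consecutive samples. Each sample value changes by at most 1."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def _read_lsb_bytes(samples: bytes, bit_offset: int, nbytes: int) -> bytes:
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (samples[bit_offset + b * 8 + j] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Decoder side, as a downloaded image would be processed on the victim:
    read the length prefix, then that many bytes from the following LSBs."""
    (length,) = struct.unpack(">I", _read_lsb_bytes(stego, 0, 4))
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier; probably no payload")
    return _read_lsb_bytes(stego, 32, length)


def chi_square_blocks(samples: bytes, block: int = 2048) -> List[float]:
    """Detection: per block, compare the counts of each value pair (2k, 2k+1)
    with their mean. LSB replacement with roughly random bits equalises the
    two members of every pair, so embedded blocks score near the number of
    pairs (about 128) while untouched blocks score far higher."""
    scores = []
    for start in range(0, len(samples) - block + 1, block):
        hist = [0] * 256
        for v in samples[start:start + block]:
            hist[v] += 1
        chi = 0.0
        for k in range(128):
            even, odd = hist[2 * k], hist[2 * k + 1]
            expected = (even + odd) / 2
            if expected:
                chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        scores.append(chi)
    return scores


def run_demo() -> Tuple[bool, List[float], List[float]]:
    cover = make_cover()
    payload = make_payload()
    stego = embed_lsb(cover, payload)
    recovered = extract_lsb(stego) == payload
    return recovered, chi_square_blocks(cover), chi_square_blocks(stego)


if __name__ == "__main__":
    ok, cover_scores, stego_scores = run_demo()
    print("payload recovered:", ok)
    print("cover blocks:", [round(s) for s in cover_scores])
    print("stego blocks:", [round(s) for s in stego_scores])
```

With a real image, `Image.open(path).tobytes()` from Pillow on an RGB file yields the same interleaved byte layout the functions above consume. The chi-square scores drop sharply in the blocks that hold the payload (the first two here) and return to the cover's level where it ends, which is how the test localises an embedded region without knowing its length. It is blind to payloads scattered across pseudo-random pixel positions or embedded by LSB matching (adding or subtracting 1 instead of overwriting the bit), which is why production steganalysis relies on richer statistical features and trained classifiers rather than this single test.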
The core difficulty in combating steganography is that a well-made carrier is hard to distinguish from a benign file or flow, so detection cannot rely on signatures alone. Some mitigation measures include:
In the cat-and-mouse game that defines much of modern cybersecurity, threat actors will keep evolving their tactics and adopting new methods to reach their goals without being caught. Knowing that steganography is an attack vector means you are already on the lookout for it.
But to truly stop attackers in their tracks, you need accelerated detection and response. With security teams overburdened and skilled staff scarce, managed detection and response offers a proactive approach that strengthens your security posture while lowering costs.
Contact the Nuspire team today to find out more about our managed security services.