What is steganography?
It consists in concealing a message within another message. It is a combination of two Greek words: “steganos”, which means covered or concealed and “graphein” that means writing. Not like cryptography (the message goes under an encrypted pattern), stego messages are hidden in plain view. This “technology” has been used for ages, like using invisible ink to hide a secret in a regular sheet of paper.
Recently, an increasing number of attacks conducted by cybercriminals have been deployed using steganography. What is more, it can be practiced within an image or any anonymous software available on the web.
In the social media world, we are used to see funny images or memes. What people don’t know and are not aware of is some of them can contain hidden commands to execute malware that can compromise their devices.
Some researchers have identified a piece of malware that responds to executable commands imbedded in a meme posted on Twitter. This two pictures detected had the “/print” command which told the malware to take screenshots from the infected device. Other commands such as “, “/clip” and “/docs” where used to get a list of running processes, steal clipboard content or filenames and folders. When an infected device views a steganographic image, the malware which is already on it, responds to the executable commands imbedded in the image. That doesn’t mean that every time you view this image it automatically infects your device. In this particular case, that command only affected devices already infected with a certain malware.
To minimize the impact from these attacks, security solutions are constantly being updated with lists of malicious IP addresses and pieces of malicious code used in malware. And this is why some hackers are using trusted websites, like they did in Twitter, and widely used technologies to execute certain steps of steganographic cyberattacks.
How to prevent steganography (or any type of attack)
If there is any suspicious image, re-check it with any image editing tool. Here are some keys to verify if it has been modified:
- Image size is larger than usual (a picture with a size in MB is unusual)
- Review EXIF data embedded in the picture (it gives technical information about the photo) Mostly, if the image is modified, this data is removed or some parts of it.
- Use a steganography tool (such as Steghide, Foremost or Stegsolve) to decode it. Sometimes, just opening the picture as a .txt file gives the decoded message.
Anyway, all IT environments can be enforced with best practices to prevent them from being affected from these types of attacks:
- Harden software distribution procedures. Avoid software downloads from untrusted sources or untrusted software that may contain stego code embedded. Having black/white listening policies and procedures also make a hardened environment.
- Protect the network from going down with a Network partition.
- Establish firewall policies to monitor all outbound traffic. Using well configured firewalls to prevent unauthorized users from accessing the network.
- Include all malicious websites into a blacklist using proper browser security procedures to block them.
- Define email policies to prevent users from downloading attachments from unknown senders.
- Install and use security software (such as antivirus and security endpoints to verify software updates and system performance).
- Limit user privileges across the network to avoid attacks to spread on all devices. Educate and train employees in IT security. Strong passwords should be mandatory.
It looks like hopeless if we are concerned about our IT environment security, but at the same time cybercriminal are becoming better, our anti-threat tools are too.
Author: Silvia Martínez