Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 218: UNDERSTANDING THE RISK OF STEGANOGRAPHY
Reference Number ACG-CSB 092021218
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Steganography is a millennia-old concept that means hiding a secret message within an ordinary-looking file that doesn't raise any suspicions. The word has Greek roots, being a combination of steganos, which translates to "concealed, protected," and graphein, which means "writing.".
APT groups, ransomware gangs, and other threat actors often hide information when attacking a target. For example, they might conceal data when exfiltrating it, cloak a malicious tool, or send instructions for command-and-control servers. They could put all this information in unassuming image, video, sound, or text files.
Steganography is one-way malicious actors fly under the radar. "We often see it being used as the initial entry point, and once the threat actors are in the network, there are more tools and code that they will use to move laterally," Jon Clay, vice president of threat intelligence at Trend Micro, says.
Frequently, the secret data is cleverly hidden inside an image by manipulating a few bits. Still, if users look at the original photo and compare it with the altered one, they can't tell the difference. To show this, researchers at Kaspersky camouflaged the first ten chapters of Nabokov's novel Lolita inside the standard image Lenna. The initial photo (Lenna.bmp) and the changed one (Lenna_stego.bmp) look exactly the same to the naked eye. Also, both files are the same size, 786,486 bytes.
Several techniques could be employed to achieve that. One of the oldest ones is the least significant bit (LSB) substitution method, which became popular during the mid-1980s. It allowed the manipulation of roughly 15% of an image by changing the least important bit of each byte, the one farthest to the right.
Various types of threat actors, from crooks to cyberespionage groups, have used steganography to conceal information. One of the first powerful malware that took advantage of these techniques was Duqu, discovered in 2011. Its makers encrypted data and embedded it into a JPEG file.
More recently, APT groups like Platinum, OceanLotus/APT32, K3chang/APT15/Mirage/Vixen Panda, and MontysThree relied on steganography for cloaking encrypted payloads or maintaining on-system persistence. Meanwhile, RedBaldKnight/Bronze Butler/Tick built tools that can create, embed, and hide executables or configuration files, and Tropic Trooper/Pirate Panda/KeyBoy masked its backdoor routines and evaded anti-malware and network perimeter detection.
Researchers at Kaspersky have also identified an APT gang they call BountyGlad, which used steganography to support multi-stage implant delivery as a part of a supply chain attack, cloaking shellcode within a PNG file used to deliver the final stage payload. "The most sophisticated APT [groups] often use the simplest steganography techniques in elegant ways," says Kurt Baumgartner, principal researcher at Kaspersky. He noticed that, for these threat actors, steganography is more than data hidden in JPEGs or BMPs.
Using steganography during an attack is relatively easy. Protecting against it is much more complicated, as threat actors are getting more innovative and more creative. "Companies should embrace modern endpoint protection technologies that go beyond static checks, basic signatures, and other outdated components as code hidden in images and other forms of obfuscation are more likely to be detected dynamically by a behavioral engine," Figueroa says.
He has two more tips for organizations and their employees: First, if an image is unusually large, it might be a clue that steganography was used. Second, companies should focus detection efforts directly at the endpoints where encryption and obfuscation are easier to detect.
All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of STEGANOGRAPHY:
- Harden software distribution procedures. Avoid software downloads from untrusted sources or untrusted software that may contain stego code embedded. Having black/white listening policies and procedures also make a hardened environment.
- Protect the network from going down with a Network partition.
- Establish firewall policies to monitor all outbound traffic. Using well configured firewalls to prevent unauthorized users from accessing the network.
- Include all malicious websites into a blacklist using proper browser security procedures to block them.
- Define email policies to prevent users from downloading attachments from unknown senders.
- Install and use security software (such as antivirus and security endpoints to verify software updates and system performance).
- Limit user privileges across the network to avoid attacks to spread on all devices. Educate and train employees in IT security. Strong passwords should be mandatory.
For additional information, please refer to the following websites:
POINT OF CONTACT