Steganography was malware before there was malware. In fact, the term dates back thousands of years and has only recently been used in cyber-circles. The word’s root is derived from the Greek word steganos, which means “covered” or “concealed.” Pre-technological generals used steganography all the time, receiving coded messages or maps buried inside other seemingly innocuous texts.

Steganography is an old trick, but hackers are great at making old things new again. We are seeing an increase in the use of hidden payloads in photos and graphics. These could be anything, from the make-you-melt photo of cuddly puppies making the rounds in the office to, perhaps more ominously, a seemingly harmless technical diagram that one of your clients needs to download.

Steganography on the rise

ThreatPost outlined the rising dangers recently:

“Even though steganography is a low-frequency attack vector, cybercriminals have figured out how to employ it in a manner that enables them to leverage the prevalence and rapid growth of social media to deliver a malicious payload.”

With this in mind, SmarterMSP caught up with Lisa Bock, instructor in the Information Technology department at Pennsylvania College of Technology, and one of the world’s top steganography experts as it relates to cybersecurity. Bock explains why there is a sudden spike in popularity among hackers.

“Steganography is gaining in popularity as a tool for hackers because it is used to conceal data and malware in a less obvious way, especially when using a complex carrier, such as an image with a larger number of megapixels,” details Bock.

Due to its appeal and relative ease of use, hackers are now using steganography to gain unauthorized access to a system and stay undetected in it.

“Malicious uses of steganography now include the ability to get into a system and communicate with an external entity using a covert channel, such as DNS or HTTPS,” describes Bock.

Getting into a system is just one aspect. The ultimate goal is to stay in the system and extract as much data from it as possible without authorization.

It’s easy for an overwhelmed employee dealing with ten other tasks to succumb to the quick distraction of a photo.

“Humans have difficulty identifying steganography unless there are obvious discrepancies, such as a blocky artifact, a visual identifier that appears as blocks of black squares, or areas on the image that appear grey or devoid of color,” notes Bock.

How should MSPs combat steganography?

MSPs should use a multi-layered approach to protect against photos that might contain a hidden payload.

“In an enterprise network, the security team should employ devices such as Intrusion Detection Systems (IDS), along with vigorous email scanning that alerts personnel if it detects evidence of steganography,” recommends Bock.
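One cheap check of the kind an email or file scanner can automate is to look for data appended after the end of the image container, which an image viewer never renders. The following is an added example written for this article, not code from the article, from Bock, or from any scanning product; the function names and the constructed sample PNG are the example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data: bytes) -> int:
    """Walk the PNG chunk list and return how many bytes follow the first
    IEND chunk. Decoders stop at IEND, so appended data never appears in the
    rendered picture, which makes it a cheap hiding place worth flagging.
    Returns -1 when the data is not a parseable PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length   # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            return -1                   # chunk claims more bytes than exist
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    return -1                           # ran off the end without an IEND

def is_suspicious_png(data: bytes, allowed_trailing: int = 0) -> bool:
    """Scanner verdict: True when the file is malformed or carries more
    trailing bytes than policy allows (some tools append a few bytes,
    so the threshold is configurable)."""
    trailing = png_trailing_bytes(data)
    return trailing < 0 or trailing > allowed_trailing

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(width: int, height: int) -> bytes:
    """Constructed test input: a valid 8-bit greyscale PNG, mid-grey pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter 0 per row
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    clean = build_sample_png(8, 8)
    stuffed = clean + b"CONSTRUCTED-HIDDEN-PAYLOAD" * 4   # bytes a viewer never renders
    print("clean:", png_trailing_bytes(clean), is_suspicious_png(clean))
    print("stuffed:", png_trailing_bytes(stuffed), is_suspicious_png(stuffed))
```

A hit from this check is a lead for the analyst, not proof of malice: it catches the crude appended-payload case, while pixel-level hiding needs statistical steganalysis on the decoded image.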

In addition to the latest technological tools, training is another weapon.

“Companies should use Security, Education, Training, and Awareness (SETA) to train users to spot phishing emails. Social engineering is a common way to gain access into a system and steganography is a perfect way to slip by conventional threat monitoring,” advises Bock.

The malicious payloads hidden in a photo will vary depending on what the hackers are trying to accomplish.

“Steganography can conceal a variety of payloads, depending on the carrier, and the motivation. It can be used to gain access while in the system. There may be a need to communicate with an external entity, such as a command and control (C&C) system,” details Bock, adding that some hidden malware can linger and constitute a “very dangerous” APT.

So what kind of dangers lurk in Grumpy Cat or the diagram of the solar irrigation system your client needs to study?

“The carrier must be able to pass as the original and appear harmless. Using an image to conceal malware is optimal, as users are tempted to view the image,” says Bock, adding that there are hundreds of steganography algorithms today.

“Not all are used in a malicious way. However, because of the increase in its recently revived use by hackers, we must be more vigilant and increase our knowledge on this fascinating yet dangerous tool,” recommends Bock.

Photo: Imilian / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.