June 8, 2023

Security Toolbox: Steganography - WST

Steganography, simply put, is the art of hiding information within an object. That object could be a picture, a set of words, or even a piece of audio, to name a few. One of the most notable examples of steganography is the ciphers used by spies in World War II. The spies sent a message that said one thing, then the intended party used a key to find the true meaning of the message. This way, if an unintended party intercepted the message, they would either be thrown off completely or be unable to ascertain any meaning from it. This proved an effective method of communication, as it took the combined efforts of thousands of talented codebreakers between the U.S. and Britain to crack the German codes in World War II.

Today digital steganography is used by bad actors hoping to penetrate networks. One such technique is Least Significant Bit (LSB) steganography. It is straightforward: the person hiding the information embeds it in the least significant bits of a media file. In an image file, each pixel is made up of three bytes of data corresponding to the red, green, and blue color channels. With LSB steganography, you change the last bit of each of those bytes to hide one bit of data. This means that to hide a single megabyte of data, you would need an eight-megabyte image file! The change is not visible in the image.
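As an added illustration that is not part of the original post, the following Python works directly on a raw 8-bit RGB byte buffer (constructed inline) to show the one-bit-per-byte mechanism and the 8:1 cover-to-payload ratio described above, along with the one-unit maximum change that keeps the embedding invisible. The 32-bit length header and the pairs-of-values imbalance statistic used as a detection signal are choices made for this example, not something the post describes.

```python
import struct

# Constructed cover: 64 pixels of one flat RGB colour (200, 100, 50) = 192 bytes.
COVER = bytes([200, 100, 50]) * 64
PAYLOAD = b"hidden cmd"  # constructed 10-byte payload

def lsb_capacity_bytes(cover: bytes) -> int:
    """One payload bit per cover byte (8:1), minus the 4-byte length header."""
    return max(0, len(cover) // 8 - 4)

def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes with a 32-bit big-endian
    length header followed by the payload, most significant bit first."""
    if len(payload) > lsb_capacity_bytes(cover):
        raise ValueError("payload exceeds one eighth of the cover size")
    out = bytearray(cover)
    for i, byte in enumerate(struct.pack(">I", len(payload)) + payload):
        for j in range(8):
            out[i * 8 + j] = (out[i * 8 + j] & 0xFE) | ((byte >> (7 - j)) & 1)
    return bytes(out)

def lsb_extract(stego: bytes) -> bytes:
    """Rebuild bytes from LSBs: read the length header, then that many bytes."""
    def read(offset: int, n_bytes: int) -> bytes:
        vals = bytearray()
        for i in range(n_bytes):
            b = 0
            for j in range(8):
                b = (b << 1) | (stego[offset + i * 8 + j] & 1)
            vals.append(b)
        return bytes(vals)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(32, length)

def max_byte_change(cover: bytes, stego: bytes) -> int:
    """LSB embedding never moves a channel value by more than 1 (invisible)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def pov_imbalance(buf: bytes) -> float:
    """Pairs-of-values statistic: sum of |count(2k) - count(2k+1)| over all
    pairs, divided by length. Payload bits push each pair toward equal
    counts, so a drop versus comparable clean images is a detection signal."""
    hist = [0] * 256
    for b in buf:
        hist[b] += 1
    return sum(abs(hist[k] - hist[k + 1]) for k in range(0, 256, 2)) / len(buf)

STEGO = lsb_embed(COVER, PAYLOAD)
```

Calling `lsb_extract(STEGO)` recovers the payload, `max_byte_change(COVER, STEGO)` is 1, and `pov_imbalance` falls from 1.0 on the flat cover to a lower value on the stego buffer.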

One good example of digital steganography in use by bad actors was the 2020 SolarWinds attack, in which parts of the malware were hidden in images. This attack affected organizations from the private sector all the way up to federal government agencies.

At the end of the day, digital steganography is an obfuscation method, meaning it is used by bad actors in hopes of hiding from threat detection tools and security analysts. It is also common for antivirus products not to scan non-executable file types such as images and sound files. So, what can you do to protect yourself from these attacks? First and most important, advise users that this is a threat vector. Users should be wary of downloading files of any sort from unverified sources. Second, endpoint security should be evaluated and configured to do more than static signature-based detection. Dynamic behavior-based analysis is becoming more common in endpoint security and is a valuable tool for protecting the network from attacks that are not so run-of-the-mill.

Bonus: In case you missed it, there are a couple of news items of note this week:
The recently discovered MOVEit Transfer and MOVEit Cloud zero-day vulnerability has resulted in many successful attacks against organizations that use the products. If your organization uses MOVEit and you haven’t heard anything internally about how your company was affected, make sure this news didn’t get missed. https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2023-34362

Also, an announcement this week from Barracuda regarding the recent vulnerabilities in the Email Security Gateway (ESG) self-hosted appliance. The company says that if you were impacted by the vulnerability, “appliances must be immediately replaced regardless of patch version level.” What a headache! https://www.barracuda.com/company/legal/esg-vulnerability

Authored by: Cory Koetter, Sec+, CySA+
