Why a Picture Is Worth a Thousand Files
The world is a visual place. Communication with photos and short videos has now become commonplace thanks to applications like Instagram and TikTok. Photos are easily taken from accessible devices and used to share information such as events, news, and even emotions at a rate and speed unlike anything before. But what many may not realise is that photos can also be used to inconspicuously share data or carry out a cyber-attack.
The practice of concealing messages, images, or files within other messages, images, or files is called steganography. It comes from the Greek word steganos (covered) and the Latin word graphia (graphy). With the popularity of photos and images, this hacking method will likely increase and continue to see success.
It’s What You Don’t See That’s Important – The Malware Payload Threat
Remember the Magic Eye images of the 1990s? People would place a colourful image in front of their nose and slowly pull it back to reveal another image hidden in the pattern. Now imagine a hidden file inside an image, not visible to the naked eye. It might look like an innocent photo, but hidden inside is a piece of malware waiting to infiltrate a computer or network. Steganography may not be the most common form of cyber-attack, but it packs a punch when used and goes easily undetected.
Cybercriminals may embed the threat as an overlay to an image in a PowerPoint deck for example, which is triggered when the file is opened. The payload then gets to work causing damage to systems and a loss of sensitive data.
Early in September 2022 researchers identified a threat group that targeted many victims, including government entities around the world, to gain access to devices. They concealed malware used to steal information inside PNG images. They were able to do so by least significant bit (LSB) encoding to store malicious code to the LSB in the image’s pixels.
Steganography – The Data Exfiltration Threat
Malware isn’t the only angle which puts a company at risk. Steganography examples can be traced back as early as 5 BC when used as a defence tactic by Histiaeus, a Greek ruler of Miletus. Histiaeus shaved and tattooed a man’s head with messages that would go unnoticed once his hair grew back. The allies, aware of the practice, found the warning messages on the man’s scalp.
Fast forward to 2022 when an employee of General Electric was convicted of conspiracy to commit economic espionage. While this sounds like something out of a thrilling motion picture, the former employee simply used steganography to steal company secrets in files by downloading, encrypting, and hiding them in a seemingly mundane sunset photo. He used his company email address and emailed the image to his personal account. According to court documents, the whole process took less than 10 minutes.
Again, while not as common as other cyber-attacks, the very quick way it can fly under the radar is reason enough to have a security solution that protects not only from threats coming into the organisation but keeps sensitive data from being exfiltrated out.
Can Organisations Detect Steganography?
The difficulty with steganography comes from the fact that it’s almost impossible to pinpoint the threat hidden within the image. Unless a cyber security team spends hours and hours unpacking every scanned image, it can easily go undetected. And even then, it might not be possible to get to the bottom of the threat and understand who’s behind it, unless you know which tool was used to encrypt the data. Twenty years ago, there was a tool that left a distinct pattern which made it easy to detect when an image had been tampered with. Today, as criminals want these images to go undetected, it’s very unusual to find any traces of tampering.
Antivirus detection tools aren’t much use against steganography until a file gets through and starts executing. Even then, what happens if the malware is brand new and never been seen before? For many organisations, it’s too big a risk to take.
Anti-Steganography Sanitizes Photos in Milliseconds
As best practice, organisations can apply an anti-steganography feature to sanitise all images as they pass through the network over a secure email or web gateway.
Anti-steganography software removes anything hidden within the image. It does not alter the image visually, but makes it impossible for recipients to recover anything hidden inside, including malware. The process happens automatically in seconds, so the flow of business is not disrupted. By cleansing all images, the risk from steganography is mitigated and the organisation remains secure.
In summary, steganography is a highly effective method for hiding data or malware in images and has been used successfully as both a method for launching attacks and stealing company data. Given the rapid progress of technology, threat actors will continue looking for new ways to use steganography in their malicious efforts to gain value. This is something organisations need to keep in mind and prepare for.
Alyn Hockey, VP of Product Management within the Digital Risk and Email Protection Business Unit, has had an extensive career in operations and cybersecurity covering support, pre-sales, R&D and product strategy. Alyn was part of the original team that launched the MIMEsweeper range of email and web security products and now works on the next generation cloud-based products within Fortra.