NCSC – Weekly Threat Report 11th August 2017
Steganography is becoming increasingly popular
According to the cyber security company Kaspersky Lab, steganography is becoming increasingly popular with cyber actors and is used to conceal malware, data exfiltration and command and control (C&C) communications.
Steganography is the technique of concealing data within other, seemingly innocuous, information. In a digital context, it generally refers to hiding data within a media file. Image files are the most common, but video and text files are also used. Common ways of hiding data in a file include altering the image’s pixels in a way indistinguishable to the human eye, or including information in a part of the file format that doesn’t impact the image’s pixels.
Attackers are developing steganography techniques in many other ways. The cyber security company Trend Micro has reported on how exploit kits are using steganography tactics to hide malvertising traffic. In this case, attackers append their malicious code at the end of an image file.
The increase in steganography as an attack vector is concerning. Although there are detection tools, they can be expensive and some are not well developed. Due to the ever-increasing online social media culture, where sharing videos and images is commonplace, it is likely that attackers will continue to develop ways of using steganography to facilitate cyber attacks.
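As an added illustration (not part of the original report), the Python sketch below checks a PNG for the two non-pixel hiding places described above: data appended after the end of the image, and information carried in parts of the format that decoders ignore. The function names and the sample image are constructed for this example, and it does not detect data hidden by altering pixel values.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(text: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG, optionally carrying a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    parts = [PNG_SIG, _chunk(b"IHDR", ihdr)]
    if text:
        parts.append(_chunk(b"tEXt", text))
    parts += [_chunk(b"IDAT", zlib.compress(b"\x00\x00")), _chunk(b"IEND", b"")]
    return b"".join(parts)

def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report non-pixel chunks and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, ancillary, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk at offset %d" % pos)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            bad_crc.append(ctype.decode("latin-1"))
        # A lowercase first letter (bit 5 set) marks an ancillary chunk:
        # decoders may skip it, so it never changes the rendered pixels.
        if ctype[0] & 0x20:
            ancillary.append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":  # anything past this point is not image data
            return {"ancillary": ancillary, "bad_crc": bad_crc,
                    "trailing_bytes": len(data) - pos, "trailing_offset": pos}
    raise ValueError("no IEND chunk found")

if __name__ == "__main__":
    sample = build_sample_png(b"Comment\x00constructed") + b"CONSTRUCTED-APPENDED-DATA"
    print(inspect_png(sample))
```

A non-zero `trailing_bytes` value or an unexpectedly large ancillary chunk is a reason to examine the file further, not proof of malicious content, since benign tools also write metadata and padding.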
Cyber criminal use of cryptocurrency
Cryptocurrencies are decentralised digital cash systems. It’s the lack of a centralised institution monitoring and controlling payments that makes them attractive to criminals. Bitcoin was one of the first examples and employs pseudonymous ‘wallets’ to send and receive this digital money. It was reported this week that the Bitcoin wallets belonging to the WannaCry attackers have been emptied.
Unlike physical currency, the transaction history of Bitcoins is recorded publicly in the blockchain (the decentralised ledger which tracks and verifies transfers between wallets). Bitcoins obtained through criminal activities can therefore be identified, and many online exchanges will refuse to trade them.
Mixing services are one approach used by cyber criminals to launder their revenues. Bitcoins are sent to a trusted party who receives payments from many different clients and shuffles them around before returning them to different accounts owned by the same customers (after taking a cut for themselves). Just as money withdrawn from a bank will give you different notes from those you paid in, this leaves the criminal with different Bitcoins that have no apparent connection to the original crime. However, using mixing services is fraught with risk; the service provider may abscond with the payments, leaving their customers out of pocket.
Although mixing services are vital to cyber criminals, they are also used by law-abiding Bitcoin users seeking to retain their anonymity, whether because of fears for their safety or a commitment to the ethos of online privacy.