Inside the Briefcase

Augmented Reality Analytics: Transforming Data Visualization

Augmented Reality Analytics: Transforming Data Visualization

Tweet Augmented reality is transforming how data is visualized...

ITBriefcase.net Membership!

ITBriefcase.net Membership!

Tweet Register as an ITBriefcase.net member to unlock exclusive...

Women in Tech Boston

Women in Tech Boston

Hear from an industry analyst and a Fortinet customer...

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

IT Briefcase Interview: Simplicity, Security, and Scale – The Future for MSPs

In this interview, JumpCloud’s Antoine Jebara, co-founder and GM...

Tips And Tricks On Getting The Most Out of VPN Services

Tips And Tricks On Getting The Most Out of VPN Services

In the wake of restrictions in access to certain...

Hiding in the Cloud

August 4, 2015 No Comments

Featured article by Ken Westin, Security Analyst for Tripwire

Researchers have detected Russian hackers operating in plain sight using the cover of legitimate services including Twitter, Github and cloud storage services to steal data from organizations during the work day. Recently, a cyber gang known as APT29 created malware called Hammertoss which is very hard to detect. Using a variety of Twitter handles daily, they are able to send commands to infected machines using images embedded with encrypted command information, these commands allow them to upload the stolen information to cloud storage services. They also infect legitimate web servers and usethem as part of their command and control infrastructure. A Hammertoss compromise to the cloud based back-end infrastructure that supports many services could result in the breach of a huge number of organizations.

This particular method of attack is pretty clever because it takes advantage of most enterprise organizations trust and white listing of well-known social media and cloud service platforms. By downloading binary images and embedding commands in the images they easily circumvent most detection mechanisms. The additional measure of encrypting the message within the image serves a double purpose of hiding the messages in the image in case it is intercepted, as well cloaking the messages in order to bypass any steganography detection tools an organization may have in place.  Encrypted data in the image makes steganography detection harder because encrypted data generally has a high degree of randomness making it much less suspicious, especially when embedded in image data.

Companies under attack from this malware would typically not be aware that their network is under attack because Hammertoss looks for a designated Twitter handle that contains a Tweet with a url and hashtag. The malware is then directed to the URL where it automatically decrypts encoded instructions from an image and then is able to steal files. Once the files have been obtained, they are exfiltrated to a cloud storage service.

The APT29 group operates out of Russia, and based on a number of factors FireEye researchers believed it to be sponsored by the Russian government. The group is clever in the way they developed this tool because its communication appears to be legitimate traffic. Many organizations utilize threat intelligence feeds to assist in the detection and blocking of known IP addresses and hosts associated with malware along with command and control infrastructure that precipitates other malicious activities. By utilizing services like Twitter and Github, this malware is able to leverage hosts and IPs that are more likely white listed by a given organization.

Organizations can protect themselves by ensuring critical infrastructure is not communicating with any of these services. A server running a critical application, for example, should not be communicating with Twitter or Github or any other cloud based service. This can be a challenge when we are looking at endpoints such as laptops or desktops being used by employees, as the goal of this particular attack method is to appear to belegitimate traffic. However, the malware itself has to be installed on the target system before it can begin its communications with these services, so organizations first and best defense is to block the installation of the malware in the first place. This is especially true for critical infrastructure; any binaries or files installed on these systems should be detected easily with file integrity monitoring and other endpoint security monitoring tools.

Once data is exfiltrated to a cloud based service it should be assumed the data is compromised. Even if you are able to get the data removed from the service it’s reasonable to assume that the data has most likely has automatically been downloaded or backed up to a different service either directly or indirectlyby the attackers.

ken

About the Author

Ken Westin is an experienced security researcher and analyst that has worked with law enforcement and journalists to uncover organized cybercrime rings with a special focus on incident detection, forensics and threat intelligence.

 

Leave a Reply

(required)

(required)


  • TOPICS

     APPLICATION INTEGRATION
     DATA and ANALYTICS 
     DIGITAL HEALTH
     SOCIAL BUSINESS
     MOBILE DATA
     DATA SECURITY
     DATA PRIVACY
     CLOUD DATA
     HR TECHNOLOGY

    • ADVERTISEMENT

    Gartner

    WomeninTech






    IT BRIEFCASE MEDIA PARTNERS
    Gartner

    IBC 365

    Gartner

    cloudexpo

    unicom

    tdwi

    World Congress

    Witi

    Broadgroup

    The Open Group

    gsmi

    tmforum