by John Stevenson | Blog

News today of LightNeuron, a highly evasive exploit, highlights the increasing use of steganography by cybercriminals.

How LightNeuron Works

Researchers have today revealed the workings of LightNeuron, a highly evasive exploit they attribute to a Russian cyberespionage group. In summary, the exploit involves the installation of a DLL onto a Microsoft Exchange server that runs as a malicious Transfer Agent extension. Using this, the criminals are able to take complete control of the mail server, modifying, redirecting, blocking or deleting emails as they see fit. Rather than connecting directly to the transfer agent, the attackers send remote commands and instructions to it in PDF or JPG email attachments, concealed using steganography.

Initial Compromise

Details of the way the initial compromise is achieved are hazy, but installing a DLL onto an Exchange server requires administrator privileges. This is likely achieved by exploiting a poorly secured Exchange server using malware delivered in a Word or PDF document via email, web download or file transfer.

Customers of Deep Secure’s Content Threat Removal technology are protected from this type of infiltration technique because of the unique way that Deep Secure transforms all business content arriving at the network boundary. By extracting only the valid business information from incoming documents and images, discarding the originals and creating brand new documents and images for onward delivery that just contain the business information, the initial exploit is prevented.

Disrupting the Command and Control Channel

Remote control of the malicious transfer agent is concealed using steganography. Using this technique, commands are encoded into image files and sent as PDF or JPG email attachments. At the destination, the malicious agent decodes and executes them. Concealing the command and control channel using steganography is extremely effective. Done properly, the concealment of a secret using image steganography is totally undetectable, and there are no obvious indicators at a network level other than the presence of emails with attachments entering the organisation.

Customers of Deep Secure’s Content Threat Removal technology benefit from the fact that command and control channels concealed using image steganography are disrupted and rendered useless because of the unique way that Deep Secure transforms every image arriving at the network boundary. The transformation process subtly changes the images leaving them looking entirely normal but destroying any secret contained within and making it impossible for them to be used to remotely control the mail server.
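The two mechanisms described above (commands hidden in an image, and a transformation that leaves the image looking normal while destroying the secret) can be shown with a small least-significant-bit (LSB) stego channel and a stand-in re-rendering step. This is an added illustration written for this post, not Deep Secure's own code and not LightNeuron's encoding; the cover "image" is a constructed strip of 8-bit greyscale pixels and the +/-1 dither is an assumed, simplified model of what a content transformation does to an image.

```python
import random

def lsb_embed(cover, payload):
    """Write each payload bit into the least-significant bit of one pixel.
    Only the LSB changes, so the stego image is visually identical to the cover."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego

def lsb_extract(pixels, length):
    """Receiver side: read `length` bytes back out of the pixel LSBs."""
    out = bytearray()
    for i in range(0, length * 8, 8):
        value = 0
        for pixel in pixels[i:i + 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)

def rerender(pixels, seed=0):
    """Assumed stand-in for a content-transformation step: re-render every
    pixel with a +/-1 dither. On 8-bit data this is imperceptible, but it
    rewrites the LSB plane that the hidden channel depends on."""
    rng = random.Random(seed)
    return [min(255, max(0, p + rng.choice((-1, 0, 1)))) for p in pixels]

def demo(payload=b"sample-payload", seed=0):
    """Returns (recovered before transform, recovered after, max pixel change)."""
    rng = random.Random(1234)
    cover = [rng.randint(16, 239) for _ in range(512)]  # constructed cover strip
    stego = lsb_embed(cover, payload)
    before = lsb_extract(stego, len(payload))   # intact channel: payload recovered
    clean = rerender(stego, seed)
    after = lsb_extract(clean, len(payload))    # transformed: payload destroyed
    max_delta = max(abs(a - b) for a, b in zip(stego, clean))
    return before, after, max_delta

if __name__ == "__main__":
    before, after, max_delta = demo()
    print("before transform:", before)
    print("after transform: ", after)
    print("largest per-pixel change:", max_delta)
```

Simple LSB embedding breaks under any re-rendering; a transformation intended to disrupt steganography in general has to change more than the low bits, since more robust schemes embed in frequency coefficients or spread the secret across many pixels.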

Deep Secure Content Threat Removal transforms every document and image that arrives at the security boundary, without trying to second-guess whether it is “good” or “bad”, and so provides the only effective defence against sophisticated, evasive attacks such as LightNeuron.
