Too much information can be bad for us, with our increasing exposure to fake news and cyber-bullying testament to this.

But there’s another more menacing aspect that’s less prominent. It relates to the data we can’t see, the data that carries and conveys information - via news, payment requests or even pictures of eggs - delivering content straight to our systems and devices. This is where advanced cyber-attacks reside with zero-day and undetectable threats hidden in just about every type of document we might access.

Many of us could have felt compelled to act when a picture of an egg was posted to a brand new Instagram account with the caption of "Let's set a world record together and get the most liked post on Instagram". The image achieved over 48 million likes in just 10 days and led some to question its purpose.

While still debatable, this clever stunt does highlight our innate love of sharing content – whether that’s to achieve a sense of belonging or to be seen as an advocate of great or fun content. This in turn underscores the immense opportunity for hackers to take advantage of our craving to share images and jump on viral trends to spread dangerous malware hidden deep within infected photos.

Steganography – it’s hard to beat

Image steganography is becoming the concealment technique of choice for cyber-criminals and is one of the most frightening and underestimated threats out there. Using steganography, secrets can be concealed in a totally innocuous-looking image file, with malicious code triggered as soon as the picture opens on a device.

Cyber-criminals can encode both the initial infection and the information they want to steal into the pixel data of images. This entire works of Shakespeare shows how much information can be encoded behind an image and, in many cases, the file can contain dangerous attack code.

Unlike cryptography (where the secret is concealed in a jumble of letters and numbers, which at the very least suggests that something may be hidden), the very presence of a secret concealed using image steganography cannot be discerned and provides the perfect cloak of invisibility – enabling it to pass traditional defences, like anti-virus or sandboxing. Only those who encode the original secret in the file know it’s there and have the key to decode and extract what's hidden inside.

Another way of getting the picture to carry code is to construct the file so that it represents both the image and attack code. This polyformatted file makes the Instagram file look like an egg when viewed as an image, but when run as a program, has the potential to wreak havoc.

The code is unlikely to run on its own, but the attacker can now send another bit of code that’s harmless - so will escape anti-malware defences. The code can then do its worst by finding the image containing the dangerous content and launching it. So, the attacker has smuggled in the dangerous malware disguised as an egg, and then goes under the radar to trigger the main attack. We saw something similar in action at the Pyeongchang Olympics where the attack code was hidden in an image to avoid detection.

Could a picture scramble the internet?

The risks from steganography surround us. Large enterprises in particular are at risk of cyber-criminals using steganography to infiltrate their systems then exfiltrate information with monetary value, such as credit card details.

But just because consumers may not be the primary target for traditional steganography attacks doesn’t mean that cyber-criminals won’t use viral images to disseminate their malware amongst consumers.

If a hacker is savvy enough to put the attack code in a picture of a cute baby or insightful meme, their attack code has the potential to reach a huge section of the Internet in a few days. With hyper-shared content, even just looking at the image on social media could result in the lethal code being downloaded as a cache onto the user’s device.

The attack can be written so it lies dormant until a deadline is reached, at which point 48 million devices that have opened the egg picture suddenly do the attacker’s bidding – wreaking havoc across the Internet – much like the combined power of IoT devices leveraged in the Mirai Botnet.

The cracks are beginning to show

History tells us that detect and protect solutions are falling short as steganography operates happily beneath the radar. If the file is interpreted as code, it’s generally impossible to determine what it will do. On this occasion, the viral egg photo does not appear to have any hidden messages triggering nefarious activity. However, I was able to encode the tale of Humpty Dumpty into the picture – and someone else could easily use the image’s same capacity to write in a dangerous attack code. In such an event, we’d probably only find out when forensically analysing how a catastrophic cyber-event occurred.

Such attacks demonstrate how we can no longer rely on detecting the threats, because we know we can’t always succeed. Instead, we must eliminate the cause by developing new prevention solutions, like Content Threat Removal, that strip any unwanted and potentially malicious data from the content, so there’s no risk of threats concealed within images using steganography entering an organisation.
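
As an added illustration (not from the original article, and not a description of how any Content Threat Removal product works), the sketch below applies the stripping idea to one narrow case: rebuilding a PNG from only the chunks needed to render it, which discards ancillary chunks and any bytes appended after the image, the kind of extra content a polyformatted file depends on. The choice of PNG, the function names and the sample file are assumptions; data hidden in the pixel values themselves is not touched by this step.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types a decoder needs to render the picture; everything else is dropped.
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def sanitise_png(raw):
    """Rebuild a PNG from rendering chunks only; ValueError means block the file."""
    if not raw.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out, dropped, pos, seen_end = [PNG_SIG], [], len(PNG_SIG), False
    while pos < len(raw) and not seen_end:
        if pos + 12 > len(raw):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", raw[pos:pos + 4])
        ctype = raw[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(raw):
            raise ValueError("chunk overruns file")
        data = raw[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", raw[end - 4:end])
        if crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise ValueError("bad CRC in %r" % ctype)
        if ctype in KEEP:
            out.append(make_chunk(ctype, data))  # re-serialised, not copied
        else:
            dropped.append(ctype.decode("latin-1"))
        seen_end = ctype == b"IEND"
        pos = end
    if not seen_end:
        raise ValueError("missing IEND")
    # Anything after IEND is never rendered; report its size and discard it.
    return b"".join(out), {"dropped_chunks": dropped, "trailing_bytes": len(raw) - pos}


def constructed_sample():
    """Constructed 1x1 grayscale PNG with a text chunk and appended bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x7f")  # filter byte + one pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", b"Comment\x00hidden note")
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + b"APPENDED-NON-IMAGE-DATA")
```

The report is worth logging even when the file is delivered: a non-zero `trailing_bytes` count on an inbound image is the kind of evidence that otherwise only surfaces in later forensic analysis.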

The cracks are already showing in traditional solutions. The cyber-security industry must shift from detect and protect to threat elimination if it hopes to continue to secure our data, devices and networks.

This article was originally published in SC Magazine UK on 8th February 2019.
