Hiding in the Cloud
August 4, 2015
Featured article by Ken Westin, Security Analyst for Tripwire
Researchers have detected Russian hackers operating in plain sight, using the cover of legitimate services including Twitter, GitHub and cloud storage services to steal data from organizations during the work day. Recently, a cyber gang known as APT29 created malware called Hammertoss which is very hard to detect. Using a different Twitter handle each day, they are able to send commands to infected machines through images embedded with encrypted command information; these commands direct the malware to upload the stolen information to cloud storage services. They also infect legitimate web servers and use them as part of their command and control infrastructure. A Hammertoss compromise of the cloud-based back-end infrastructure that supports many services could result in the breach of a huge number of organizations.
This particular method of attack is pretty clever because it takes advantage of most enterprise organizations' trust in, and whitelisting of, well-known social media and cloud service platforms. By downloading binary images and embedding commands in the images, they easily circumvent most detection mechanisms. The additional measure of encrypting the message within the image serves a double purpose: it hides the message in case the image is intercepted, and it cloaks the message in order to bypass any steganography detection tools an organization may have in place. Encrypted data in the image makes steganography detection harder because encrypted data generally has a high degree of randomness, making it much less suspicious, especially when embedded in image data.
Companies under attack from this malware would typically not be aware that their network is under attack, because Hammertoss looks for a designated Twitter handle that contains a tweet with a URL and hashtag. The malware is then directed to the URL, where it automatically decrypts the encoded instructions from an image and is then able to steal files. Once the files have been obtained, they are exfiltrated to a cloud storage service.
The APT29 group operates out of Russia, and based on a number of factors FireEye researchers believe it to be sponsored by the Russian government. The group is clever in the way it developed this tool, because its communication appears to be legitimate traffic. Many organizations utilize threat intelligence feeds to assist in the detection and blocking of known IP addresses and hosts associated with malware, along with the command and control infrastructure that precipitates other malicious activities. By utilizing services like Twitter and GitHub, this malware is able to leverage hosts and IPs that are more likely to be whitelisted by a given organization.
Organizations can protect themselves by ensuring critical infrastructure is not communicating with any of these services. A server running a critical application, for example, should not be communicating with Twitter or GitHub or any other cloud-based service. This can be a challenge when we are looking at endpoints such as laptops or desktops being used by employees, as the goal of this particular attack method is to appear to be legitimate traffic. However, the malware itself has to be installed on the target system before it can begin its communications with these services, so an organization's first and best defense is to block the installation of the malware in the first place. This is especially true for critical infrastructure; any binaries or files installed on these systems should be detected easily with file integrity monitoring and other endpoint security monitoring tools.
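The two preceding paragraphs make a detection argument: a reputation feed of known-bad IPs will not flag traffic to whitelisted services, but an egress policy tied to the role of the asset will, because a production server has no business talking to Twitter, GitHub or a cloud storage service. The script below, an added example that is not part of the original article and not Tripwire's code, runs both checks over a constructed proxy log. The log format, hostnames, the asset inventory, the blocklist and the IP addresses (drawn from reserved documentation ranges) are all assumptions made for the illustration.

```python
"""Flag critical servers contacting consumer social-media / cloud services.

Added example, not from the article. The proxy log format, the host
inventory, the blocklist and every IP address below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed watchlist: services the article describes as abused for
# command-and-control and exfiltration. In practice this comes from the
# organisation's own egress policy for server networks.
SOCIAL_AND_CLOUD_DOMAINS = (
    "twitter.com", "t.co",
    "github.com", "githubusercontent.com",
    "dropbox.com", "dropboxapi.com",
    "onedrive.live.com", "drive.google.com",
)

# Constructed asset inventory: hostname -> role.
ASSET_ROLES = {
    "db-prod-01": "critical-server",
    "app-prod-02": "critical-server",
    "laptop-jdoe": "workstation",
}

# Constructed reputation feed. It deliberately contains no Twitter/GitHub
# addresses, mirroring the article's point that known-bad IP feeds will not
# catch traffic to whitelisted platforms.
IP_BLOCKLIST = {"203.0.113.7"}

# Constructed log line shape: "<ts> <src_host> <src_ip> <method> <url> <dst_ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src_ip>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<dst_ip>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    domain: str
    reason: str


def _hostname(url: str) -> str:
    """Extract the lower-cased host part of a URL (scheme, path, port dropped)."""
    return re.sub(r"^[a-z]+://", "", url).split("/", 1)[0].split(":")[0].lower()


def _watchlisted_service(url: str) -> Optional[str]:
    """Return the watchlist entry the URL's host falls under, if any."""
    host = _hostname(url)
    for domain in SOCIAL_AND_CLOUD_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def check_blocklist(lines: List[str]) -> List[Finding]:
    """Reputation-only check: flag destinations present on the IP blocklist."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["dst_ip"] in IP_BLOCKLIST:
            findings.append(Finding(m["ts"], m["host"], _hostname(m["url"]), "blocklisted-ip"))
    return findings


def check_egress_policy(lines: List[str]) -> List[Finding]:
    """Role-based check: a critical server contacting a social/cloud service."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ASSET_ROLES.get(m["host"]) != "critical-server":
            continue
        service = _watchlisted_service(m["url"])
        if service:
            findings.append(Finding(m["ts"], m["host"], service, "critical-server-to-cloud-service"))
    return findings


# Constructed sample log. Destination IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2015-08-04T09:12:01Z db-prod-01 10.0.1.5 GET https://twitter.com/someaccount 198.51.100.10",
    "2015-08-04T09:12:03Z db-prod-01 10.0.1.5 GET https://raw.githubusercontent.com/x/y/img.png 198.51.100.20",
    "2015-08-04T09:15:44Z db-prod-01 10.0.1.5 PUT https://content.dropboxapi.com/2/files/upload 198.51.100.30",
    "2015-08-04T09:20:10Z laptop-jdoe 10.0.5.23 GET https://twitter.com/home 198.51.100.10",
    "2015-08-04T09:21:00Z app-prod-02 10.0.1.6 GET https://updates.vendor.internal/patch 192.0.2.9",
    "2015-08-04T09:22:00Z laptop-jdoe 10.0.5.23 GET http://203.0.113.7/x 203.0.113.7",
]

if __name__ == "__main__":
    for f in check_blocklist(SAMPLE_LOG) + check_egress_policy(SAMPLE_LOG):
        print(f"{f.ts} {f.host} -> {f.domain}: {f.reason}")
```

Against the sample log the blocklist check reports only the workstation's connection to 203.0.113.7, while the role-based check reports all three of db-prod-01's connections (Twitter, GitHub content, Dropbox API) and, correctly, ignores the same Twitter traffic from the workstation. The workstation case is where this policy stops helping, which is why the article puts endpoint controls and file integrity monitoring ahead of network detection for those assets.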
Once data is exfiltrated to a cloud-based service, it should be assumed the data is compromised. Even if you are able to get the data removed from the service, it's reasonable to assume that the data has most likely already been downloaded or backed up to a different service, either directly or indirectly, by the attackers.
About the Author
Ken Westin is an experienced security researcher and analyst who has worked with law enforcement and journalists to uncover organized cybercrime rings, with a special focus on incident detection, forensics and threat intelligence.