
Okay, apparently we're live and I can't see it, but hi everybody. This is Jacob Benjamin with stenography... steganography. I knew I'd screw that up, I told you I'd screw that up, in OT cyber campaigns. Oh, it's yours, buddy, thanks. Hello everyone. Like I said, my name is Jacob Benjamin. I'm going to talk to you about steganography and how it can be used as part of OT cyber campaigns, so campaigns specifically against operational technology such as those in critical infrastructure.

So just a little bit about myself. I work for Dragos; I am a principal industrial consultant, so for critical infrastructure we go in and we do architecture reviews, pen tests and things like that. I previously worked for INL as well as Duke Energy, and I've got some research areas here; you can see that I've done some steganography research and stuff in the past.

So the purpose of this is: I'm going to talk about some research that I did while I was at the University of Idaho, as well as a practical implementation of the technique that I did on a pen test while working for Dragos. I'll also briefly cover some mitigations and detections for steganography. Specifically, the research that I did was evaluating the effectiveness of OPSWAT kiosks and other antivirus solutions against steganography, and then we did it on some live systems as well, so I'll talk more about that in a second here.

But first we'll talk about what steganography is. Steganography is hiding or embedding secret data into a medium, like a file, that should be benign but is now hiding malicious things, or just hidden things. Typically this looks like multimedia containers such as videos, audio files, network packets, and then most commonly images. If you're thinking about technical goals here, this is used for defense evasion, if you're fluent in the MITRE ATT&CK kind of language, so you're looking at how can I evade defenses; you might use it for command and control; and it can also be used just as obfuscation, so you're hiding data, maybe you want to hide your malicious payload or something like that.

Oftentimes steganography gets confused with encryption, and that's because they're both kind of used for private communications, but the concepts are actually quite different. Encryption is used to communicate privately by obscuring the message, so nobody can see it, or they can see the message but it's all scrambled, right? Whereas steganography is about covert communication, and it doesn't obscure the message so much as it obscures the communication itself.

So some common use cases for steganography. The most legitimate use for digital steganography is watermarks, when you're looking at videos or images and stuff, to combat intellectual property piracy. One of the more nefarious uses for steganography: it's very common in child pornography rings for hiding illicit images. And then it's also used with espionage, and there are some common cases with that: in 2010 there were some Russian spies that were caught using image steganography for their covert communications back, and then even just recently there was an advanced persistent threat called OceanLotus, and they used steganography to conceal their malware payloads. So basically steganography allows a seemingly innocuous file, you know, it could be a picture of an animal or a landscape, or in this case the Mona Lisa, and you look at images and they're filled with other data. But it's important to realize that it's not just images and videos and things; you can do this with textual data, you can do it with VoIP data, all those kinds of things.

Let's see, next slide. Okay, so a common question is, okay, so how does this work? Well, the answer is it depends on the medium that's used, and so I'm going to focus a little bit on image steganography for two reasons: first because it's the most common form of steganography, and second because it's what I used to evade both the OPSWAT kiosk as well as the antivirus on the gas control networks that I was pen testing.

So if you look here at the slide, I've got some colors and they're represented in red, green, blue values; you see the numbers here, and then those numbers can be represented as bytes, so you'll see them across there, right? And so I picked out the teal-looking color here and I've got its red, green, blue values, and then I took the last one, the blue value here; you'll see that I've got it split up across its byte values. And what steganography does, well, in this case we'll talk about least significant bit steganography. So this is important because if I change the least significant bit, you're not going to notice; it'll have a very small impact on the final value. You know, if I was to change that first one, the color would be completely different, but if I'm changing the last one it's not that different. So you see here I take the least significant bit and I say it was a one and I change it to a zero; you know, that changes the color to this, it's not that much different, so it doesn't look particularly strange. And so you get roughly about 1/8 the size of the image that you can embed your data into, and in my case we embedded various types of malware.

So here we'll talk about the research I did with the University of Idaho. I was really targeting these OPSWAT kiosks, and this is really common among the nuclear industry, where I have a lot of experience. These were used to scan the portable media that come in and out of the facilities. It's almost like a single point of failure: anything that is going to get used on a system via a laptop or a USB or something has to get scanned with these kiosks, right? And so if I put on my attacker hat and I'm thinking, okay, I've got some malware that I've got to put on there, it's going to get scanned by this kiosk, I have to be able to evade this kiosk.

And you have to remember too that the nuclear industry has done significant work to make it very difficult to attack these facilities, right? They've implemented data diodes, which are very effective firewalls; they're one-way communication, so it really stops some of those kinds of attacks. They do wireless sweeps, they've got validated suppliers and things to help with the supply chain attack vector, their physical security is through the roof. So really, when I'm looking at those kinds of attack vectors, I'm like, okay, the portable media is the most vulnerable, at least in my mind, maybe supply chain, but other than supply chain, portable media is where I'm kind of thinking of, and so I was like, let me be able to evade that.

If you're not familiar with these kiosks, they have anywhere between four and 64 antivirus engines, and they scan the USB and then let you know what's happening, right? So I was like, let me go ahead and try to see if we can exploit that. Okay, so what I did here is I took the EICAR test file. If you're not familiar with EICAR, it's the European Institute for Computer Anti-Virus Research, and they came up with a file that universally, other than Malwarebytes, for whatever reason Malwarebytes doesn't agree, but every other antivirus in the world says this file is malicious even though it's not, just so you can test it, right?

So I took this file, and here's a little bit about the experiment here. I took this file and I scanned it, just the normal EICAR test file, and the OPSWAT kiosk says, yeah, hey, that's infected, and that's the correct result. And so then I took the image and embedded the EICAR test file in it using steganography, and the result said no, there's nothing wrong with it, it's clearly fine, right? And then I scanned just the image without the thing in it and it says it's clean, right? And I did this as well with VirusTotal, so not just the kiosk, and you can see that the effect was the same. So the problem isn't necessarily with the kiosks themselves but with the way that antivirus software works: the antivirus software is not able to accurately pick out these steganographic files. And so you can see here, yeah, it detects it when it's in its unhidden state, but when it's in its hidden state it doesn't detect it.

And then later, while I was working with Dragos, I was on a pen test on a gas control network, and here we were part of an overall campaign, right? We're going through our privilege escalation and we're thinking, okay, we have access here but we want to run something like Mimikatz, but Mimikatz is going to get blocked by the antivirus, so how are we going to get it across there? And so I used a different kind of... oh, and I guess I should have said that before: the image steganography I used for OPSWAT, I used a tool called LSB stego, it's just a Python library, and then for this one we used Invoke-PSImage, which is on GitHub, and you can embed PowerShell scripts inside of images and then extract them via PowerShell with a very simple one-line command. So it's very easy: you don't have to bring over another script, you don't have to bring over another executable to extract the payload, you can just run this quick one-liner in PowerShell and bring it out. And so we were able to do this on the gas control network and then run Mimikatz and get domain admin.

And then obviously it's a part of an overall campaign, because you can see on the network drawing here I'm running it from an HMI pretty deep into the environment. So, you know, I'm not saying steganography is a silver bullet, an ultimate weapon, and from the outside it can somehow get inside; no, it's got to be part of an overall campaign where you've moved through, or you've come in through USB. So in that OPSWAT scenario I'm coming in via USB, but in this scenario we came through pivoting across the network, progressively getting more advanced into the network until we have this thing. Sorry about that. And so you can see here a couple of things that we used: you can see here I uploaded the image to VirusTotal and none of the antiviruses picked up on it, and so we were able to extract it and run it.

Okay, so when we talk about, okay, so is this a credible threat? You know, steganography is a very niche thing, antivirus isn't detecting it, what can I do about it as an asset owner, is it something that I really care about, are people using it? And so this is a very valid question, right, because it's very difficult, like, oh, so now I've got to go buy steganography detection software or something, and that's not what I'm saying at all. It is a credible threat, and steganography can be used by adversaries to evade antivirus and network monitoring and things like that, but defense is doable. There are very simple mitigations that can be done and detections that don't require having sophisticated steganography detection tools, right? It could be very simple. So if you look here as well, at Dragos we track several threat activity groups, and none of these ICS-based threat activity groups have been shown to use steganography. So at this point I wouldn't rank steganography as a very high threat to the OT world; I just want to kind of highlight that it's a possibility that this could be used in an overall campaign. We've seen it in non-ICS threat campaigns but not in ICS-related ones.

I think I skipped... yeah, here it is, I skipped some slides here. So some of the best things that you can do here: the OPSWAT kiosk can be configured to block images. So when you're thinking about it, it's like, okay, does my operational network, does my nuclear plant, do I really need to load images onto this plant? What use case do I have to have images? And so if I just block images, I mean, that stops like 90% of steganography and I don't even need detection now. And OPSWAT can also do some fancy copying of the files over as well. So if you look at compression, in some cases compression can be used to remove forms of steganography; it depends if you use lossless compression or lossy compression. Lossless is not going to break it, but lossy compression will probably break most of the payloads in there. And in most cases scripts or executables or something are going to be required to extract the malware from the image or the other medium, so this is talking PowerShell, Python, Java, and then it's harder for me as an attacker to extract my payload and get it by. But in the case that we were at, PowerShell was not blocked.

And so another point I have here is, you know, just using known good files in your OT, just basic hygiene, right? So if you're only introducing files that you know are good, then you can prevent something like that. So I'm going to prevent scripts, I'm going to prevent images that I don't have an explicit use for. And if you're looking for C2 kind of traffic, so like in the case of malware that reaches out to a server and tries to extract malicious code via an image download, you know, the code is hidden in an image that's hosted externally, you can still see that traffic on your network monitoring. So you should say, hey, that's strange, I'm reaching out to a new website; you know, it's like, oh, I'm reaching out to the website downloading an image, that might not be strange, but the fact that it's a new website from an HMI, that's really interesting, and I would certainly want an alert on that.

There are also endpoint tools you can get that detect steganography. I wouldn't say you need to go put them out there; there are lots of other basic hygiene things you can do instead. But there are tools like StegDetect and StegExpose and StegoHunt and things like that that can detect some of these types of files. And so if I was building detections in, I would say, yeah, I want alerts anytime somebody's running a PowerShell script, a Perl script, Python, things like that. There's also the option here I have, passive analysis: if you're capturing network traffic you could extract files out of pcaps and then load them into endpoint tools like StegDetect or something like that to try to identify it. And in that case I would really only see that if you're kind of in incident response, like something's happened and then you're responding to it, and they're like, well, I've got this pcap coverage, let's look and see what the actual instructions were.

Oops, sorry about that, I can't seem to switch my slide. Okay, so in the end here, I just kind of want to summarize by saying, you know, it can be used by adversaries to evade defenses, and that can be kind of scary. However, defense is very doable. This isn't a zero-day, this isn't something everyone should go freak out and worry about, but it's something they should think about, and it's another reason to do some very basic hygiene things, like think about files before you put them on your operational network, you know, should I do integrity checks and hashing and things like that. And so I just wanted to highlight this niche evasion technique, not because I wanted to scare people but just sort of as an awareness, right? And it is a little scary because it's very easy to use: the tools are free, they're out there on the internet, they're very easy to use, and they bypass most traditional protections and detection mechanisms. So it's just something to think about, and I was able to use it in a real-life scenario fairly easily. And with that, that's the end of my presentation. I can take any questions.

I'm not sure if there's time because we kind of started late, but let's do one question. The Hacking Lab asks: with things being shared on Teams and SharePoint, is there a worry or anything regarding hiding some type of payload in a meme?

I mean, certainly, right? So memes are a treasure trove for hiding things like that. I don't remember all the details, but there was one APT I remember reading about that was getting their instructions by looking at Britney Spears Twitter comments, and so they would just go through that and then that would somehow go back and get their control. But there are so many... I've seen a lot of traversal issues with SharePoint and I'm almost worried about exposing confidential data more so than people hiding payloads in SharePoint. But it's totally plausible, and that's exactly what I'm talking about: you find a folder full of memes, you're like, oh okay, this person just likes to share memes, but then when you do some really deep analysis, you open a hex editor or some of these tools like that, you say, okay, actually they're hiding something in here. There are all kinds of statistical tests you can do on the image colors and things to say this is pretty likely that it's been manipulated, and so you can look and say, okay, this doesn't occur naturally, this color spectrum here; you can put them in histograms and kind of see that, and you're like, okay, I'm suspecting that they're hiding data and I want to look and see what kind of algorithm it might be and whether I could reverse it. You can't always reverse it, but a lot of times you can't extract the payloads out, especially if they use a very simple embedding like least significant bit; that's very easy to rip something out. But if they do a random one, then it's a little harder to rip out, but then it's easier to tell, because then you start getting weird colors all over the image and things like that. So hopefully that answers your question.

We have a question from Discord: can you embed payloads by modifying colors in all types of images, or does this technique only work for certain file formats?

That is a great question; I feel bad that I didn't touch on that. You can technically do this in all file formats; however, some file formats lend themselves better to payloads than others. So JPEGs are very compressed, and so that would usually be a poor choice for hiding it unless the thing that you're hiding is very small. Now you look at PNG files, those are very easy to hide things in and very common. Personally my favorite are TIFF files, like those really big professional photography high-resolution photo files, because they're huge, you can hide anything in there. And then I only talked about image steganography, but there's MP4 steganography, right? So it's not uncommon for a Blu-ray rip of The Dark Knight to be 10 gigabytes in size, and there are techniques you can use to then hide a TrueCrypt or a VeraCrypt file container inside of that. And so you've got this file on your computer that when you click it and it plays, it's The Dark Knight, but then when I drag it over to VeraCrypt and type in a long password, it actually opens up an encrypted file container and it's got all my malicious stuff in it. I mean, there are all kinds of things you can do, and it's very difficult to detect, and of course you've got that randomness protection that you have with VeraCrypt and TrueCrypt. Yeah, thanks, good question.

And final question, because this is really all we've got time for: is there a one-stop-shop scanner tool for stego?

Honestly, probably not. So I used to work on some steganography tools back in the day, and so I have a pretty good idea of most of them out there; they detect just images. Now, one that I used to work for, a company called WetStone Technologies, they have a tool called StegoHunt that, the last time I did an evaluation, was above and beyond the other kind of steganography tools. It would grab images, videos, audio files, and it was really good at it, so I would suggest that. But there are some free ones out there that you can get that usually just do images and WAV files. Yeah, thanks.

I'd like to thank you for joining us and for your presentation, and I'd like to thank everyone for their questions. Unfortunately we have to run out of it very quickly due to the late start and the issues that we had, but thank you, Doctor... would you like Dr. Benjamin or Jacob, or what would you like me to call you? Oh, Jacob's fine. But thank you very much, this has been Dr. Jacob Benjamin with steganography. [ __ ] Nailed it! Yay.
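The points the talk makes separately (the least-significant-bit slide, the signature scanner that sees the test file raw but not once embedded, the histogram-based statistical tests mentioned in the Q&A, and lossy compression as a mitigation) pulled together in one added Python example. This is editorial code, not the speaker's, Dragos's, or that of any tool named above (LSB stego, Invoke-PSImage, StegDetect, StegoHunt). It uses a constructed 8-bit greyscale cover with flat colour bands (the kind of histogram an HMI screenshot or diagram has) and a constructed marker payload instead of a real image or the EICAR string; the palette, band layout, marker text, RNG seed, the chi-square ratio threshold and the step-4 requantization as a stand-in for lossy compression are all assumptions.

```python
import random
import struct

# Constructed cover: 16 flat bands of 64 greyscale pixels (1024 pixels) drawn
# from a 16-value palette. Flat regions give the uneven histogram that the
# pairs-of-values test relies on. Assumption, not a real image.
PALETTE = [17 * i for i in range(16)]
COVER = [PALETTE[i // 64] for i in range(1024)]

# Constructed payload: a recognisable marker plus pseudo-random bytes standing
# in for a compressed/encrypted script. 124 bytes + 4-byte header = 1024 bits.
_rng = random.Random(7)
MARKER = b"MARKER:"
PAYLOAD = MARKER + bytes(_rng.getrandbits(8) for _ in range(117))


def lsb_embed(pixels, payload):
    """Copy of pixels with payload in the least significant bits.

    A 4-byte big-endian length header comes first so the extractor knows
    where the payload ends. Every pixel value moves by at most 1.
    """
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload needs %d pixels, cover has %d" % (len(bits), len(pixels)))
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(pixels):
    """Read the LSB plane back; None when there is no plausible header."""
    def read(start_bit, count):
        buf = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
            buf.append(value)
        return bytes(buf)
    if len(pixels) < 32:
        return None
    (length,) = struct.unpack(">I", read(0, 4))
    if length == 0 or 32 + 8 * length > len(pixels):
        return None
    return read(32, length)


def signature_scan(blob, signatures):
    """Naive signature scanner: which patterns occur as contiguous bytes?"""
    return [s for s in signatures if s in blob]


def chi_square_pairs(pixels):
    """Pairs-of-values chi-square test (Westfeld and Pfitzmann style).

    LSB embedding only moves a value between 2k and 2k+1, so a payload of
    roughly random bits pushes each pair's two counts toward equality. A
    large statistic means the pairs are far from equalised (looks clean);
    a statistic near the degrees of freedom means they are equalised.
    Returns (chi2, degrees_of_freedom).
    """
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue
        chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return chi2, max(pairs - 1, 1)


def lsb_plane_looks_random(pixels, max_ratio=5.0):
    """Flag an image whose value pairs are equalised. Threshold is an assumption;
    in practice it is calibrated on known-clean images of the same kind."""
    chi2, dof = chi_square_pairs(pixels)
    return chi2 / dof < max_ratio


def lossy_requantize(pixels, step=4):
    """Crude stand-in for lossy re-encoding: discard the low bits of each pixel."""
    return [(v // step) * step for v in pixels]


def run_lab():
    stego = lsb_embed(COVER, PAYLOAD)
    return {
        "round_trip_ok": lsb_extract(stego) == PAYLOAD,
        "max_pixel_delta": max(abs(a - b) for a, b in zip(COVER, stego)),
        "sig_hits_raw": signature_scan(PAYLOAD, [MARKER]),
        "sig_hits_stego": signature_scan(bytes(stego), [MARKER]),
        "cover_flagged": lsb_plane_looks_random(COVER),
        "stego_flagged": lsb_plane_looks_random(stego),
        "survives_lossy": lsb_extract(lossy_requantize(stego)) == PAYLOAD,
    }


if __name__ == "__main__":
    for key, value in run_lab().items():
        print("%-16s %s" % (key, value))
```

Running it shows the four outcomes the talk describes: the payload round-trips with every pixel changed by at most 1; the marker is found in the raw payload but not in the stego image, because each payload byte is spread one bit per pixel, which is why a signature engine sees nothing; the clean cover scores a chi-square ratio of about 68 while the stego image scores near 1, so the histogram test flags only the latter; and requantizing the pixels (the stand-in for lossy compression) leaves no extractable payload. A production detector would run the test over windows of the image and calibrate the threshold on clean samples, since a cover with a smooth, natural histogram gives a much weaker signal than the flat-banded graphic used here.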