Ken Westin, senior security analyst for Tripwire, has been noting the potential for this “Hammertoss” cyber espionage scenario for some time and was not surprised by the FireEye report that came out.
Ken Westin, senior security analyst for Tripwire:
“This particular method of attack is pretty clever, as it takes advantage of most enterprise organizations’ trust in and whitelisting of well-known social media platforms. By downloading binary images and embedding commands in the images, they easily circumvent most detection mechanisms. The additional measure of encrypting the message within the image serves a double purpose: to hide the messages in the image in case it is intercepted, as well as to assist in bypassing any steganography detection tools an organization may have in place. Encrypted data in the image makes steganography detection harder because encrypted data generally has a high degree of randomness, making it much less suspicious when embedded with image data.
This type of attack vector makes traditional threat intelligence moot. Where threat intelligence feeds will provide information about malicious IPs and hosts for command and control servers that malware has been found to use, this attack uses trusted services and domains that are for the most part whitelisted. It then also hides command and control activity by encrypting commands in images to further bypass network detection controls. This shows the importance of integrating network-based threat intelligence with endpoint intelligence, with the assumption that either can fail.”
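The closing point above, that network-based and endpoint intelligence have to be combined because a reputation feed says nothing about traffic to an allow-listed domain, can be illustrated with a small correlation routine. The following is an added example written for this page; it is not code from Tripwire, FireEye or the article. It joins constructed proxy records with constructed endpoint network-connection events (the hostnames, process names, domains and timestamps are all invented) so that each image fetch from a trusted domain is attributed to the process that made it, and then raises two findings the network side alone cannot produce: a non-browser process talking to a trusted social-media domain, and image fetches from one process recurring at a near-constant interval.

```python
"""Correlate proxy records with endpoint process telemetry so that traffic to
allow-listed domains is judged by which process produced it and how regularly
it recurs, not by destination reputation alone.  Added example; all data below
is constructed and the domains/processes are hypothetical."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains an organisation would typically allow-list; a network-only control
# passes all of this traffic.  Hypothetical names.
TRUSTED_DOMAINS = {"social.example", "images.social.example"}
# Processes that are expected to talk to those domains.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")

# Constructed proxy records: (timestamp, host, domain, path)
PROXY = [
    ("2015-07-30 09:00:01", "ws-07", "images.social.example", "/media/a1b2.png"),
    ("2015-07-30 09:10:01", "ws-07", "images.social.example", "/media/c3d4.png"),
    ("2015-07-30 09:20:02", "ws-07", "images.social.example", "/media/e5f6.png"),
    ("2015-07-30 09:30:01", "ws-07", "images.social.example", "/media/a7b8.png"),
    ("2015-07-30 09:03:15", "ws-12", "images.social.example", "/media/x1y2.jpg"),
    ("2015-07-30 09:41:02", "ws-12", "images.social.example", "/media/z3w4.jpg"),
    ("2015-07-30 10:22:47", "ws-12", "images.social.example", "/media/q5r6.jpg"),
    ("2015-07-30 10:24:10", "ws-12", "images.social.example", "/media/q7r8.jpg"),
]

# Constructed endpoint network-connection events: (timestamp, host, process, domain)
# "svcupdate.exe" is a hypothetical non-browser process.
ENDPOINT = [
    ("2015-07-30 09:00:00", "ws-07", "svcupdate.exe", "images.social.example"),
    ("2015-07-30 09:10:00", "ws-07", "svcupdate.exe", "images.social.example"),
    ("2015-07-30 09:20:01", "ws-07", "svcupdate.exe", "images.social.example"),
    ("2015-07-30 09:30:00", "ws-07", "svcupdate.exe", "images.social.example"),
    ("2015-07-30 09:03:14", "ws-12", "chrome.exe", "images.social.example"),
    ("2015-07-30 09:41:01", "ws-12", "chrome.exe", "images.social.example"),
    ("2015-07-30 10:22:46", "ws-12", "chrome.exe", "images.social.example"),
    ("2015-07-30 10:24:09", "ws-12", "chrome.exe", "images.social.example"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(proxy, endpoint, window_s=2):
    """Attach the originating process to each proxy record by matching host and
    domain against endpoint events within +/- window_s seconds."""
    joined = []
    for p_ts, host, domain, path in proxy:
        p_time = parse(p_ts)
        process = "unknown"  # no endpoint visibility: the network side is on its own
        for e_ts, e_host, e_proc, e_domain in endpoint:
            if (e_host == host and e_domain == domain
                    and abs((parse(e_ts) - p_time).total_seconds()) <= window_s):
                process = e_proc
                break
        joined.append({"time": p_time, "host": host, "domain": domain,
                       "path": path, "process": process})
    return joined


def detect(records, min_fetches=4, max_jitter=0.1):
    """Return findings as tuples (rule, host, process, domain).
    Rule 1: a non-browser process reaching a trusted domain.
    Rule 2: image fetches from one (host, process, domain) whose inter-arrival
            times vary by at most max_jitter of the mean, i.e. beacon-like."""
    findings, seen = [], set()
    series = defaultdict(list)
    for r in records:
        key = (r["host"], r["process"], r["domain"])
        if r["domain"] in TRUSTED_DOMAINS and r["process"] not in BROWSERS and key not in seen:
            seen.add(key)
            findings.append(("non-browser-to-trusted-domain",) + key)
        if r["path"].lower().endswith(IMAGE_EXT):
            series[key].append(r["time"])
    for key, times in series.items():
        if len(times) < min_fetches:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            findings.append(("periodic-image-fetch",) + key)
    return findings


def run():
    return detect(correlate(PROXY, ENDPOINT))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Both workstations pass the allow-list, and the fetched files are ordinary images as far as the proxy can tell. Only the join with endpoint telemetry separates ws-07, where a non-browser process pulls an image every ten minutes, from ws-12, where a browser fetches images at irregular times. If the endpoint feed is missing, `correlate` attributes the record to `unknown`, which is itself worth surfacing, since that is the condition under which one of the two sources has failed.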