25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

Manipulate, conceal and infiltrate: the latest hacking techniques of cyber gangsters


Cyber criminals are shamelessly exploiting the current crisis. They reach their targets by exercising patience and constantly applying new methods. To this end they are influencing search engine results or manipulating image data, and they don’t even hold back from attacking the dark net.

The latest survey of exhibitors at it-sa shows that there is strong demand for security solutions for the home office. And such solutions are urgently required because the attacks are becoming increasingly ingenious. As the New York Times reports, a Russian group is suspected of attacking the networks of employees who are working remotely from home due to the coronavirus pandemic. It is attempting to infect the networks of employees of major establishments. The malware used then waits until the employees concerned connect with their corporate network and then penetrates it. Subsequently, the malware tries to disable anti-virus and backup programmes to infect the networks with ransomware that it has previously downloaded from the Internet.

Underworld vs underworld

But there are dangers lurking outside the home office environment as well, and even the dark net has become a venue for cyber-attacks. Specialists from a large IT security company report on an offensive that targeted dark net buyers. Because access to the dark net is only possible via the Tor Browser, the cyber gangsters specifically manipulated this browser, planting a Trojan in it and presenting the result as an update. This version was functionally identical; only the plugin signature verification and the search for updates were disabled. This made it unlikely that the changes would be overwritten by a subsequent update. The attackers lured their victims to dark net sites offering downloads of counterfeit plugins containing malware. Effectively, the attackers were after their victims’ bitcoins, the currency of the dark net. They were only successful because they were able to induce a lot of dark net users to download their modified Tor Browser. This was done by influencing search engines through several different Pastebin accounts. As a result, the download page for the fake browser appeared near the top of the search engine results.

Using steganography to get around security programmes

Cyber criminals showed how unscrupulous they can be right at the start of the coronavirus crisis, when they attacked a lot of medical establishments. At the same time, they are becoming increasingly inventive, for example when they hide data in cookies to smuggle it out of the company undetected.

Cyber attackers are also very aware of the weaknesses of anti-virus programmes. They therefore like to use steganography, because it enables information to be concealed in photos. For example, one bit of each pixel is overwritten, which causes no visible change when the image is viewed. A photo with 20 million pixels provides sufficient storage capacity for hiding malware, so it is rarely identified when smuggled into IT networks.
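The mechanism described above (one bit per pixel, invisible to the eye) and the defender's counterpart, a statistical check on that bit plane, as an added example that is not part of the original article. The "image" is a constructed 256 x 128 greyscale array with an artificially biased low bit, standing in for the non-uniform low bits of a real photo; the chi-square threshold is a heuristic chosen for this toy data, not a calibrated detector. Capacity is computed the way the article counts it: one bit per pixel, so 20 million pixels hold 2.5 MB.

```python
import random

# Constructed sample image: 8-bit greyscale, 256 x 128 pixels (not a real photo).
WIDTH, HEIGHT = 256, 128


def make_cover(seed: int = 1) -> list[int]:
    """Build a cover image whose lowest bit plane is biased, mimicking a real photo
    in which neighbouring pixel values are correlated rather than uniformly random.
    Constructed bias: 70% of pixels have their least significant bit cleared."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        value = rng.randrange(256)
        if rng.random() < 0.7:
            value &= 0xFE
        pixels.append(value)
    return pixels


def make_payload(num_bytes: int, seed: int = 7) -> bytes:
    """Constructed random-looking payload, standing in for an encrypted blob."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(num_bytes))


def capacity_bytes(num_pixels: int, bits_per_pixel: int = 1) -> int:
    """Bytes that fit when `bits_per_pixel` low bits of every pixel are reused."""
    return num_pixels * bits_per_pixel // 8


def embed_lsb(pixels: list[int], payload: bytes) -> list[int]:
    """Write payload bits, most significant first, into the least significant bit
    of consecutive pixels. Raises if the image is too small for the payload."""
    if len(payload) * 8 > len(pixels):
        raise ValueError("payload exceeds LSB capacity")
    out = list(pixels)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out


def extract_lsb(pixels: list[int], num_bytes: int) -> bytes:
    """Inverse of embed_lsb: collect the low bits back into bytes."""
    result = bytearray()
    for b in range(num_bytes):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[b * 8 + bit] & 1)
        result.append(value)
    return bytes(result)


def lsb_one_fraction(pixels: list[int]) -> float:
    """Share of pixels whose lowest bit is 1; about 0.5 after full embedding."""
    return sum(p & 1 for p in pixels) / len(pixels)


def pair_chi_square(pixels: list[int]) -> float:
    """Chi-square statistic over the 'pairs of values' (2k, 2k+1). Overwriting
    the low bit with random-looking data drives the two counts in each pair
    towards equality, so the statistic collapses to roughly the degrees of
    freedom (127 for 8-bit data) instead of the large value a photo gives."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        total = even + odd
        if total:
            stat += (even - odd) ** 2 / total
    return stat


def looks_lsb_embedded(pixels: list[int], threshold: float = 400.0) -> bool:
    """Flag an image whose low bit plane is too uniform for a natural photo.
    The threshold is a constructed heuristic for this toy data."""
    return pair_chi_square(pixels) < threshold


if __name__ == "__main__":
    cover = make_cover()
    payload = make_payload(capacity_bytes(len(cover)))
    stego = embed_lsb(cover, payload)
    assert extract_lsb(stego, len(payload)) == payload
    print("20 Mpixel capacity:", capacity_bytes(20_000_000), "bytes")
    print("cover chi-square:", round(pair_chi_square(cover)), "flagged:", looks_lsb_embedded(cover))
    print("stego chi-square:", round(pair_chi_square(stego)), "flagged:", looks_lsb_embedded(stego))
```

The embedding step is here only to show why the statistic moves: the picture looks identical, but the low bit plane of a photo is not random, and a payload that has been encrypted before hiding makes it random. A gateway that inspects images therefore needs a statistical view of the pixel data, since byte-level signature matching on the file sees nothing unusual.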

A notorious group is again attracting attention to itself with these methods. The group known as the Dukes has been active for more than 10 years now and, according to security analyst Matthieu Faou, also goes under the names APT29 or Cozy Bear. In 2015 it is said to have hacked the network of the US Democrats and attacked the Norwegian Ministry of Defence. The targets of the group’s offensives are often diplomats, political parties and military organisations, says Faou. But in 2017 the group suddenly disappeared, until it attracted attention again last year with a new campaign. As is usual in more complex attacks, the group carried out the attack in several phases. Starting with infected documents, for example in email attachments, it gained access to the network. With the login data acquired, interesting targets were scouted by moving laterally through the victims’ network. Finally, hidden malware was installed in tweets or other social media posts. The download component it contains contacts the control servers and fetches the photo in which the actual malware is hidden. Photos passing through a company network usually go unnoticed, and in combination with the multi-stage process the concealment is effective. Faou assumes that the group is currently preparing for the US election in the autumn.
