Hackers smuggle out stolen data disguised as videos

Around a dozen organisations, including at least one financial sector company, have been hit by a new form of hacking where attackers hide stolen corporate data inside video files that they upload to popular sharing sites like YouTube.


The trick has been discovered by cloud security firm Skyhigh Networks, which is alerting security pros to this hard-to-spot approach.

In a 23 October blog post, Skyhigh's Kaushik Narayan said: “We recently identified a new type of attack that packages data into videos hosted on popular video sharing sites, a technique difficult to distinguish from normal user activity.”

European marketing director Nigel Hawthorn said Skyhigh has seen the attack used against a range of companies. He told SCMagazineUK.com: “There's a dozen or so different customers where we've seen the same behaviour. At least one of the companies where we saw this was in the financial community and therefore a regulated industry.”

Narayan said the stolen data ranges from customer information such as credit card and social security numbers to intellectual property, including design diagrams and source code.

Skyhigh does not know who is behind the attacks or where they are located.

The hackers operate by using malware that accesses sensitive corporate data, then splits it into compressed files of identical size, encrypts it and wraps it up with a video file. “This technique is sophisticated,” Narayan explained. “The video files containing stolen data will play normally.”

He added: “They upload the videos containing stolen data to a consumer video sharing site. If anyone checked, the videos would play normally on the site as well.

“After the videos are on the site, the attacker downloads them and performs the reverse operation, unpacking the data and reassembling it to arrive at the original dataset containing whatever sensitive data they sought to steal.”

Hawthorn said the approach is ideal for smuggling out large quantities of data.

He told SC: “The thing that scares us all really is video files are so large that it's a perfect place to try to hide a lot of information. It's expected that video files will be many megabytes in size. Also somebody who appears to be uploading a video wouldn't necessarily be recognised by other systems as potentially being a threat to corporate data.

“It reminds us, as IT people in organisations, we've got to be looking for all sorts of different ways in which data could be going out.”

Skyhigh pointed out that consumer video sites are widely allowed by companies, for legitimate uses such as hosting employee training videos, product demos and marketing.

Commenting on the attack method, security expert Paco Hope, principal consultant at Cigital, agreed that it was new and dangerous.

He told SCMagazineUK.com: “This is not one that I have seen before. We have seen DNS, Twitter, IRC, Skype and plenty of other protocols. I think what is most novel about this is its efficiency. You can get a lot of data out because video is an otherwise normal large upload.”

Hope also agreed the technique is difficult to detect: “Content inspection of HTTPS traffic is common - but it would be very difficult to identify illegitimate frames of video. The exfiltration tool will probably leave some recognisable pattern in the video payload, and tools can theoretically be developed to look for that signature. But conceptually it is very hard to pinpoint with confidence.

“The only thing I can think of that makes this tricky is uploading video that YouTube or another site will not mangle when it converts. There are ways, though, to preserve the data even after the upload.”

Hope added: “I bet that as this comes out and is actually effective, then people will start looking at other payloads, other data types. You could imagine Skype video or FaceTime or any of these things where there's just a ton of frames going out. You've got plenty of space in there to hide some data and nobody will notice that it's actually corrupt.”

Hawthorn said Skyhigh first spotted the attack on a customer's PC which had uploaded a large number of videos that were all exactly the same size.

“That's incredibly unlikely,” he said, “so that was picked up as an anomaly. But there was no infection, virus or whatever to be found by other security systems.

“The way this was recognised was doing big data crunching. The way to find these sorts of issues is looking for traffic patterns that are frankly odd and therefore worth investigating.”

Narayan said: “Companies can proactively take steps to protect themselves by limiting uploads to video sharing sites while allowing the viewing or download of videos. Deploying a cloud-aware anomaly detection solution can also give early warning to an attack in progress.”
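The detection Hawthorn describes, a client uploading many videos of exactly the same size, can be checked from ordinary proxy logs. The script below is an added example, not Skyhigh's or SC Magazine's code; the five-field log format, the sample lines and the list of upload endpoints are all constructed for illustration.

```python
"""Flag clients that upload many identically-sized files to video sharing sites.
Constructed proxy log lines (not real data): timestamp client method host bytes.
The anomaly is a burst of uploads that are all exactly the same size."""
from collections import Counter, defaultdict

# Constructed sample proxy log in a hypothetical five-field format.
SAMPLE_LOG = """\
2014-10-23T09:01:10 10.0.0.7 POST upload.youtube.com 52428800
2014-10-23T09:02:15 10.0.0.7 POST upload.youtube.com 52428800
2014-10-23T09:03:20 10.0.0.7 POST upload.youtube.com 52428800
2014-10-23T09:04:25 10.0.0.7 POST upload.youtube.com 52428800
2014-10-23T09:05:30 10.0.0.7 POST upload.youtube.com 52428800
2014-10-23T09:06:00 10.0.0.9 POST upload.youtube.com 73121344
2014-10-23T09:07:00 10.0.0.9 POST upload.youtube.com 18223110
2014-10-23T10:00:00 10.0.0.7 GET www.youtube.com 1024
2014-10-23T10:01:00 10.0.0.9 POST upload.youtube.com 73121344
"""

VIDEO_UPLOAD_HOSTS = {"upload.youtube.com"}  # assumed list of upload endpoints
UPLOAD_METHODS = {"POST", "PUT"}  # only uploads matter; viewing/downloading is ignored

def parse_log(text):
    """Yield (timestamp, client, method, host, size) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, client, method, host, size = parts
        yield ts, client, method, host, int(size)

def identical_size_uploads(text, min_repeats=3):
    """Return {client: (size, count)} for clients with at least min_repeats
    uploads to video sites that have exactly the same byte size."""
    sizes_by_client = defaultdict(Counter)
    for _ts, client, method, host, size in parse_log(text):
        if method in UPLOAD_METHODS and host in VIDEO_UPLOAD_HOSTS:
            sizes_by_client[client][size] += 1
    alerts = {}
    for client, sizes in sizes_by_client.items():
        size, count = sizes.most_common(1)[0]  # most frequent upload size
        if count >= min_repeats:
            alerts[client] = (size, count)
    return alerts

if __name__ == "__main__":
    for client, (size, count) in identical_size_uploads(SAMPLE_LOG).items():
        print(f"ALERT {client}: {count} uploads of exactly {size} bytes")
```

On the sample log only 10.0.0.7 is flagged: its five identical 50 MiB uploads stand out, while 10.0.0.9's two matching sizes stay under the threshold.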