Researchers on Wednesday reported that as the pandemic continued this past year, threat actors adjusted to employee reliance on new communications technologies such as Slack and Discord and launched targeted malware attacks on those platforms.
In a blog posted by Cisco Talos, the researchers said Slack and Discord offer an attractive option for hosting malicious content, exfiltrating sensitive information and facilitating malicious attacks. The researchers described how these communication platforms are used across three major phases of malware attacks: delivery, component retrieval, and command and control (C2) and data exfiltration.
“As defenders, we need to decide which chat applications are allowed and why, while clearly communicating to management the risks associated with each,” the researchers wrote. “For those companies that don’t use a chat app internally or for business purposes, it’s probably worth considering blocking some of the domains that can be abused for content delivery or putting other mitigations in place to help reduce the risk. We’ve continually seen adversaries evolve from including attachments directly in email, to hosting it on their own infrastructure, to using file sharing services, and now abusing chat applications.”
Using common collaborative applications as a means for command-and-control and exfiltration benefits the attackers in that they can better evade network detection and other security controls, said John Hammond, senior security researcher at Huntress.
“If an organization uses Slack, Discord, Teams or what have you to get their job done, you can bet that communications will be allowed,” Hammond said. “To defend against this, a company needs strong endpoint monitoring and the telemetry to correlate the communicating process on a specific machine. Application whitelisting, endpoint detection and response and certainly process logging and network filtering are vital to prevent the abuse of collaboration tools.”
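Hammond's point about correlating the communicating process with its network destination, together with the Talos suggestion of watching or blocking the domains used for content delivery, can be turned into a simple detection rule over endpoint telemetry. The following Python is an added example, not code from Cisco Talos, Huntress or any other vendor quoted in this article; the telemetry line format, the sample events, the chat-platform domain list and the process allowlist are all assumptions that an organization would replace with its own.

```python
"""Flag chat-platform connections that come from an unexpected process.

Added example; not from the Talos post or any vendor quoted in the article.
The telemetry format, the domain list and the process allowlist are assumed.
"""
import re
from collections import Counter

# Assumed: domains the chat platforms use for messaging and file traffic.
# Tune to the platforms your organization actually permits.
CHAT_DOMAINS = {
    "discord": ("discord.com", "discordapp.com", "discord.gg"),
    "slack": ("slack.com", "slack-edge.com"),
}

# Assumed: process image names legitimately expected to reach each platform
# (desktop client plus browsers). Anything else hitting those domains is
# worth an analyst's attention, whether it is a script host or an unknown binary.
EXPECTED_PROCESSES = {
    "discord": {"discord.exe", "discord", "chrome.exe", "msedge.exe", "firefox.exe"},
    "slack": {"slack.exe", "slack", "chrome.exe", "msedge.exe", "firefox.exe"},
}

# Assumed telemetry layout (constructed, one connection event per line):
#   <timestamp> host=<hostname> pid=<pid> image=<path> dest=<fqdn>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>\S+) dest=(?P<dest>[^:\s]+):(?P<port>\d+)$"
)


def platform_for(fqdn):
    """Return the chat platform a destination belongs to, or None.

    Matches the registered domain or any subdomain of it, so a lookalike such
    as 'evil-slack.com' does not match 'slack.com'.
    """
    fqdn = fqdn.lower()
    for platform, suffixes in CHAT_DOMAINS.items():
        for suffix in suffixes:
            if fqdn == suffix or fqdn.endswith("." + suffix):
                return platform
    return None


def parse_line(line):
    """Parse one telemetry line into a dict; return None for malformed input."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    # Normalize the image path so Windows and Unix paths compare the same way.
    event["image_name"] = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return event


def find_suspicious(lines):
    """Return events where a non-allowlisted process reaches a chat platform."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        platform = platform_for(event["dest"])
        if platform is None or event["image_name"] in EXPECTED_PROCESSES[platform]:
            continue
        event["platform"] = platform
        findings.append(event)
    return findings


def summarize(findings):
    """Count findings per (host, image) so a burst from one process stands out."""
    return Counter((f["host"], f["image_name"]) for f in findings)


# Constructed sample telemetry: one benign client connection, three events from
# processes that should not be talking to a chat platform, one unrelated
# destination, a Linux desktop client, and one malformed line.
SAMPLE_TELEMETRY = [
    r"2021-04-07T10:02:11Z host=ws-finance-07 pid=4120 image=C:\Users\a.lee\AppData\Local\slack\slack.exe dest=files.slack.com:443",
    r"2021-04-07T10:03:45Z host=ws-finance-07 pid=5588 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dest=cdn.discordapp.com:443",
    r"2021-04-07T10:05:02Z host=ws-hr-02 pid=2204 image=C:\Users\Public\update.exe dest=cdn.discordapp.com:443",
    r"2021-04-07T10:05:09Z host=ws-hr-02 pid=2204 image=C:\Users\Public\update.exe dest=discord.com:443",
    r"2021-04-07T10:06:30Z host=ws-eng-11 pid=901 image=/usr/bin/curl dest=example.com:443",
    r"2021-04-07T10:07:14Z host=ws-eng-11 pid=3311 image=/opt/Discord/Discord dest=gateway.discord.gg:443",
    "not a telemetry line",
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_TELEMETRY)
    for hit in hits:
        print(f"{hit['ts']} {hit['host']} pid={hit['pid']} {hit['image_name']} -> "
              f"{hit['dest']} ({hit['platform']})")
    print(summarize(hits))
```

The allowlist is deliberately keyed by platform rather than global, so a browser reaching a Slack file host is expected while a script host doing the same is not; the per-host summary is what makes the repeated `update.exe` connections stand out over a single stray event.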
The tools companies use to conduct normal business have always been ripe targets for attackers, as any nefarious activity within such communication channels tends to blend into normal traffic patterns, added Oliver Tavakoli, chief technology officer at Vectra. Tavakoli said the collaboration tools that have become more central to how organizations operate during the pandemic are poorly understood by infosec teams as far as the attack surface they present – and these tools are also relatively immature in terms of accompanying security protections provided by third parties.
“This trend will continue until suppliers of such collaboration tools put more effort into providing more policy controls to lock down the environment and add more telemetry to monitor it,” Tavakoli said. “It will also require security vendors to step up and use the telemetry to detect and block attacks within these communication channels.”
Chris Hazelton, director of security solutions at Lookout, said that most organizations have too many communication tools: email; collaboration and messaging platforms like Slack and Teams; web conferencing chats like Zoom; and text messages on phones and tablets. He said it's hard to mandate which communication tools are used across a company, and often company leaders use the communication tools that get the fastest responses. This means users are overwhelmed as they communicate with different, or sometimes the same, people across multiple platforms. It leads to lower awareness of the risks of sharing across communication tools.
“There’s a continued urgency for organizations to go digital to avoid disruptions to business,” Hazelton said. “However, ignoring digital protections that secure collaboration platforms could create additional business disruptions and significant brand damage. Not enabling security controls for collaboration platforms is the digital equivalent of offering criminals and other adversaries a seat at the executive table.”