A new Cisco Talos Intelligence report explores how cybercriminals are increasingly abusing the communications platforms that many organizations use to facilitate employee communications.
According to the report, communication platforms have allowed attackers to circumvent perimeter security controls and maximize infection capabilities. Over the past year, adversaries have increasingly relied on these platforms as part of the infection process. In the blog, the researchers describe how these platforms are being used across three major phases of malware attacks:
- Delivery
- Component retrieval
- C2 and data exfiltration
As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows, including the shift to collaboration platforms such as Discord and Slack, to stay under the radar and evade organizational defenses. Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments. RATs, information stealers, internet of things malware and other threats are also leveraging collaboration platforms for delivery, component retrieval and command and control communications.
The platforms provide attractive options for hosting malicious content, exfiltrating sensitive information and facilitating attacks. The researchers found that Discord, for example, has been used in the past to deliver the Thanatos ransomware. More recently, this mechanism has been used to deliver a variety of RATs, stealers and other malware including:
- Agent Tesla
- AsyncRAT
- Formbook
- JSProxRAT
- LimeRAT
- Lokibot
- Nanocore RAT
- Phoenix Keylogger
- Remcos
- WSHRAT
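The delivery, component-retrieval and exfiltration phases described above leave traces in telemetry most organizations already collect, such as web proxy logs. The following Python script is an added example, not code from the Talos report or from Cisco: it scans constructed proxy-log lines for the two patterns the report describes, payload-type files fetched from a collaboration platform's file CDN and POSTs to incoming-webhook endpoints, and then flags clients that show both. The log format, the hostnames and paths it keys on (cdn.discordapp.com, media.discordapp.net, files.slack.com, the Discord /api/webhooks/ path and hooks.slack.com/services/), the file-extension list and the 4 KiB threshold separating a small check-in from a bulk upload are assumptions chosen for the demonstration, not details taken from the page.

```python
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the Talos report).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>"
SAMPLE_LOGS = """\
2021-04-08T09:12:01Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/123456789/987654321/invoice.exe 200 412
2021-04-08T09:12:44Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/123456789/987654322/update.dll 200 390
2021-04-08T09:13:10Z 10.1.4.22 POST https://discord.com/api/webhooks/111222333/AbCdEf-token 204 48210
2021-04-08T09:20:05Z 10.1.4.31 GET https://cdn.discordapp.com/attachments/55555/66666/team_photo.png 200 380
2021-04-08T09:25:17Z 10.1.4.40 POST https://hooks.slack.com/services/T000/B000/XXXX 200 91
2021-04-08T09:25:18Z 10.1.4.40 POST https://hooks.slack.com/services/T000/B000/XXXX 200 65536
2021-04-08T09:30:00Z 10.1.4.52 GET https://files.slack.com/files-pri/T000-F000/download/report.pdf 200 401
""".splitlines()

# Assumed: extensions worth flagging when fetched from a chat platform's CDN.
PAYLOAD_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta",
                      ".jar", ".bat", ".cmd", ".zip", ".iso"}

# Assumed: file CDN hosts (delivery / component retrieval) and incoming-webhook
# path prefixes (data pushed out of the network).
CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}
WEBHOOK_PATHS = {
    "discord.com": "/api/webhooks/",
    "discordapp.com": "/api/webhooks/",
    "hooks.slack.com": "/services/",
}
# Assumed threshold: a webhook POST at or above this size is treated as a bulk upload.
EXFIL_BYTES = 4096

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
                     r"(?P<status>\d{3}) (?P<bytes>\d+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(method, url, bytes_out):
    """Map one request to 'delivery', 'exfiltration', 'webhook-beacon', or None."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    ext = posixpath.splitext(u.path)[1].lower()  # extension of the last path component only
    if method == "GET" and host in CDN_HOSTS and ext in PAYLOAD_EXTENSIONS:
        return "delivery"
    prefix = WEBHOOK_PATHS.get(host)
    if method == "POST" and prefix and u.path.startswith(prefix):
        # A small POST looks like a check-in; a large one like a bulk upload.
        return "exfiltration" if bytes_out >= EXFIL_BYTES else "webhook-beacon"
    return None


def scan(lines):
    """Run classify() over every parseable line and keep the hits, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        phase = classify(rec["method"], rec["url"], rec["bytes"])
        if phase:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "phase": phase, "url": rec["url"]})
    return findings


def chained_hosts(findings):
    """Clients that both fetched a payload from a chat CDN and bulk-posted to a webhook."""
    phases = {}
    for f in findings:
        phases.setdefault(f["src"], set()).add(f["phase"])
    return sorted(src for src, p in phases.items() if {"delivery", "exfiltration"} <= p)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["src"]:<10} {h["phase"]:<15} {h["url"]}')
    print("clients with both delivery and exfiltration:", chained_hosts(hits))
```

Because the platforms are legitimate business tools, blocking them outright is rarely an option, and a single CDN download or webhook POST is weak evidence on its own. The combination on one client is what merits an alert, which is why the final step groups findings per source address rather than reporting each line.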
"Tools which organizations use to conduct normal business have always been targets for attackers as any nefarious activity within such communication channels tends to intermingle with normal traffic patterns. The collaboration tools which, during the pandemic, have become more central to how businesses operate are poorly understood by info security teams in terms of the attack surface they present. These tools are also relatively immature in terms of accompanying security protections provided by third parties," Oliver Tavakoli, CTO at Vectra, explains.
Tavakoli believes this trend will continue until suppliers of such collaboration tools put more effort into providing more policy controls to lock down the environment and add more telemetry to monitor it. "It will also require security vendors to step up and use the telemetry to detect and block attacks within these communication channels," he says.
Mark Kedgley, CTO at New Net Technologies (NNT), says, "Collaboration requires a certain level of trust. The need to differentiate between each business partnership, and what information can be shared, is often diminished as staff is not properly trained. That attackers have the patience to wait for the right opportunity isn’t specific to any collaboration platform. This behavior can be observed in many facets of cyber crime. To mitigate the risks, more focus on least privilege is needed as it’s still too common for users to run with local admin rights. Email and office applications provide a number of hardened settings to combat malware and phishing, however, not enough organizations make use of them. Change control and vulnerability management as core security controls should be in place as well."
For more information, please visit https://blog.talosintelligence.com/2021/04/collab-app-abuse.html