Fraudsters Flooding Collaboration Tools With MalwareCisco Talos: Reliance on These Tools Expands Attack Surface
The increasing reliance on collaboration tools such as Slack and Discord to support those working remotely during the COVID-19 pandemic has opened up new ways for fraudsters and cybercriminals to bypass security tools and deliver malware, Cisco Talos reports.
Cybercriminals are using these collaboration tools not only to deliver malware but also to retrieve information about specific components and networks and to establish command-and-control channels that can be used to exfiltrate data, Cisco Talos says in its new report.
These channels can be used to deliver malware, including Thanatos, that can set the stage for a ransomware attack. But in most cases, cybercriminals are deploying remote access Trojans, including AgentTesla, Formbook and Lokibot, according to the research report (see: AgentTesla Malware Has Updated Data Harvesting Capabilities).
Fraudsters are targeting these collaboration platforms as a delivery mechanism for malware so they can bypass perimeter security protections because the platforms are considered trusted parts of the network that employees use for essential communication.
"Potential targets who see a link in a chat room they're used to interacting in on a regular basis may be more likely to open any files that are attached to those rooms or click on links that seem like they're from colleagues," the researchers note. "These rooms may also provide a direct communications pathway between adversaries and employees that can be abused to facilitate the delivery process."
Earlier, other researchers identified various security vulnerabilities with these collaboration platforms.
A flaw in Cisco's Webex video conferencing platform disclosed in November 2020, for example, could have allowed uninvited users to attend meetings without showing up in the participation list, according to IBM researchers. Cisco has since issued a patch for that bug.
One risk that the Cisco Talos researchers identified is that workers transfer files to one another by placing them in collaboration tools. In many cases, the files are stored within the content delivery network, or CDN, that the platform provider operates. This, in turn, allows collaborators to access these files as they appeared when they were originally attached.
In the case of Discord, files uploaded and stored within the Discord CDN can then be accessed by any system simply by browsing for the URL link, the report notes.
"Adversaries have begun taking advantage of this functionality, using it to host their malicious content and then directing victims to the content using the CDN location within various formats, like malspam emails," according to Cisco Talos. "Over the course of 2020, we observed an increase in the volume of malicious email campaigns containing links to files hosted across these CDNs."
The report notes that because the content is sent over the HTTPS protocol, messages are encrypted, which can allow them to bypass security controls. Also, the messages are sent in a variety of compression formats, which further helps obfuscate the content - and disguise the malware.
"Many of the [messages] purport to be associated with various financial transactions and contain links to files claiming to be invoices, purchase orders and other documents of interest to potential victims," according to the report. The malicious messages viewed by the researchers were written in English, Spanish, French, German and Portuguese.
The researchers also found attackers abusing CDNs for the retrieval of additional malicious content both during and after a device was compromised.
The researchers also found that fraudsters are abusing legitimate APIs used in these collaboration platforms as a way to establish a command-and-control infrastructure that can be used to steal data or communicate with malware that has already compromised a device.
For example, Discord offers an API called webhooks, which works as a URL that allows a client to send messages to users by posting the message to a specified channel - without using the actual Discord application, according to the report. This API can also be integrated with third-party services such as GitHub or Datadog.
"Using the webhook functionality to exfiltrate data has several benefits, the most apparent being ease of use," the report notes. "The other important advantage to webhooks is the use of the Discord domain for exfiltration over HTTPS, allowing the attacker to blend in with other Discord network traffic. The format of a webhook would appear fairly innocuous to most users."
Implement Security Features
Rick Holland, CISO and vice president of strategy at security firm Digital Shadows, says that organizations that allow workers to use tools such as Slack, Discord or Microsoft Teams need to deploy their security and privacy features.
"You can deploy cloud access security brokers [CASBs] to secure data and protect employees in Slack and Teams," Holland says. "You should make sure that you purchase the more robust enterprise licenses that include security and compliance features like single-sign-on, multifactor authentication and data residency. You should also assess and restrict risky third-party applications that integrate with the platforms; these integrations increase your attack surface."