Another example of the resiliency and creativity of cyber-attackers is outlined in a new blog by Cisco/Talos researchers, which outlines how, over the past year, and in particular as a result of the migration from work at the office to work from home during the pandemic, cyber-attackers are using collaboration platforms like Slack and Discord to distribute malware to unsuspecting victims.

According to the blog:

  • As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
  • Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
  • Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that might not be blocked in many network environments.
  • Remote Access Trojans (RATs), information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.

In sum, the collaboration rooms and platforms are being used to “spread traditional malspam lures used to infect victims.” They are using the platforms to “circumvent perimeter security controls and maximize infection capabilities.” They are being used during three phases of malware attacks, including delivery, component retrieval, and C2 and data exfiltration. They are also being used for social engineering campaigns.

If your organization is using collaboration platforms, it is important to let your IT professionals and employees know about the malicious use of these platforms so they can use good cyber- hygiene to avoid causing an incident in the same way as a phishing or social engineering scheme. The same tools that they use to identify malicious emails or texts should be used with these collaboration platforms. Providing education on these schemes and uses of legitimate business platforms is the first defense to preventing an incident.

The Department of Justice in October announced charges against six men believed to work for the Russian GRU and linked to some of the most sinister cyber attacks of the last decade including the NotPetya malware and attacks on the government of Ukraine. In this podcast we talk to two men who helped build the DOJ’s case: Cisco’s Matt Olney, the Director of Talos Threat Intelligence and Interdiction and Craig Williams, the Talos Director of Outreach about the case against the Russian actors and what companies can do to defend themselves.

The news this week was that FireEye, one of the U.S.’s most prominent cyber security firms, had itself become a victim of a cyber crime. The likely suspects: state-sponsored hackers working on behalf of the Government of Russia.

Now, according to reports, Russian hacking groups may have access to FireEye’s custom “red team” tools for testing client’s defenses or identifying malicious activity. That’s a possible bounty for Russian state-sponsored crews like so-called “Cozy Bear,” or APT 29, which are already among the most feared cyber adversaries in the world.

But just because Russian hacking groups act often act with impunity doesn’t mean they’re invisible – or even unknowable. In fact, it was just a few weeks ago – on October 15 – that the U.S. Justice Department named six officers of Russia’s GRU in connection with a string of high profile hacks and cyber attacks including the NotPetya malware and attacks on the government of Ukraine and on the 2018 PyeongChang Winter Olympic games.

The men were believed to be part of state-sponsored hacking groups with names like “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking,” according to a statement by the DOJ.

How did the U.S. Justice Department follow the tracks from those amorphous attacks to six, Russian men? Our guests this week were among those working behind the scenes to make sense of those attacks and help understand what happened and who was behind them.

Talos had a front row seat in a number of the incidents mentioned in the Department of Justice report, including the NotPetya outbreak , the attacks on Ukraine and the campaign against the 2018 olympics. Craig and Matt joined me in the Security Ledger studio to talk about the DOJ announcement and what goes into the project of identifying and charging foreign hacking groups. We also talk about what it takes to stop and even catch a Russian APT group, and what companies can do to protect themselves from the world’s most elite offensive hackers.