Another example of the resiliency and creativity of cyber-attackers is outlined in a new blog by Cisco/Talos researchers, which outlines how, over the past year, and in particular as a result of the migration from work at the office to work from home during the pandemic, cyber-attackers are using collaboration platforms like Slack and Discord to distribute malware to unsuspecting victims.
According to the blog:
- As telework has become the norm throughout the COVID-19 pandemic, attackers are modifying their tactics to take advantage of the changes to employee workflows.
- Attackers are leveraging collaboration platforms, such as Discord and Slack, to stay under the radar and evade organizational defenses.
- Collaboration platforms enable adversaries to conduct campaigns using legitimate infrastructure that might not be blocked in many network environments.
- Remote Access Trojans (RATs), information stealers, internet-of-things malware and other threats are leveraging collaboration platforms for delivery, component retrieval and command and control communications.
In sum, the collaboration rooms and platforms are being used to “spread traditional malspam lures used to infect victims.” They are using the platforms to “circumvent perimeter security controls and maximize infection capabilities.” They are being used during three phases of malware attacks, including delivery, component retrieval, and C2 and data exfiltration. They are also being used for social engineering campaigns.
If your organization is using collaboration platforms, it is important to let your IT professionals and employees know about the malicious use of these platforms so they can use good cyber- hygiene to avoid causing an incident in the same way as a phishing or social engineering scheme. The same tools that they use to identify malicious emails or texts should be used with these collaboration platforms. Providing education on these schemes and uses of legitimate business platforms is the first defense to preventing an incident.