We have seen a growing number of vulnerability disclosures, proof-of-concept exploits, and real-world incidents exploiting human communications beyond emails in channels such as Slack, Microsoft Teams, and Zoom. These cloud-based channels are not only a viable attack vector but an increasingly attractive one for criminals to exploit human communications, given the unique insider access they can provide. Our research has concluded that the kill chain targeting human communications can be mapped to the cyber kill chain used to breach enterprises.
As remote work has come to rely on new communication tools above and beyond email — tools that have become more integral to corporate workforces — attacks will continue to grow. Businesses must understand the full attack surface that targets communications in order to put in place the proper security strategy.
Recon, Weaponization, and Delivery of Exploits Using Communications
Adversaries use communication platforms to conduct reconnaissance and gather valuable intelligence that is then used to compromise victims through convincing social engineering attack campaigns that involve various techniques like phishing and pretexting. One common tactic to watch is the use of open redirect URLs (where the domain is for a legitimate site but the body of the URL includes a query to send victims to another site listed in the parameter of the link). In another recent campaign, criminals used fake Zoom meeting invites to steal credentials.
Malicious actors also have access to an abundance of stolen credentials in the Dark Web, which can be used in credential stuffing attacks on collaboration app accounts, where the likelihood of employee password reuse is high. Additionally, user cookies for Slack and compromised accounts are readily available for purchase in the Dark Web, in sites such as Genesis. These sites can sell any number of accounts in a botnet, where the cookies and device fingerprints remain intact and are otherwise undetectable as they operate in the enterprise infrastructure, allowing for targeted attacks on those enterprises and creating breaches. This is how a malicious actor gained access to Electronic Arts' Slack channel, which was the entry point for a significant data breach.
Configuration errors by both the platforms and users frequently put corporate data at risk. These misconfigurations include insecure default settings and permissions, such as Salesforce Communities, which has led to widespread accidental public exposure of data by users, or Slack's previously reported problem, which allowed anyone to create an API key and subsequently scrape contact information from public channels.
Organizations also routinely make mistakes when it comes to managing privacy settings and proper deployments, leaving them vulnerable to data leaks and attacks. In many cases, these third-party platforms make public sharing a default setting, or they have complicated or obscure security practices that must be adhered to in order to avoid a public exposure, which makes it relatively easy for companies to trip themselves up. The recent case of Microsoft Power Apps, in which more than 38 million sensitive records were exposed by major companies and state and local governments because of the service's abstruse security guidelines, is a clear example of these risks.
It may also be difficult for companies to automate restrictive security settings for their full workforce because services like Slack require the individual user to manually adjust key settings, such as establishing a waiting room to approve meeting attendees.
Install, C2, and Attacker Action Focusing on Human Communications
Once attackers have breached accounts, an adversary can target its employees, IT team, and executives through social engineering attacks to steal access information such as credentials, VPN tokens, and other information.
Since these platforms don't adequately scan for malicious content, attackers can upload malware directly to the cloud channel and then deliver it to other users as a legitimate-looking file attachment. They can also share malicious links that will lead employees to external sites that will harvest their credentials or infect them with malware.
Criminals are also using collaboration apps as a means for carrying out attacks outside of these platforms. By hosting malware on a collaboration platform such as Slack or Discord, an attacker can deliver malicious links to employees via phishing emails that are likely to bypass traditional malware detection tools while also catching the recipients off-guard. Similarly, attackers are also using cloud-based platforms like Google Drive to spoof legitimate shared documents and host malicious redirect links in targeted phishing attacks.
How to Manage These Risks
It's important for companies to recognize that new and old threats that exist in email are migrating to other communications platforms like Slack, Teams, and Zoom. Attackers have developed their own kill chain (similar to the cyber kill chain) and repeat a common step-by-step process to breach organizations via these cloud-based communications channels. Companies also have the opportunity to understand their risk level by inspecting their own communication traffic.
Attackers can gain access to these private communication channels through various means, so companies should prepare for business communication compromise, invoice fraud, and credential- and access-stealing attacks by extending their layered defense strategy to these new modes of communications.
Organizations should have and enforce strict policies — and conduct regular security awareness training — to reduce the risk of data theft, credential theft, and accidental data exposure inside these corporate communications channels. This should include forbidding and monitoring the sharing of sensitive information (such as account credentials), uploading files, or circulating links and inspecting files and links to evaluate if they are compromised. Companies should also restrict user behavior through the app's permission settings, and they should make sure that privacy settings are always enabled when these are available.