It’s back to the future.
Companies and their employees are slowly returning to in-person work, with many organizations maintaining their hybrid workforce model. And this shift to remote work has resulted in an increasing reliance on web-based collaborative tools. In fact, a Gartner study found that usage of collaboration tools has nearly doubled over the last two years, going from 55% to 80% among workers.
Many of these tools, such as Microsoft Teams, Slack, and Zoom, have been integral components of organizational productivity for years, but the change to a highly remote workforce has more deeply embedded these types of applications into business operating procedures.
Realizing this opportunity, hackers and cybercriminals have altered some of their own tactics to take advantage of this new cybersecurity reality.
Collaborative tools are a more viable attack vector than they have ever been, due to their relatively new introduction to many corporate environments and a general lack of sufficient logging from these applications. So the key question to answer:
How are these collaboration platforms being abused by malicious actors—and what can companies do to better protect themselves?
As a result of the quarantine, video conferencing has become the standard for team meetings. In most cases, scheduled meeting invites are shared internally among team members via email or some other chat app. The details included in the invitations (meeting link, passcode, dial-in numbers) are unique and required for entry into most meetings. On occasion, this access information can be shared publicly, either on-purpose or inadvertently. With this data, anyone can gain access to a video session.
Another method that has been seen for gaining unauthorized access to video conferences is “meeting ID guessing,” an issue that typically affects non-password protected meetings using default settings. Although Zoom claimed its engineers have solved this issue by enabling password protection as default and stopping repeated attempts to scan for meeting IDs, there have been subsequent successful ID guessing POCs.
Whichever clandestine method someone uses to gain unwanted access to a videoconference meeting, the security implications can be severe. Both of these methods have been leveraged in an attack dubbed "Zoom Bombing," in which uninvited individuals gain access to meetings (public and private) for the purpose of trolling. Even though this may seem like harmless snooping, this can lead to disclosure of personal information, proprietary data, or confidential discussions during seemingly "private" video conferencing sessions.
The rapid deployment of tools to enable remote work has led to new attack surfaces in many organizations. Like with any remotely accessible platform, account compromise is a huge security concern. Collaboration tools are particularly vulnerable to credential stuffing, automated input of stolen credentials into web-forms meant to impersonate authorized access.
During their own research, threat intelligence company KELA found 17,000+ Slack credentials available for sale on the dark web. Due to workspace endpoints using standard naming conventions ('yourorg.zoom.us' for example), it is relatively easy for malicious actors to guess a company’s workspace and, using purchased credential lists, attempt to force authentication. Once inside an organization's workspace, an attacker can conduct suspicious activity and more easily blend into the day-to-day traffic commonly seen within the tool.
Another way in which collaboration tools are being abused is to conduct phishing attacks against internal users. While many people have been trained to identify the features of malspam and phishing emails, they may not use the same scrutiny when inside of corporate chat applications. Because these tools tend to be installed and maintained by enterprise IT teams, employees may be more trusting of the security within the tool. As a result, individuals may be more willing to share personal information or confidential documents to other "trusted" coworkers within the application.
One of the most well-known examples of phishing via collaboration tools was the Electronic Arts data breach. After gaining entry to an EA Slack channel using purchased authentication cookies, a hacker was able to impersonate an EA employee and convince an IT support specialist to give them an MFA token granting them access to the company’s internal network.
Many of the collaboration tools used within internal environments are made even more powerful by third-party platform extensions. Whether it be tracking the status of work with an issues management widget or setting up meetings with an added calendar app, these third-party integrations allow for employees to bring additional and powerful functionality to the collaboration tools they use. A malicious actor with access to your internal network may also find these third-party integrations useful. Any collaboration tool allowing cloud-based file hosting application extensions could be used to exfiltrate data to remote endpoints. The same integration, in conjunction with a little social engineering, could be used to deliver malicious files and other content to users in a workspace or channel.
Beat the Black Hats
Because of this increasing importance of collaborative applications to enterprise environments, we expect to see malicious actors expanding their efforts to leverage these productivity tools. While up to this point human interaction has been required for using collaboration tools as an actor vector, in the future we may see new exploits that would allow adversaries to pivot directly from one of these tools into corporate environments—no human required. But there is a proactive game plan:
5 ways to better protect your collaboration environments against malicious tactics:
Want to learn more about how NetWitness helps enterprises guard against collaboration platform threats? Visit netwitness.com for more info or to set up a demo.
References:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.