Hackers Used Slack To Avoid Network and Endpoint Detection
Notoriety is what hackers thrive on, whether it earns them money or puts their dirty deeds in the news headlines.
Network hacks are on the rise, increasing in both severity and frequency each year. In 2017 a joint study from Accenture and the Ponemon Institute concluded that the average company experiences 130 security breaches, a more than 24 percent increase compared to the previous year.
Cybercriminals have a variety of objectives in mind when they orchestrate attacks. They may want to lay their hands on valuable information so that they can sell it on the black market, or they may want to damage a company’s reputation in a way that takes months to repair.
Hackers thrive on notoriety too, whether it earns them recognition from fellow criminals or their dirty deeds fill newspaper headlines.
The CSO news item on hackers using Slack to hide malware communications is not a surprise.
Once again a group of hackers has used an undocumented backdoor program, this one developed to interact with the attackers over Slack. This is the first time researchers have seen the popular enterprise collaboration tool Slack being used in this way. Nevertheless, using legitimate services for malware command-and-control is not a new development, because it helps attackers evade network-level and even endpoint-level detection of potentially suspicious traffic: the malicious connections blend in with legitimate use of the service.
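One defender-side check that follows from this point: because the C2 traffic goes to a legitimate domain, blocking the destination is not an option, but the process that opens the connection can still be compared against the clients that are expected to reach Slack. The script below is an added example, not code from the article or from Trend Micro; it runs over constructed Sysmon-style network-connection events with hypothetical hosts and paths, and the allowlist of expected Slack client binaries and the Slack domain list are assumptions to adapt to your environment.

```python
from collections import defaultdict

# Constructed sample of endpoint network-connection events (Sysmon-style
# fields; hosts, paths and destinations are hypothetical).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Users\\a\\AppData\\Local\\slack\\app-4.0\\slack.exe",
     "dest": "slack.com", "port": 443},
    {"host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe",
     "dest": "update.microsoft.com", "port": 443},
    {"host": "ws02", "image": "C:\\Users\\b\\AppData\\Roaming\\winhlp.exe",
     "dest": "slack.com", "port": 443},
    {"host": "ws02", "image": "C:\\Users\\b\\AppData\\Roaming\\winhlp.exe",
     "dest": "files.slack.com", "port": 443},
    {"host": "ws03", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest": "app.slack.com", "port": 443},
]

# Assumed allowlist: binaries that legitimately talk to Slack in this
# environment (the desktop client and browsers). Tune per organisation.
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Assumed domain list; extend with the Slack hostnames your proxy logs show.
SLACK_DOMAINS = ("slack.com",)


def is_slack_destination(dest: str) -> bool:
    """True if dest is slack.com or one of its subdomains."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in SLACK_DOMAINS)


def find_unexpected_slack_clients(events):
    """Return {(host, image): [destinations]} for processes that reach Slack
    infrastructure but are not on the expected-client allowlist."""
    findings = defaultdict(list)
    for ev in events:
        if not is_slack_destination(ev["dest"]):
            continue
        # Normalise Windows paths and keep only the executable name.
        exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe not in EXPECTED_SLACK_CLIENTS:
            findings[(ev["host"], ev["image"])].append(ev["dest"])
    return dict(findings)


if __name__ == "__main__":
    for (host, image), dests in find_unexpected_slack_clients(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {image} -> {sorted(set(dests))}")
```

This heuristic flags the unknown binary on ws02; it is a triage signal, not a complete detection, since a backdoor can also run inside an allowlisted process.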
The security firm Trend Micro detected the backdoor, which was delivered in a targeted attack launched from the compromised website of an organization called the Korean American National Coordinating Council, which posts articles related to North and South Korean politics. The article describes this as a “watering hole” attack, a technique in which attackers infect websites that are of interest to a particular group of individuals.
What we do not yet know is how the hackers diverted their victims to this website: was it through an email phishing campaign, or did they simply plant the bait and wait for visitors to take it? The article clearly states that the site was modified to host an exploit for a remote code execution vulnerability in the Windows VBScript engine.
What we learn from the online article is that the infected system’s operating system was not up to date: the vulnerability, tracked as CVE-2018-8174, had been patched by Microsoft in May 2018. It means an up-to-date operating system would have prevented the attack.
The Trend Micro researchers said in their report: “Our investigation makes us believe with strong confidence that it was part of a possible targeted attack campaign. So far, we have not been able to find related attacks and have not spotted the custom backdoor elsewhere.”
“We have been searching for similar samples and have found none so far, which is a strong indication that the attackers either developed the malware or got it from a private developer who has not publicly leaked it.”
Slack has disabled the workspace set up by the attackers. The article rightly concludes that this will probably not be the last attack in which hackers decide to abuse Slack’s service.
Julia Sowells
Julia Sowells is a technology and security professional. In a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and served as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.