Sergey Nivens -

Cisco: Threat actors abusing Slack, Discord to hide malware

The threat intelligence vendor released a new report on how threat actors are increasingly abusing popular collaboration applications like Slack and Discord during the pandemic.

Threat actors have taken advantage of the COVID-19 pandemic once again, this time by abusing collaboration apps.

A new report from Cisco Talos focused on a significant increase in attacks that have utilized collaboration platforms such as Discord and Slack since the onset of the pandemic. While these attacks are not new, the report highlighted a major shift to remote work, which "coincided with increased reliance" on these platforms to conduct business.

As the pandemic continued, Cisco said it observed several threat actors changing their tactics, techniques and procedures to adapt to the new enterprise workflow. Threat actors are now uploading malicious code, including remote access Trojans (RATs), information stealers and internet of things (IoT) malware, to these platforms for delivery, component retrieval and command-and-control capabilities.

The report said collaboration platforms can enable adversaries to conduct campaigns using "legitimate infrastructure that may not be blocked in many network environments." In addition, Cisco Talos said these campaigns don't require victims to use or have these collaboration apps installed -- threat actors can simply email the links to malicious files hosted on Slack and Discord.

Nick Biasini, a Cisco Talos threat researcher who worked on the report, told SearchSecurity that an overwhelming majority of activity they observed happened in the last six to eight months.

"There may have been very low-level, occasional examples of this type of abuse that was pre-pandemic, but we didn't see significant campaigns like we're seeing today. You may have the one-off occasional actor trying out new things, but not like this widespread adoption we're seeing now."

Now, he said, it is rampant.

Abuse on the rise

According to the report, some of the apps, including Discord, support file attachments which make them a target for adversaries. If they are being used in a corporate environment, they become even more appealing. While malware delivery generally presents challenges for threat actors, such as ensuring the files, domains or systems don't get taken down or blocked, using communication platforms "that are likely allowed increases the likelihood that the attachment reaches the end user."

When users communicate on these platforms, whether professionally or personally, files are transmitted by attaching them in channels. Those files are stored within a content delivery network (CDN) the platform provider operates and can be accessed as they appeared when they were originally attached. According to the report, they can be accessed regardless of whether the app has been installed.

"This functionality is not specific to Discord. Other collaboration platforms like Slack have similar features. Files can be uploaded to Slack, and users can create external links that allow them to be accessed, regardless of whether the recipient even has Slack installed," the report said.

Cisco Talos found a sharp rise in malicious emails it blocked that contained links to files hosted across these CDNs; in March 2020, these files represented 3.7% of all email threats, but by June that percentage had more than tripled.

Not only was there an increase in malware delivery, but the report also found the Discord and Slack platforms were abused for the exfiltration of sensitive data. "In many cases, this activity is conducted via the Discord application programming interface (API) which provides a robust mechanism that adversaries can take advantage of," the report said.

In addition, Cisco Talos said threat actors can steal authentication tokens for Discord to hijack users' accounts and remain anonymous. According to the report, at the time of writing Discord does not implement client verification to prevent impersonation by way of a stolen access token.

Biasini said Discord and Slack are alluring to threat actors because they offer capabilities that can be difficult to shut down. And threat actors are always looking for the next opportunity to take advantage, just as they did with targeting schools and hospitals throughout the pandemic.

"They are always looking for ways to continue what they're doing without being caught or shut down," he said. "You can do things like steal other people's tokens so you can impersonate users, takes over accounts. It helps them have a layer of abstraction from them actually being the ones who created the accounts," he said.

SearchSecurity contacted Slack and Discord regarding Cisco Talos' research. A Discord spokesperson said the company relies on a mix of proactive scanning and reactive reports to detect malware and viruses, though it's not always enough. If they become aware of threat actors compromising the CDN, they remote the content and take appropriate action on any participants.

"We are working to enhance our processes to make it easier to report these types of issues, improve the way these issues are internally routed for faster triaging, and dedicate more resources to proactively identifying this type of abuse," a Discord spokesperson said. "We understand that antivirus scanning is often imperfect, and we are continuously iterating upon this method to improve our technology as bad actors are doing the same."

A Slack spokesperson said the company has measures in place to block malicious files from being shared through the service, with additional protections planned for release in the coming months.

"Keeping our customers and their data secure is our top priority at Slack. In February of this year, we blocked the ability for attackers to use Slack to publicly share .exe files containing malicious executable code," the spokesperson said. "Additionally, as we shared earlier this month, Slack automatically blocks certain files shared with external organizations in Slack Connect, both in channels and DMs. To further prevent phishing scams and spam, we're building industry-standard malware protection and link scanning, where malicious activity is automatically prevented. These tools will roll out this spring."

An additional challenge remains from a defender perspective. According to Biasini, one of the factors a security team would look at would be blocking the domain or IP address that is hosting the malicious file. "But you can't really do that with Discord because you would block Discord effectively."

Not all organizations allow the use of these platforms, which can affect the mitigating factors, Biasini said. "If you have an organization that does not allow Discord, then they may be able to take steps to do more active blocking than you would otherwise. That's where it comes into play -- how does the organization or enterprise defend against it?"

According to the report, if the chat application is not being used internally for business purposes, it may be worth considering blocking some of the domains that can be abused for content delivery or putting other mitigations in place. And while it may have been prompted by the pandemic, it appears this increase in activity is here to stay.

"This is likely the new normal going forward. You're going to see this type of abuse happen more," Biasini said.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing