Thanks to the growing availability of vaccines and the efficiency of the immunization roll out in multiple countries, the world is starting to see a light at the end of the COVID-19 tunnel. However, cyber-criminals continue to capitalize on the pandemic, constantly modifying their tactics to adapt to the new distributed workplace.
At the beginning of the COVID-19 crisis, it was clear that the rapid adoption of cloud and collaboration platforms gave new opportunities to malicious actors. Cyber-criminals immediately started to exploit cloud storage to distribute malware and phishing pages, and collaboration platforms for themed phishing campaigns.
One year on and this trend continues unabated, fuelled by the growing adoption of cloud services and the increasing use of personal applications on corporate-managed devices. The findings in the Netskope February 2021 Cloud and Threat Report clearly back up this trend:
- A 20% increase of cloud applications led by collaboration and consumer apps
- A constant growth of the cloud-delivered malware that now represents 61% of all malware (and the 27% of the malware downloads are composed of malicious Office documents)
- A less pronounced, but equally constant, growth of cloud phishing, with 13% of phishing campaigns hosted in the cloud and 33% targeting cloud app credentials
Confirming how thin the line is between personal and professional lives, according to the Netskope data, every month 83% of users access personal apps from managed devices. Personal app instances pose a double risk for organizations: not only can they be used to upload sensitive data with the risk of exposure and the consequent loss of control for organizations (an issue that recently affected the UK Ministry of Defence), but they can also be exploited by cyber-criminals for malicious purposes, leveraging a legitimate infrastructure that is not necessarily inspected by a corporate security gateway if the user is working from home. Many organizations even implement split-tunnelling for non-corporate traffic to avoid excessive pressure on the on-prem infrastructures, or inspection of the traffic to cloud applications that are considered implicitly trusted.
Exploiting Collaboration Apps as Malicious Infrastructure
At the beginning of the pandemic, because of the sudden shift to remote work, collaboration tools were immediately exploited by cyber-criminals with themed campaigns that impersonated the most common platforms such as Zoom or Microsoft Teams as bait for phishing and malware delivery. Today, threat actors have adapted their tactics, instead focusing on collaboration services that allow a personal use, and exploiting them as an infrastructure for attacks.
Recent research by Cisco Talos provides additional insight, outlining the shift by cyber-criminals towards platforms such as Discord and Slack, that have become increasingly popular during the pandemic. These services are regularly exploited to deliver malware, to retrieve additional components used in the attack chain, or even as a channel for command and control and data exfiltration. Cyber-criminals leverage the fact that users are extremely familiar with these platforms and regularly use them to communicate and exchange attachments - also a common characteristic for cloud apps. This traffic bypasses security controls if generated from a personal device outside of the corporate perimeter - an obsolete concept these days.
The exploitation of Slack is not new (you probably remember SLUB), however what was previously an exception has now become a consolidated norm. And if the exploitation of Slack might seem a novelty, the same can’t be said for Discord, a platform popular among gamers, which has seen multiple campaigns abusing its infrastructure over past months.
Collaboration apps are playing a crucial role in the distributed workspace that has emerged during the pandemic (which is also likely to be the new normal), but at the same time they continue to offer new opportunities to cyber-criminals who are constantly adapting their tactics. At the beginning of the pandemic, these tools were exploited predominantly for themed phishing campaigns, leveraging the fact that users were forced to adopt them without being completely familiar with them. Today, the same apps are now considered by attackers as a consolidated and reliable mechanism to deliver malware and exfiltrate data simply because users have become so comfortable with them, they have blurred line that separates personal and business use.
What Can Organizations Do to Mitigate the Risk of the Malicious Exploitation Collaboration Apps?
Organizations must educate users about the correct utilization of corporate devices for personal purposes, but also to not use personal collaboration apps (and in general personal apps) for business purposes. They must also embrace a new model that secures the employees’ traffic regardless of their location and the nature of the traffic itself (whether it’s business-related or personal). Split-tunnelling is not an option given the increasing use of business devices for personal usage and the consequent risk of turning the device into a gate for the attackers once a personal service is exploited. Similarly backhauling all the traffic to a central security gateway isn’t a viable option in a world where the 53% of the internet traffic is now composed of cloud applications.