How many software programs do you regularly use at work? If you’re like most people, it’s more than you can count on both hands. The enterprise software market is expected to reach $634 billion by 2023, answering the growing demand for tools that improve business operations and productivity. Yet the very tools you rely on at work are becoming a back door through which cyber threat actors gain access to your organization. Our intel analysts assembled the top three techniques and tactics that cyber threat actors are using to corrupt enterprise software applications.
No. 1: Malware using Slack for command and control (C2) communications – New backdoor malware dubbed “SLUB” has used the Slack collaboration platform to facilitate its C2 communications. SLUB is the first known malware to use Slack as a C2 channel, and it represents yet another technique for attempting to conceal malware communications as legitimate traffic from common enterprise software. What’s more, companies that provide software—particularly software that enables real-time communication—must be prepared to detect and mitigate unique and innovative techniques that are used to put their products to malicious use. Implementing threat defense operations to help identify new threat vectors such as SLUB can help your organization mitigate potential corruption of collaboration applications. In addition, deploying managed threat services across your enterprise networks provides amplified detection, investigation, and response capabilities, enhancing your ability to effectively mitigate emerging threats.
No. 2: Malicious transport agents infecting Exchange servers – State-sponsored actors were found using malicious transport agents to modify, block, and forward email communications that traversed their targets’ Microsoft Exchange servers. Transport agents are often used for legitimate purposes such as spam filtering, yet this may be one of the first campaigns using transport agents maliciously. The same actors previously compromised individual Microsoft Outlook clients, but the use of transport agents on Exchange servers provides a broader view of the emails traversing the network, ultimately providing near-total insight into a victim’s email communication. To defend against this technique, you can deploy managed threat services to gain deeper visibility into your network, swiftly remediate infections, and continually monitor your digital environment for new vulnerabilities.
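One concrete check an Exchange administrator can run for the transport-agent technique above is to inventory every registered agent and flag those whose assembly is unsigned, signed by an unexpected publisher, or located outside the Exchange install tree. This is an added example for this post, not code from the campaign research or from Microsoft; it assumes it is run from the Exchange Management Shell on the server, that the ExchangeInstallPath environment variable set by Exchange setup is present (with a fallback path), and that the Get-TransportAgent object exposes AssemblyPath and TransportAgentFactory properties.

```powershell
# Added example: audit registered Exchange transport agents for signs of tampering.
# Assumption: run in the Exchange Management Shell on the Exchange server itself.

$exchangeRoot = $env:ExchangeInstallPath   # assumption: set by Exchange setup
if (-not $exchangeRoot) { $exchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15\' }

$findings = foreach ($agent in Get-TransportAgent) {
    $path    = $agent.AssemblyPath
    $reasons = @()

    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        $reasons += 'assembly path missing or file not found'
    }
    else {
        # Exchange's own agents live under the install directory; anything elsewhere deserves a look.
        if (-not $path.StartsWith($exchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "assembly outside Exchange install tree ($path)"
        }

        # Authenticode status: a valid Microsoft signature is expected for built-in agents.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature status $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            # Third-party agents (e.g. spam filters) are legitimate, but only if you installed them.
            $reasons += "signed by non-Microsoft publisher: $($sig.SignerCertificate.Subject)"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Agent    = $agent.Identity
            Enabled  = $agent.Enabled
            Priority = $agent.Priority
            Factory  = $agent.TransportAgentFactory
            Reasons  = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious transport agents found.' }
```

Compare the output against your change records and your vendor's documented agent names; on Exchange 2013 and later, repeat the inventory for the other services with Get-TransportAgent -TransportService (FrontEnd, MailboxSubmission, MailboxDelivery) since each keeps its own agent list.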
No. 3: Malware communications emulate calendar requests – Cobalt Group targeted Kassa Nova Bank in Kazakhstan to steal funds and to use the bank’s infrastructure to gain access to other organizations. The group leveraged the Cobalt Strike Beacon payload, which used C2 communications to emulate the network traffic generated from views of Microsoft Office 365 Outlook calendars. The tactic appeared to be new to the group, although Check Point security research suggested that it may have leveraged publicly available “malleable C2 profiles.” If you think that your organization may be a potential target of Cobalt Group or similar actors, assess your ability to quickly identify and investigate anomalous Office 365 network traffic. You can do this by testing whether your tools and processes are effectively identifying or preventing malicious activity, and by practicing organizational response plans.
To lock down backdoor vulnerabilities in your trusted enterprise software applications, think like the attacker and understand what targets malicious actors may want to steal from your organization. Proactive efforts like threat hunting can uncover evidence of compromises while a threat monitoring capability provides deep visibility into attack chains so that you can take quick action. Remediation may require preventing infections from entering your networks by patching impacted systems and upgrading operating systems.