Many organizations have shifted their operations to utilizing chat and bot software to improve the effectiveness of their DevOps teams. Bots provide a powerful method to execute and handle tasks quickly in different environments. Many organizations have also embraced cloud-based chat services like Slack, including our team at Praetorian. Slack is centered around immediacy and collaboration, which allows for easy discussion between teams. It's a popular method to ensure constant communications between different internal groups within the organization.

Attackers have started to take advantage of assumptions that administrators make about the security of these web services. MITRE ATT&CK™ includes a Web Services (T1102) technique that has been used by many different threat groups, including Carbanak and APT 37.

In the old days, it was common to see denial of service bots controlled and managed by Internet Relay Chat (IRC). The issue with IRC is that its primary port ran on 6667/TCP, often without any type of encryption. As network-based detection and prevention has advanced, it has become easier to mitigate IRC as a malicious command and control (C2) vector.

In 2013, I wrote a blog post about using Twitter for Command and Control (C2) built for the Northeast Cyber Collegiate Defense Competition (CCDC). In this post, we use this same technique to demonstrate how Slack can be used as a malicious C2 channel. Detecting or blocking this content is difficult since it is encrypted and transmitted over SSL to a legitimate website. Our proof of concept (PoC) blends in with normal business activities such as user-to-user or user-to-group communications.

These sleep times can help our C2 fly under the radar, but will also impact the ability of the attack operator to execute rapidly, depending on how aggressively the timeouts are configured. In our PoC, we also configure a random sleep between 1m and 5m to further obfuscate our activity. Future versions may add additional encryption on top of SSL. Detecting this type of activity requires sophisticated network analysis capabilities, such as the ability to intercept and decrypt SSL messages.
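Because the payload is encrypted to a legitimate site, a defender without SSL interception is left with connection metadata. The following added example (not code from the Praetorian post or its PoC) shows one metadata-only heuristic: it parses constructed proxy log lines and flags client/host pairs whose requests are always spaced inside a jitter window (here 60 to 300 seconds, mirroring the 1m to 5m random sleep described above) and whose request sizes barely vary, which is unlike interactive human use of the same service. The log format, the IP addresses and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Fields assumed to be:
# "<ISO timestamp> <client ip> <destination host> <request bytes>"
# 10.0.0.5 beacons with jittered 1m-5m spacing and near-constant size;
# 10.0.0.7 looks like a person using the same service interactively.
SAMPLE_LOG = """\
2019-03-01T09:00:00 10.0.0.5 slack.com 512
2019-03-01T09:02:10 10.0.0.5 slack.com 498
2019-03-01T09:06:40 10.0.0.5 slack.com 530
2019-03-01T09:08:05 10.0.0.5 slack.com 505
2019-03-01T09:12:30 10.0.0.5 slack.com 511
2019-03-01T09:00:00 10.0.0.7 slack.com 2048
2019-03-01T09:00:03 10.0.0.7 slack.com 15000
2019-03-01T09:45:00 10.0.0.7 slack.com 900
2019-03-01T11:10:00 10.0.0.7 slack.com 300
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, client, host, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(size)))
    return records


def detect_jittered_beacons(text, lo=60, hi=300, min_intervals=4, max_size_cv=0.2):
    """Return {(client, host): stats} for flows whose inter-request gaps all
    fall inside [lo, hi] seconds and whose request sizes have a low
    coefficient of variation. Thresholds are assumed, tune them to a baseline."""
    flows = defaultdict(list)
    for ts, client, host, size in parse_log(text):
        flows[(client, host)].append((ts, size))
    flagged = {}
    for key, events in flows.items():
        events.sort()
        times = [e[0] for e in events]
        sizes = [e[1] for e in events]
        intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        if len(intervals) < min_intervals:
            continue  # too few requests to judge periodicity
        if not all(lo <= gap <= hi for gap in intervals):
            continue  # at least one gap outside the jitter window
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if size_cv > max_size_cv:
            continue  # sizes vary like real conversation, not a check-in
        flagged[key] = {"intervals": intervals, "size_cv": round(size_cv, 3)}
    return flagged
```

The heuristic only narrows review down to candidate flows; legitimate clients also poll, so a real deployment needs a baseline of normal polling behaviour and ideally the decrypted content the text says detection requires.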