Hackers Leverage Chat for Command&Control: How You Can Protect Your Business

Trend Micro discovered that hackers could leverage chat platform APIs to create C&C infrastructures.

Chat platforms have become a cornerstone for businesses and their customers alike. These important tools make it possible for employees to communicate and collaborate from nearly any location, and enable consumers to reach out to companies in accordance with their preferences.

This fondness for chat communication is supported by statistics gathered by Inc., revealing 42 percent of customers prefer live chat over other communication methods, and 92 percent feel satisfied after using a business's live chat feature. What's more, employees are increasingly depending on chat capabilities – according to VentureBeat, popular chat platform Slack surpassed 3 million active daily users last year, demonstrating the important role chat currently plays for business workers.

However, as chat technologies continue to attract enterprise and consumer use alike, they also garner the attention of malicious actors.

Trend Micro research shows potential for abuse

Recently, Trend Micro researchers turned their attention to popular chat solutions to find out how these could be leveraged by hackers.

"[C]hat platforms allow their users to integrate their apps onto the platforms themselves through the use of their APIs," Trend Micro researchers explained. "But one thing must be asked, especially with regard to that kind of feature: Can it be abused by cybercriminals? After all, we have seen many instances where legitimate services and applications are used to facilitate malicious cybercriminal efforts in one way or another."

Chat solutions like Slack and Discord enable integrations to allow for increased access to other third-party apps without the need for users to leave the chat platform. In this way, users can view a calendar notification or track reports while still maintaining communication connections. As researchers found out, though, this helpful capability can also open an organization up for potential infiltration and security compromise.

Successful attempt: Turning chat into C&C

Trend Micro used monitoring, background knowledge and proof-of-concept code to test the possible vulnerabilities of popular chat platforms like Discord, Slack and Telegram. Through their efforts, researchers were able to demonstrate the process hackers could use to turn a widely used chat platform into a malicious command-and-control (C&C) server. A C&C system built this way would allow hackers to communicate with compromised systems inside an enterprise's infrastructure, opening the door to further harmful activity.

Hackers are already at work

Researchers didn't just discover that this malicious capability was hypothetically possible, however. Trend Micro observed that hackers are already abusing chat platforms in this way.

"Our extensive monitoring of the chat platforms has also revealed that cybercriminals are already abusing these chat platforms for malicious purposes," Trend Micro researchers noted.

Just a few of the cybercriminal activities going on within chat platforms include:

  • Discord: Hackers are utilizing this platform to host malware with a range of dangerous capabilities, including samples capable of mining Bitcoin from infected systems, as well as those that can inject subsequent malicious files.
  • Telegram: Researchers discovered this platform is being used to spread ransomware including TeleCrypt.

The problem with chat security

What is so worrisome about these discoveries isn't just the fact that malicious activity is taking place. The true Achilles' heel here is the fact that, at this time, it simply isn't possible to secure these platforms without impacting their functionality. In other words, security efforts would inhibit users' ability to use chat platforms for their intended purpose.

"Blocking the APIs of these chat platforms means rendering them useless, while monitoring network traffic for suspicious Discord/Slack/Telegram connections is practically futile as there is no discernible difference between those initiated by malware and those initiated by the user," Trend Micro researchers explained.
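The quote above concerns network-level monitoring, where malware and user traffic to the same API hosts look identical. Endpoint telemetry that records which process opened each connection gives defenders one more signal, shown here as an added example that is not part of the article or Trend Micro's paper; the telemetry format, the API hostnames and the process allowlist are assumptions.

```python
# Added example (not from the Trend Micro article or its paper): attribute
# connections to chat-platform API hosts to the originating process, so a
# non-chat process talking to Telegram, Discord or Slack APIs stands out.
import re
from collections import defaultdict

# API hostnames for the platforms the article names (assumed for this example).
CHAT_API_HOSTS = {"api.telegram.org": "Telegram", "discordapp.com": "Discord", "slack.com": "Slack"}
# Processes an organisation expects to reach those hosts (its own allowlist).
EXPECTED_PROCESSES = {"slack.exe", "discord.exe", "telegram.exe", "chrome.exe", "firefox.exe"}

# Constructed endpoint telemetry: timestamp, host, process, destination, port.
SAMPLE_TELEMETRY = """\
2017-04-18T09:01:12Z ws-042 slack.exe dst=slack.com dport=443
2017-04-18T09:01:40Z ws-042 chrome.exe dst=discordapp.com dport=443
2017-04-18T09:02:05Z ws-042 svchost32.exe dst=api.telegram.org dport=443
2017-04-18T09:02:07Z ws-042 svchost32.exe dst=api.telegram.org dport=443
2017-04-18T09:03:00Z ws-017 updater.exe dst=cdn.discordapp.com dport=443
2017-04-18T09:03:30Z ws-017 outlook.exe dst=outlook.office365.com dport=443
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) dst=(\S+) dport=(\d+)$")

def chat_platform_for(host):
    """Return the platform name if host is a chat API host or a subdomain of one."""
    for api_host, platform in CHAT_API_HOSTS.items():
        if host == api_host or host.endswith("." + api_host):
            return platform
    return None

def find_unexpected_chat_connections(telemetry):
    """Return sorted (host, process, platform, count) for chat API traffic
    from processes outside the allowlist; everything else is ignored."""
    counts = defaultdict(int)
    for line in telemetry.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines rather than crash the scan
            continue
        _ts, host, process, dst, _dport = m.groups()
        platform = chat_platform_for(dst)
        if platform and process.lower() not in EXPECTED_PROCESSES:
            counts[(host, process, platform)] += 1
    return sorted((h, p, pl, n) for (h, p, pl), n in counts.items())

if __name__ == "__main__":
    for host, proc, platform, n in find_unexpected_chat_connections(SAMPLE_TELEMETRY):
        print(f"{host}: {proc} made {n} connection(s) to {platform} API hosts")
```

On the constructed sample, the Slack client and the browser are ignored while the two unknown processes reaching Telegram and Discord hosts are reported; a real deployment would need the allowlist maintained per environment.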

Balancing risk with safe use

This situation creates a dilemma for today's businesses, as decision-makers must decide if the use of these platforms is worth the potential security risk. According to Trend Micro, the answer depends on the organization's current security posture.

"If the network/endpoint security of a business using a chat platform is up to date, and the employees within that business keep to safe usage practices, then perhaps the potential risk may be worth the convenience and efficiency," Trend Micro researchers stated.

Other security best practices to employ here include:

  • Educate users on safe use practices: Users should know not to click on suspicious links or files, even if they are sent by a familiar contact. In addition, the chat platform should only be used for work purposes, and all communications and credentials should be kept confidential.
  • Support education with usage guidelines: In order to ensure safe usage habits, companies should create guidelines that underscore the information employees learn during the above-described education process.
  • Consider discontinuing use: It's also important to consider whether or not a chat platform is really critical, and worth the potential security risk. Some smaller businesses, or those with other communication methods at their disposal, may decide that chat isn't mission-critical for daily use, and may discontinue using it as opposed to dealing with the potential vulnerability.

Chat platforms can pose a risk to security, but when balanced with safe use practices, this risk can be addressed. To find out more about how hackers are utilizing chat platforms for C&C capabilities and how this could impact your business, check out Trend Micro's research paper, "How Cybercriminals Can Abuse Chat Program APIs as Command-and-Control Infrastructures."
