Slacking Off – Slack and the Corporate Attack Surface Landscape

Raveed Laeb, Product Manager

  • Some media reports stated that last week’s Twitter hack was facilitated by an attacker who fished sensitive credentials from within the company’s internal Slack – essentially leveraging the instant messaging app as a vector for initial access.
  • Credentials to over 12,000 Slack workspaces are available for sale on underground cybercrime markets, representing an explicit threat for thousands of organizations. However, examination of both open-source reporting and cybercrime communities don’t reveal a current, well-established attacker interest in the platform.
  • KELA assumes cybercrime actors might be having a hard time monetizing Slack compromises since the cloud-based app grants no direct access to a target’s network, and pivoting from it to other internal applications requires a combination of tedious reconnaissance and sheer luck.
  • The growth of “big game hunting” tactics in ransomware and the monetization of targeted intrusions lead us to believe that interest in Slack – and other cloud-based apps expanding the corporate attack surface – will probably grow in the future.
  • As such, KELA strongly recommends implementing an automated, scalable monitoring solution that offers insights into cybercrime activities targeting cloud-based apps storing sensitive data.