Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT On November 18th, 2024, Palo Alto disclosed a critical actively exploited authentication bypass zero-day vulnerability impacting Palo Alto Networks PAN-OS. The…
Nov 13, 2024THE THREAT Update: eSentire has observed multiple exploitation attempts targeting CVE-2024-8069. In real-world attacks, threat actors successfully achieved RCE and attempted to…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
What do you get when you share a Wikipedia link on Slack? As eSentire Threat Response Unit (TRU) security researchers Keegan Keplinger and Joe Stewart discovered, threat actors can be presented with a clever way in which to redirect business professionals to attacker-controlled websites.
It works like this. A threat actor selects a subject in Wikipedia that they believe will interest the type of business professionals they are targeting. For example, if the cybercriminals are targeting publicly traded companies, they might select a Wikipedia entry detailing the latest Securities and Exchange Commission’s (SEC) cybersecurity regulations that are being implemented. Because these regulations are necessary for compliance, organizations may be likely to visit the Wikipedia page – a first step in executing the Wiki-Slack attack.
Once the threat actors select a topic in Wikipedia, they will go to the first page of the Wikipedia entry and edit the page, adding a legitimate referenced footnote to the article. The footnote itself is not malicious but it paves the way for a formatting error when the article is shared in Slack. Once certain additional conditions are met – made easy by small grammatical changes to the Wikipedia article, Slack will render a link that is not visible in the original Wikipedia article.
Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait.
Browser-based attacks are a new underestimated threat surface that, today, can lead to hands-on ransomware intrusions. Popular examples this year include BatLoader, SocGholish, Nitrogen, and Gootloader. While much of security training today focuses on email-based phishing and malicious attachments, this new paradigm in initial access has begun to dominate initial access vectors for ransomware intrusions.
Stewart and Keplinger also found that this social engineering attack works with Medium blogs. However, it should be noted that Wikipedia provides a curated, authoritative source that people trust, whereas Medium blogs are less known and author-controlled. Stewart and Keplinger, following responsible disclosure practices, reported this activity to Slack.
A complete attack chain for the Wiki-Slack attack can follow either targeted or opportunistic campaign properties. A targeted attack involves targeting organizations known to have Slack – an easy Open-Source Intelligence exercise – and constructing Wikipedia entries for them to get their attention, while an opportunistic attack looks to weaponize the most popular Wikipedia pages, approaching a watering-hole style attack.
The Wiki-Slack Attack is an authoritative user redirection attack to drive victims to an attacker-controlled website. From there, the attacker must provide their own malware for users to download and execute. Browser-based attacks, of course, shouldn’t be underestimated, given they are one of the primary types of initial access malware observed leading to Ransomware today, including BatLoader, Nitrogen, Gootloader, SolarMarker, and SocGholish.
The attack starts when a Wikipedia link is shared in Slack under three conditions:
This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack (Figure 1). If we look directly at the Wikipedia page, we can see this generated link doesn’t exist there (Figure 2). We have found over 1,000 organic occurrences of this artifact (Figure 3).
If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it. Because of the diminishing returns along the chain of this attack, it becomes a numbers game. One way to conceptualize this is an analog of the “marketing funnel” in which companies drive Internet traffic to eventually become sales conversions. We leverage this concept to adopt the “attack funnel” (Figure 4).
Thus, the more Wikipedia pages an attacker can deface and register domains for, the higher the chances of eventually infecting someone of interest. Further, we can leverage Wikipedia Statistics to choose Wikipedia pages that already generate high volumes of traffic (Figure 5). In it, we see a popular option, ChatGPT, is already organically halfway to a Wiki-Slack attack. One would just need to edit Wikipedia under the guise of “more concise wording” to get a TLD out front in the second sentence (Figure 6).
In a targeted attack flow, we want to first do a little background research on our target. For one, we want to ensure they have Slack. Organizations tend to advertise their tech stack in job postings (Figure 7). We can also take an automated approach leveraging something like python’s requests to iterate through a list of companies and automatically select the ones with Slack, given the response code in the request (Figure 8).
Finally – and because the Wiki-Slack attack is a numbers game – we want to leverage ChatGPT or similar Large Language Model (LLM) to scale out the attack and cover a large attack surface in a short time. ChatGPT is well aware of how to create both web pages and Wikipedia pages. So all we need to do is simply request it do so for a particular subject which we are interested in (Figure 9). We can augment this by scraping data about subjects or targets from articles written after 2021 (Figure 10), since ChatGPT won’t have any information post 2021.
As the security community has evolved phishing awareness training and organizations have implemented email security appliances that block most malicious spam, social engineering attacks via browser-based downloads are becoming the primary infection vector. To keep your organization protected:
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.