Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Visibility and response across your entire Microsoft security ecosystem.
XDR with Machine Learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert threat hunting, original research, and proactive threat intelligence.
TRU is foundational to our MDR service. No add-ons or additional costs required.
Flexible MDR packages that enhance your cyber resilience and security operations.
Stop ransomware attacks before they disrupt your business.
Detect and respond to zero-day exploits.
Protect against third-party and supply chain risk.
Adopt a risk-based approach to cybersecurity.
Protect your most sensitive data.
Meet cybersecurity regulatory compliance mandates.
Eliminate misconfigurations and policy violations.
Prevent business disruption by outsourcing MDR.
Meet insurability requirements with MDR.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and mediating threats to prevent lateral spread.
Enhance investigation and threat detection across multi-cloud or hybrid environments.
Remediate critical misconfigurations, security vulnerabilities and policy violations across cloud and containerized environments.
Detect malicious insider and identity-based behavior leveraging machine learning models.
THE THREAT eSentire is aware of widespread exploitation attempts targeting the recently disclosed ownCloud vulnerability CVE-2023-49103. CVE-2023-49103 (CVSS: 10) is tracked as a disclosure of… READ NOW
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company's mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Waterloo, ON and GITEX GLOBAL 2023, Dubai, UAE – October 18, 2023 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced that Inspira Enterprise Inc, (Inspira), a… READ NOW
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
What do you get when you share a Wikipedia link on Slack? As eSentire Threat Response Unit (TRU) security researchers Keegan Keplinger and Joe Stewart discovered, threat actors can be presented with a clever way in which to redirect business professionals to attacker-controlled websites.
It works like this. A threat actor selects a subject in Wikipedia that they believe will interest the type of business professionals they are targeting. For example, if the cybercriminals are targeting publicly traded companies, they might select a Wikipedia entry detailing the latest Securities and Exchange Commission’s (SEC) cybersecurity regulations that are being implemented. Because these regulations are necessary for compliance, organizations may be likely to visit the Wikipedia page – a first step in executing the Wiki-Slack attack.
Once the threat actors select a topic in Wikipedia, they will go to the first page of the Wikipedia entry and edit the page, adding a legitimate referenced footnote to the article. The footnote itself is not malicious but it paves the way for a formatting error when the article is shared in Slack. Once certain additional conditions are met – made easy by small grammatical changes to the Wikipedia article, Slack will render a link that is not visible in the original Wikipedia article.
Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait.
Browser-based attacks are a new underestimated threat surface that, today, can lead to hands-on ransomware intrusions. Popular examples this year include BatLoader, SocGholish, Nitrogen, and Gootloader. While much of security training today focuses on email-based phishing and malicious attachments, this new paradigm in initial access has begun to dominate initial access vectors for ransomware intrusions.
Stewart and Keplinger also found that this social engineering attack works with Medium blogs. However, it should be noted that Wikipedia provides a curated, authoritative source that people trust, whereas Medium blogs are less known and author-controlled. Stewart and Keplinger, following responsible disclosure practices, reported this activity to Slack.
A complete attack chain for the Wiki-Slack attack can follow either targeted or opportunistic campaign properties. A targeted attack involves targeting organizations known to have Slack – an easy Open-Source Intelligence exercise – and constructing Wikipedia entries for them to get their attention, while an opportunistic attack looks to weaponize the most popular Wikipedia pages, approaching a watering-hole style attack.
The Wiki-Slack Attack is an authoritative user redirection attack to drive victims to an attacker-controlled website. From there, the attacker must provide their own malware for users to download and execute. Browser-based attacks, of course, shouldn’t be underestimated, given they are one of the primary types of initial access malware observed leading to Ransomware today, including BatLoader, Nitrogen, Gootloader, SolarMarker, and SocGholish.
The attack starts when a Wikipedia link is shared in Slack under three conditions:
This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack (Figure 1). If we look directly at the Wikipedia page, we can see this generated link doesn’t exist there (Figure 2). We have found over 1,000 organic occurrences of this artifact (Figure 3).
If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it. Because of the diminishing returns along the chain of this attack, it becomes a numbers game. One way to conceptualize this is an analog of the “marketing funnel” in which companies drive Internet traffic to eventually become sales conversions. We leverage this concept to adopt the “attack funnel” (Figure 4).
Thus, the more Wikipedia pages an attacker can deface and register domains for, the higher the chances of eventually infecting someone of interest. Further, we can leverage Wikipedia Statistics to choose Wikipedia pages that already generate high volumes of traffic (Figure 5). In it, we see a popular option, ChatGPT, is already organically halfway to a Wiki-Slack attack. One would just need to edit Wikipedia under the guise of “more concise wording” to get a TLD out front in the second sentence (Figure 6).
In a targeted attack flow, we want to first do a little background research on our target. For one, we want to ensure they have Slack. Organizations tend to advertise their tech stack in job postings (Figure 7). We can also take an automated approach leveraging something like python’s requests to iterate through a list of companies and automatically select the ones with Slack, given the response code in the request (Figure 8).
Finally – and because the Wiki-Slack attack is a numbers game – we want to leverage ChatGPT or similar Large Language Model (LLM) to scale out the attack and cover a large attack surface in a short time. ChatGPT is well aware of how to create both web pages and Wikipedia pages. So all we need to do is simply request it do so for a particular subject which we are interested in (Figure 9). We can augment this by scraping data about subjects or targets from articles written after 2021 (Figure 10), since ChatGPT won’t have any information post 2021.
As the security community has evolved phishing awareness training and organizations have implemented email security appliances that block most malicious spam, social engineering attacks via browser-based downloads are becoming the primary infection vector. To keep your organization protected:
If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.