The Wiki-Slack Attack

What do you get when you share a Wikipedia link on Slack? As eSentire Threat Response Unit (TRU) security researchers Keegan Keplinger and Joe Stewart discovered, threat actors can be presented with a clever way in which to redirect business professionals to attacker-controlled websites.

It works like this. A threat actor selects a subject in Wikipedia that they believe will interest the type of business professionals they are targeting. For example, if the cybercriminals are targeting publicly traded companies, they might select a Wikipedia entry detailing the latest Securities and Exchange Commission’s (SEC) cybersecurity regulations that are being implemented. Because these regulations are necessary for compliance, organizations may be likely to visit the Wikipedia page – a first step in executing the Wiki-Slack attack.

Once the threat actors select a topic in Wikipedia, they will go to the first page of the Wikipedia entry and edit the page, adding a legitimate referenced footnote to the article. The footnote itself is not malicious but it paves the way for a formatting error when the article is shared in Slack. Once certain additional conditions are met – made easy by small grammatical changes to the Wikipedia article, Slack will render a link that is not visible in the original Wikipedia article.

Once a business professional copies and pastes that Wikipedia entry in a Slack channel, the malicious link is rendered. If the grammar around the link is crafted well enough, Slack users are enticed to click it, leading them to an attacker-controlled website where browser-based malware lays in wait.

Browser-based attacks are a new underestimated threat surface that, today, can lead to hands-on ransomware intrusions. Popular examples this year include BatLoader, SocGholish, Nitrogen, and Gootloader. While much of security training today focuses on email-based phishing and malicious attachments, this new paradigm in initial access has begun to dominate initial access vectors for ransomware intrusions.

Stewart and Keplinger also found that this social engineering attack works with Medium blogs. However, it should be noted that Wikipedia provides a curated, authoritative source that people trust, whereas Medium blogs are less known and author-controlled. Stewart and Keplinger, following responsible disclosure practices, reported this activity to Slack.

A complete attack chain for the Wiki-Slack attack can follow either targeted or opportunistic campaign properties. A targeted attack involves targeting organizations known to have Slack – an easy Open-Source Intelligence exercise – and constructing Wikipedia entries for them to get their attention, while an opportunistic attack looks to weaponize the most popular Wikipedia pages, approaching a watering-hole style attack.

The Attack

The Wiki-Slack Attack is an authoritative user redirection attack to drive victims to an attacker-controlled website. From there, the attacker must provide their own malware for users to download and execute. Browser-based attacks, of course, shouldn’t be underestimated, given they are one of the primary types of initial access malware observed leading to Ransomware today, including BatLoader, Nitrogen, Gootloader, SolarMarker, and SocGholish.

The attack starts when a Wikipedia link is shared in Slack under three conditions:

1. The Wikipedia link must contain a reference at the end of the first paragraph.
2. The first word of the second paragraph in the Wikipedia article must be a top-level domain (TLD) such as in, at, com, net, us, etc.
3. The above two conditions must appear in the first 100 words of the Wikipedia article.

This will cause Slack to mishandle the whitespace between the first and second paragraph, spontaneously generating a new link in Slack (Figure 1). If we look directly at the Wikipedia page, we can see this generated link doesn’t exist there (Figure 2). We have found over 1,000 organic occurrences of this artifact (Figure 3).

Opportunistic Attacks

If one does not have ethical guardrails, they can augment the attack surface of the Wiki-Slack attack by editing Wikipedia pages of interest to deface it. Because of the diminishing returns along the chain of this attack, it becomes a numbers game. One way to conceptualize this is an analog of the “marketing funnel” in which companies drive Internet traffic to eventually become sales conversions. We leverage this concept to adopt the “attack funnel” (Figure 4). 

Thus, the more Wikipedia pages an attacker can deface and register domains for, the higher the chances of eventually infecting someone of interest. Further, we can leverage Wikipedia Statistics to choose Wikipedia pages that already generate high volumes of traffic (Figure 5). In it, we see a popular option, ChatGPT, is already organically halfway to a Wiki-Slack attack. One would just need to edit Wikipedia under the guise of “more concise wording” to get a TLD out front in the second sentence (Figure 6).

Targeted Attacks

In a targeted attack flow, we want to first do a little background research on our target. For one, we want to ensure they have Slack. Organizations tend to advertise their tech stack in job postings (Figure 7). We can also take an automated approach leveraging something like python’s requests to iterate through a list of companies and automatically select the ones with Slack, given the response code in the request (Figure 8).

Finally – and because the Wiki-Slack attack is a numbers game – we want to leverage ChatGPT or similar Large Language Model (LLM) to scale out the attack and cover a large attack surface in a short time. ChatGPT is well aware of how to create both web pages and Wikipedia pages. So all we need to do is simply request it do so for a particular subject which we are interested in (Figure 9). We can augment this by scraping data about subjects or targets from articles written after 2021 (Figure 10), since ChatGPT won’t have any information post 2021.

Security Recommendations

As the security community has evolved phishing awareness training and organizations have implemented email security appliances that block most malicious spam, social engineering attacks via browser-based downloads are becoming the primary infection vector. To keep your organization protected:

1. Raise awareness around browser-based attacks, especially those associated with SocGholish, Gootloader, BatLoader, and Nitrogen malware. These tend to follow one of three paths:
   1. Fake Updates – some malware will claim that you need to update your browser, suggesting the user download and execute the browser updates provided. Never do this! Browsers today update on their own behind the scenes.
   2. Search Engine Optimization (SEO) Poisoning – GootLoader favors an attack that takes advantage of users browsing the web looking for business agreement templates and “how to” technical documents. Today, it is best to have a process for document retrieval on the web that allows only trusted sources for download.
   3. Malvertising via Google Ads – Just because the technology you’re looking for is being promoted via a Google Ad, doesn’t mean it’s necessarily safe. Threat actors are now paying for and taking out Google Ads that lead to bogus download sites for known software (such as WinSCP, WireShark, Slack, Telegram, ChatGPT – and the list goes on.)
   4. In the case of the Wiki-Slack attack, be aware that Slack previews can spontaneously generate links that weren’t in the original source material.
2. Employ endpoint monitoring on your workstations. Employees will inevitably download and execute malware when browsing the internet. Endpoint monitoring can catch execution techniques used by most malware, even when LOLBINs (Trusted Windows Processes) are abused by the malware.
3. Build cyber resilience into your processes. When ransomware incidents do happen, a human is in the network. Human operators are creative problem solvers and can get around a single layer of security rather easily.
   1. Have a mindset that compromise will happen. Accepted risk is a necessary part of doing business. Being mentally prepared is the first step to becoming organizationally resilient.
   2. Employ minimum trust. Implement Role-Based Access Control (RBAC): Define and assign roles with specific access privileges based on job responsibilities. Limit access to the minimum necessary resources for each role.
   3. Employ continuous Monitoring and Alerting: Implement monitoring and alerting systems to detect suspicious or unauthorized access.
   4. Set up alerts for unusual activities, such as multiple failed login attempts.
   5. Employ logging – when a hands-on intrusion is under way, proper logging can speed investigations up and help shut down attackers hiding in the VPN pool or on devices where endpoint technology isn’t supported.
   6. Practice inventory discovery and assessments, know what technology you have and when to patch it or reconfigure it. Even when a system doesn’t have an official vulnerability, misconfigurations can leave it vulnerable in other ways.
   7. Be ready to rebuild domain controllers.
   8. Be ready to reset all credentials and redeploy device enrollment to reset device tokens.
   9. Have backup systems and processes so that host isolation of critical systems doesn’t cripple production.

If you’re not currently engaged with a Managed Detection and Response (MDR) provider, we highly recommend you partner with us for security services to disrupt threats before they impact your business. Want to learn more? Connect with an eSentire Security Specialist.