You Have A New Message From a Hacker: Malicious Files Infiltrating Business File Transfer Portals

January 19, 2021

In order to conduct business operations efficiently and effectively, organizations need to be able to transfer files to relevant parties. That includes transferring files internally between departments, such as Human Resources sending tax forms completed by a new hire to Finance, as well as sending and receiving files from external sources and third parties. Many organizations rely on file hosting services, business communication platforms, project management software, etc. to achieve these objectives. The use of these programs has significantly increased since the shift to teleworking began as a result of the COVID-19 pandemic.

As a result, organizations must be cognizant of the file-borne threats not only in their email channels but also in business file transfer portals because hackers will never miss an opportunity to take advantage of a new or recently popular threat vector. 

File-borne threats can take a variety of forms

Hackers are able to leverage files to infiltrate corporate networks, infect systems, spread malware and deploy ransomware. There are numerous ways threat actors can turn a file into a carrier for malicious activity. A file can be laced with an installer that loads an infostealer onto the infected device, which then gathers basic system information and scans installed applications, such as email clients. Additionally, macros inside files, typically Microsoft Office files, can be altered for nefarious purposes: malicious code embedded in the macro runs as soon as the document is opened and goes on to spread malware.

File hosting services, business communication platforms, and project management software serve as attractive threat vectors for cybercriminals due to the amount of trust employees place in these technologies. Users are more likely to be tricked into engaging with malicious files in these programs because of their assumed association with legitimate business activities.

Infiltrating project management software

Project management software helps employees stay on top of tasks by facilitating collaboration among team members through simplified file sharing. Threat actors have distributed malicious executables using public download links, as seen with Basecamp. In this case, corporate networks were compromised once a stealthy backdoor Trojan from TrickBot was deployed. This enabled the threat actor group to access the network and ultimately deploy Ryuk ransomware.

Infiltrating business communication platforms 

The surge of teleworking employees has forced organizations to leverage business communication platforms so that employees can communicate from wherever they are. These platforms go beyond instant messaging to include capabilities such as file sharing and multimedia attachments. A recent phishing attack leveraging Slack involved an email that directed users to a malicious PDF file hosted on the slack-files.com domain within a Slack-branded workspace. In cases such as this, threat actors seek to steal employees’ credentials and gain access to sensitive data, or to advance through an organization’s network and spread malware. Additionally, hackers can use image steganography techniques to hide malicious code within an innocent-looking image that deploys a payload once downloaded.

Infiltrating file hosting services

File hosting services allow organizations to upload files to the internet and share them with relevant parties. Popular corporate file hosting services include Microsoft OneDrive, Google Drive, and Dropbox. A recent attack leveraging Google Drive generated push notifications or emails that invited people to collaborate on a Google Doc hosting malicious links. The invitations were sent from Google’s no-reply address and used sophisticated social engineering tactics that lured users into engaging with the malicious content. Additionally, botnets have been discovered abusing Dropbox’s API to fetch attack instructions and upload attack reports from the spreading bots.

Votiro secures all file uploads and downloads while allowing employees to interact with documents completely risk-free

As the coronavirus pandemic continues to surge and the use of file transfer portals increases, enterprises should be aware of the file-borne threats targeting these applications. Votiro’s Positive Selection™ technology empowers organizations to download files from wherever they are and receive incoming files from company web applications completely risk-free. 

Whenever employees download a file, they open your business up to attack. Threats often hide inside innocent-looking files, making them incredibly hard to spot, no matter how much training employees may have. And because today’s detection-based tools aren’t designed to catch every threat, organizations roll the dice with each download. Votiro goes beyond scanning for suspicious elements and blocking malicious files. Positive Selection™ technology singles out only the safe elements of each file, ensuring every file that enters your organization is 100% safe.