Microsoft Teams and Zoom can be hijacked to give hackers the keys to your kingdom

News
By published

Microsoft Teams and Zoom can hide malicious traffic

Microsoft Teams on an iPhone
(Image credit: Shutterstock - Natee Meepian)
  • Experts say Microsoft Teams and Zoom are perfect for hiding Ghost Calls
  • Attackers can obtain temporary TURN credentials and create a tunnel
  • Vendors must implement safeguards, because there are no vulnerabilities in sight

Researchers from Praetorian have shed the light on Ghost Calls, a post-exploitation command-and-control evasion technique which send attacker traffic through legitimate Traversal Using Relays around NAT (TURN) servers used by the likes of Zoom and Microsoft Teams, to evade detection.

The attack works by hijacking the temporary TURN credentials that conferencing calls receive when they join a meeting, and then establishing a tunnel between the compromised host and the attacker's machine.

Because all the traffic is routed through trusted Zoom/Teams IPs and domains, which are typically whitelisted inside enterprises, these types of hijacking attacks can fly under the radar.

Teams and Zoom susceptible to attacks

Praetorian explained that because the attack leverages infrastructure already allowed through corporate firewall,s proxies and TLS inspection, Ghost Calls can easily evade traditional defenses.

Blending traffic with normal, low-latency video meeting traffic patterns also helps the cybercriminals, who can eliminate the exposure of attacker-controlled domains and servers

Praetorian explains in the first of its two blog posts that video conferencing platforms "are designed to function even in environments with relatively strict egress controls," so if an attacker can crack into these systems, they could have a higher chance of data exfiltration.

"Additionally, this traffic is often end-to-end encrypted using AES or other strong encryption. This means the traffic is naturally heavily obfuscated and impossible to analyze in depth which makes it a perfect place to hide as an attacker," the researchers added.

TURN credentials typically expire after two to three days, so tunnels are short-lived, but alarmingly, Praetorian explains that there isn't necessarily a vulnerability for vendors to patch, adding that they must instead focus on introducing further safeguards to prevent against Ghost Call attacks.

You might also like

TOPICS
Craig Hale
Craig Hale

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.