Using Microsoft Teams GIFs really is an awful idea
Date:
Mon, 12 Sep 2022 16:01:14 +0000
Description:
Experts claim a GIF can launch malicious code, but Microsoft disagrees.
FULL STORY ======================================================================
Microsoft Teams users are currently able to share GIF files to more accurately convey their emotions to their colleagues. However, experts have warned that cybercriminals can also use them to execute malicious commands and steal sensitive data without being spotted by antivirus tools.
Cybersecurity consultant and pentester Bobby Rauch discovered a couple of vulnerabilities in the video conferencing platform that, when chained together, can result in data exfiltration and malicious code execution.
It's quite the endeavor, too, as the attacker needs to do a number of things, including getting the victim to first download and install a malicious stager capable of executing commands and uploading command output via GIF URLs to Microsoft Teams webhooks. The stager will scan Microsoft Teams logs where, allegedly, all received messages are saved and readable by all Windows user groups, regardless of their privilege levels.

Using the stager
After setting up the stager, the attacker would need to create a new Teams tenant and reach out to other Teams members outside the organization. This, the researcher says, isn't that challenging, given that Microsoft allows external communication by default. Then, by using the researcher's Python script called GIFShell, the attacker can send out a malicious .GIF file containing commands to be executed on the target endpoint.
Both the message and the .GIF file will end up in the logs folder, under the watchful eye of the stager. This tool will then extract the commands from the .GIF and run them on the device. The GIFShell PoC can then take the output, convert it to base64 text, and use that as the filename for a remote .GIF embedded in a Microsoft Teams Survey Card. The stager then submits that card to the attacker's public Microsoft Teams webhook. Microsoft's servers will then connect back to the attacker's server URL to retrieve the .GIF. GIFShell receives the request and decodes the filename, giving the threat actor clear visibility of the output of the command run on the target endpoint.
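One way a defender could spot the exfiltration pattern described above (command output carried as a base64 filename on a remote .GIF inside a card) is to inspect card payloads or proxy logs for .gif URLs whose filename decodes to readable text. The following Python heuristic is an added example, not code from the article or from GIFShell; the simplified card shape, the thresholds and the host attacker.example are assumptions, and the sample output is constructed.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlparse
# Thresholds are assumptions for this example, not values from the article.
MIN_NAME_LEN = 16            # short names such as logo.gif are never treated as encoded output
MIN_PRINTABLE_RATIO = 0.9    # decoded bytes must be almost entirely printable text
B64_CHARS = re.compile(r"^[A-Za-z0-9+/_-]+=*$")
PRINTABLE = set(range(0x20, 0x7F)) | {9, 10, 13}  # printable ASCII plus tab/newline/CR

def decode_b64_filename(name: str) -> Optional[bytes]:
    """Decode a standard or URL-safe base64 filename stem; None if it is not base64."""
    if len(name) < MIN_NAME_LEN or not B64_CHARS.match(name):
        return None
    normalized = name.replace("-", "+").replace("_", "/").rstrip("=")
    padded = normalized + "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_text(data: bytes) -> bool:
    """True when the decoded bytes are mostly printable, as command output would be."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= MIN_PRINTABLE_RATIO

def suspicious_gif_urls(card) -> list:
    """Walk any JSON-like card; return (url, decoded_text) for .gif URLs whose stem is base64 text."""
    hits = []
    def walk(node):
        if isinstance(node, dict):
            for value in node.values(): walk(value)
        elif isinstance(node, list):
            for value in node: walk(value)
        elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
            stem, _, ext = urlparse(node).path.rsplit("/", 1)[-1].rpartition(".")
            if ext.lower() == "gif":
                decoded = decode_b64_filename(stem)
                if decoded is not None and looks_like_text(decoded):
                    hits.append((node, decoded.decode("ascii", "replace")))
    walk(card)
    return hits

# Constructed samples: a simplified card shape (not the real Survey Card schema), a made-up
# stand-in for captured command output, and attacker.example as a placeholder host.
SAMPLE_OUTPUT = b"DESKTOP-01\\alice"
ENCODED_NAME = base64.urlsafe_b64encode(SAMPLE_OUTPUT).decode()
SUSPICIOUS_CARD = {"body": [{"type": "Image", "url": "https://attacker.example/" + ENCODED_NAME + ".gif"}]}
BENIGN_CARD = {"body": [{"type": "Image", "url": "https://cdn.example/images/team-logo.gif"}]}
```

The check accepts both the standard and the URL-safe base64 alphabets, so it does not depend on which encoding a given tool uses for the filename.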
The researcher also added that there's nothing stopping the attackers from sending out as many GIFs as they like, each with different malicious commands. What's more, given that the traffic seemingly comes from Microsoft's own servers, it will be deemed legitimate by cybersecurity tools and not flagged.
When notified of the findings, Microsoft said it wouldn't address them, as they're not necessarily bypassing security boundaries.
"For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post-exploitation and rely on a target already being compromised," Microsoft apparently told Rauch.
"No security boundary appears to be bypassed. The product team will review
the issue for potential future design changes, but this would not be tracked by the security team."
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/using-microsoft-teams-gifs-really-is-an-awful-idea/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)