Beware of the following… a malicious GIF sent to victims could let malware scrape data in Microsoft Teams & then spread to other groups.
It has now been discovered that a critical security vulnerability in the ‘Microsoft Teams’ desktop & browser versions could lead to widespread data theft, compromised credentials, ransomware attacks & even corporate espionage.
CyberArk have stated that by using a sub-domain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to ‘scrape’ users’ data & go on to take over an organisation’s entire portfolio of Teams accounts.
Users would not even have to share the GIF – simply viewing it would be enough to be affected, as the attack has the ability to spread automatically.
The vulnerability would have affected every user who uses the Teams desktop or web browser version.
The flaw relates to the way Teams passes the authentication access token to image resources. When Teams is opened, the client creates a new temporary access token. This token, in the form of a JWT, is issued by Microsoft’s authorisation & authentication server, “login.microsoftonline.com”.
The Teams client uses one of the created tokens to allow a user to see images shared with or by them, because those images are stored on Microsoft’s servers, which apply the authorisation control. Called a “skype token,” it can also be seen as a cookie named “skypetoken_asm.” Microsoft then validates both the authtoken and this second token, the Skype token, via *.teams.microsoft.com.
There appear to be 2 vulnerable Microsoft subdomains – “aadsync-test.teams.microsoft.com” & “data-dev.teams.microsoft.com”.
If an attacker can force a user to visit one of the taken-over sub-domains, the victim’s browser will send this cookie to the attacker’s server, & the attacker (after obtaining the authtoken) can create a Skype token. This in turn allows the attacker to steal the user’s Teams data.
In the proof of concept, the target needs only to view the GIF for the attack to happen.
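Cookie scoping is what makes the sub-domain takeover matter here: a cookie set for a parent domain is returned to every host beneath it, so a dangling sub-domain record receives it too. As an added example (not the article’s or CyberArk’s code; the Set-Cookie attributes are assumed and only the hostnames come from the article), the following applies RFC 6265 domain matching to a constructed DNS inventory to list which hosts would receive the cookie, and shows that a host-only cookie reaches none of them:

```python
# Added example: RFC 6265 cookie scoping against a DNS inventory.
# The Set-Cookie attributes are assumptions; the hostnames are the ones the article names.

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the cookie domain, or is a sub-domain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent_to(host: str, cookie_domain: str, host_only: bool) -> bool:
    """A host-only cookie (no Domain attribute) goes back only to the exact issuing host."""
    if host_only:
        return host.lower().rstrip(".") == cookie_domain.lower().strip(".")
    return domain_matches(host, cookie_domain)

def parse_set_cookie(header: str, issuing_host: str) -> dict:
    """Extract name, effective domain and host-only flag from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain")  # absent Domain attribute => host-only cookie
    return {
        "name": name.strip(),
        "domain": (domain or issuing_host).lower().strip("."),
        "host_only": domain is None,
    }

def exposed_hosts(cookie: dict, dns_inventory: list) -> list:
    """Inventory hosts (other than the cookie's own domain) that would receive the cookie."""
    return sorted(h for h in dns_inventory
                  if h != cookie["domain"]
                  and cookie_sent_to(h, cookie["domain"], cookie["host_only"]))

# Constructed DNS inventory; the hostnames are taken from the article.
DNS_INVENTORY = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",
    "data-dev.teams.microsoft.com",
    "login.microsoftonline.com",
]
# Constructed headers: parent-domain scope (assumed) versus a host-only scope.
WIDE_SCOPE = "authtoken=PLACEHOLDER_JWT; Domain=teams.microsoft.com; Secure; HttpOnly"
HOST_ONLY = "authtoken=PLACEHOLDER_JWT; Secure; HttpOnly"
```

Every host this audit lists is one whose DNS record must not be allowed to dangle while the cookie keeps that scope, which is why removing the misconfigured records closed the issue.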
“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts.
The vulnerability can also be sent to groups (Teams), which then makes it even easier for a hostile attacker to get control over users faster & with fewer steps,” it was commented.
Researchers worked with the Microsoft Security Research Center under ‘Coordinated Vulnerability Disclosure’ rules after discovering this vulnerability. Microsoft quickly deleted the misconfigured DNS records of the 2 sub-domains that were exposed to take-over.
Matt Aldridge, a Principal Solutions Architect at Webroot, has advised that remote working policies should be reviewed, & then cross-checked for any security or privacy compliance risks as the user numbers increase.
“Monitoring and detection will need to be improved accordingly. There will be pressure on IT teams to get more users, better, faster & more secure access into their systems remotely, but this should not come at the expense of security and cyber resilience as a whole,” he recommended.
Jake Moore, Cyber-Security Specialist at ESET, explained that it is interesting that the vulnerability is in the more ‘colloquial’ part of this platform.
“Fighting off strong competition, Teams has been able to hold its head high amongst the fierce battle of whose video conferencing app is the best. Teams has long prided itself on security but has possibly let a vulnerability slip through the net in the form of a GIF. Unless this is patched quickly, I would suggest businesses stick to the more formal procedure on Teams with no added GIF functionality for now,” he further cautioned.
The ingenuity of the latest generation of hackers, thieves & bad players being spawned in this pandemic environment is such that even more care needs to be taken by users & security professionals alike.