Using Microsoft Teams GIFs really is an awful idea
A GIF can be used to launch malicious code in Microsoft Teams, research claims
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
MicrosoftTeams users are currently able to share GIF files to more accurately describe their emotions to their colleagues - however experts have warned that cybercriminals can also use them to execute malicious commands and steal sensitive data without being spotted byantivirustools.
Cybersecurity consultant and pentester Bobby Rauch discovered a couple of vulnerabilities in thevideo conferencingplatform that, when chained together, can result in data exfiltration and malicious code execution.
It’s quite the endeavor, too, as the attacker needs to do a number of things, including getting the victim to first download and install a malicious stager capable of executing commands and uploading command output via GIF urls to Microsoft Teams web hooks. The stager will scanMicrosoft Teamslogs where, allegedly, all received messages are saved and readable by all Windows user groups, regardless of their privilege levels.
Using the stager
After setting up the stager, the attacker would need to create a new Teams tenant, and reach out to other Teams members outside the organization. This, the researcher says, isn’t that challenging, given that Microsoft allows external communication by default. Then, by using the researcher’s Python script called GIFShell, the attacker can send out a malicious .GIF file capable of executing commands on the target endpoint.
Both the message, and the .GIF file, will end up in the logs folder, under the watchful eye of the stager. This tool will then extract the commands from the .GIF and run them on the device. The GIFShell PoC can then use the output and convert it to base64 text, and use that as a filename for a remote .GIF, embedded in a Microsoft Teams Survey Card. The stager then submits that card to the attacker’s public Microsoft Teams web hook. Then, Microsoft’s servers will connect back to the attacker’s server URL to retrieve the .GIF. GIFShell will then receive the request and decode the filename, giving the threat actor clear visibility of the output of the command run on the targetendpoint.
Microsoft Teams is getting an under-the-hood upgrade to boost performance>Microsoft Teams is getting a basic but mighty new security feature>These are the best firewalls right now
The researcher also added that there’s nothing stopping the attackers from sending out as many GIFs as they like, each with different malicious commands. What’s more, given that the traffic seemingly comes from Microsoft’s own servers, it will be deemed legitimate by cybersecurity tools, and not flagged.
When notified of the findings, Microsoft said it wouldn’t address them, as they’re not necessarily bypassing security boundaries.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“For this case, 72412, while this is great research and the engineering team will endeavor to improve these areas over time, these all are post exploitation and rely on a target already being compromised,” Microsoft apparently told Rauch.
“No security boundary appears to be bypassed. The product team will review the issue for potential future design changes, but this would not be tracked by the security team.”
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
7 myths about email security everyone should stop believing
Best Usenet client of 2024
Your doctor may have an AI assistant taking notes during your next Zoom call
