Microsoft has disclosed a wormable vulnerability in its video chat and office collaboration platform, Microsoft Teams, that could have allowed attackers to take over an organization's entire roster of Teams accounts simply by sending a malicious link to an innocent-looking image. The vulnerability, which affected both the desktop and web versions of the application, was discovered by cybersecurity researchers at CyberArk. Following responsible disclosure of the findings on March 23, Microsoft fixed the vulnerability in an update released on April 20.
“Even if an attacker does not collect a lot of information from a Teams account, he can still use this account to view the entire organization (for example, a worm),” said Omer Tsarfati of CyberArk.
“Ultimately, an attacker can gain access to all the data in the Teams accounts of your organization – by collecting confidential information, meeting and calendar information, competitive data, secrets, passwords, personal information, business plans, etc.”
The disclosure comes as video conferencing software such as Zoom and Microsoft Teams sees unprecedented growth in demand, with companies, students, and even government officials around the world forced to work and communicate from home during the coronavirus pandemic.
Subdomain Takeover Vulnerability
The problem lies in how Microsoft Teams handles authentication to image resources. Each time the application is opened, an access token, a JSON Web Token (JWT), is created during the process, allowing the user to view images shared by participants in a conversation.
CyberArk researchers found that they were able to obtain a cookie (called “authtoken”) that grants access to the resource server (api.spaces.skype.com) and use it to create the access token described above, the “Skype token”, which grants unrestricted permissions to send messages, read messages, create groups, add new users to or remove users from groups, and change permissions in groups through the Teams API. And that is not all.
Since the authtoken cookie is configured to be sent to teams.microsoft.com or any of its subdomains, the researchers looked for subdomains and found two (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) that were vulnerable to takeover.
“If an attacker can force a user to visit subdomains that were captured, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving an authorized token) can create a Skype token,” the researchers said. “After that, the attacker can steal the victim’s Teams account information.”
Armed with the compromised subdomains, an attacker could exploit the vulnerability simply by sending a malicious link, such as a GIF, to an unsuspecting victim or to all participants in a group chat. When the recipients open the message, the browser tries to load the image, but not before sending the authentication cookie to the compromised subdomain.
The attacker can then use this authorization cookie to create a Skype token and thereby gain access to all of the victim’s data. Worse, the attack can be launched by any outsider as long as the interaction involves a chat interface, such as a conference call invitation for a prospective interview.
“The victim will never know that he was attacked, which makes the use of this vulnerability secretive and dangerous,” the researchers mentioned.
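The reason a cookie issued by teams.microsoft.com ended up at a taken-over subdomain is ordinary cookie domain matching. The following added example (not code from CyberArk or Microsoft) models RFC 6265 domain matching for the hosts named in the article and contrasts a domain-scoped cookie with a host-only one; both Set-Cookie headers and the JWT placeholder are constructed, and the article does not state how Microsoft's fix worked.

```python
"""Cookie scoping behind the Teams GIF issue (added example, not code from CyberArk
or Microsoft). Models RFC 6265 domain matching (sections 5.1.3 and 5.3) for the hosts
named in the article. Both Set-Cookie headers and the JWT placeholder are constructed."""

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return {"name": name, "value": value, "attrs": attrs}

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: the host is the cookie domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def cookie_sent_to(host: str, set_cookie: str, set_by: str) -> bool:
    """Would a browser attach a cookie set by `set_by` to a request for `host`?
    A Domain attribute sends the cookie to every subdomain of that domain, which is
    why a taken-over subdomain received it; without it the cookie is host-only."""
    domain = parse_set_cookie(set_cookie)["attrs"].get("domain")
    if domain is None:
        return host.lower() == set_by.lower()
    return domain_matches(host, domain)

# Constructed headers; the real attribute values are not in the article.
DOMAIN_SCOPED = "authtoken=JWT_PLACEHOLDER; Domain=teams.microsoft.com; Path=/; Secure; HttpOnly"
HOST_ONLY = "authtoken=JWT_PLACEHOLDER; Path=/; Secure; HttpOnly"
ISSUER = "teams.microsoft.com"

# Hosts from the article plus the parent domain as a negative case.
CANDIDATES = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",  # subdomain found vulnerable to takeover
    "data-dev.teams.microsoft.com",      # subdomain found vulnerable to takeover
    "microsoft.com",                     # parent domain: never matches
]

def exposure(set_cookie: str) -> list:
    """Return the candidate hosts whose image requests would carry the cookie."""
    return [h for h in CANDIDATES if cookie_sent_to(h, set_cookie, ISSUER)]

if __name__ == "__main__":
    print("Domain-scoped cookie reaches:", exposure(DOMAIN_SCOPED))
    print("Host-only cookie reaches:    ", exposure(HOST_ONLY))
```

The same check is a useful audit step for any session cookie: every subdomain that matches its Domain attribute, including dangling or forgotten ones, is a place the cookie can leak.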
Videoconferencing attacks on the rise
The transition to remote work amid the ongoing COVID-19 pandemic and the increased demand for video conferencing services have made these services a lucrative lure for attackers seeking to steal credentials and distribute malware.
Recent research by Proofpoint and Abnormal Security has identified social engineering campaigns that ask users to join a Zoom meeting or fix a Cisco WebEx security vulnerability by clicking on malicious links designed to steal login credentials.
In the face of these growing threats, users are advised to be wary of phishing attacks and to keep video conferencing software up to date.