Amidst the COVID-19 outbreak, an exponential rise in cyber threats has been observed against online video conferencing apps such as Microsoft Teams, Zoom and GoToMeeting. Many company employees and educational institutions are using these services to manage work-from-home arrangements. In very recent research, the cybersecurity research firm CyberArk found a major bug in the Microsoft Teams web servers which puts organizational data at stake.


What is Microsoft Teams? 

Microsoft Teams is a unified communication and collaboration platform that combines persistent workplace chat, video conference meetings, file storage (including collaboration on files), and application integration. Microsoft Teams is also a growing competitor to similar services such as Zoom, Google Meet and GoToMeeting.

It was created in 2017 during an internal hackathon at the company and is currently led by Brian MacDonald, Corporate Vice President at Microsoft.

Key features:

  • It allows organizational members to join through a specific URL or an invitation sent by an administrator or host.
  • It offers an improved UI and a better calling interface, including Voice over Internet Protocol (VoIP). Teams supports public switched telephone network (PSTN) conferencing, allowing users to call phone numbers from the client.
  • Users can host their own meetings, which can be scheduled in advance; users visiting the channel will be able to see that a meeting is currently in progress. Teams also has a plugin for Microsoft Outlook to invite others into a Teams meeting.
  • During this lockdown, educational institutions are encouraging their students to study from home. Teams for Education allows admins and teachers to set up specific teams for classes, professional learning communities (PLCs) and faculty members.

Methodology: 

The main idea behind the attack is that the attacker sends a GIF that only has to be viewed by the recipient in order for a valuable access token to be sent back to a compromised server.

Security firm CyberArk found two potentially vulnerable subdomains:

  1. aadsync-test.teams.microsoft.com 
  2. data-dev.teams.microsoft.com 

Intruders are able to abuse a JSON Web Token (the “authtoken”) together with a second “skype token”. The attack simply involves tricking a victim into viewing a malicious GIF image. The GIF image is tied to a payload that can obtain the JSON Web Token and the Skype token; the combination of these two tokens is used by Microsoft to allow a Teams user to see images shared with them, or by them, across different Microsoft servers and services such as SharePoint and Outlook.

Microsoft neutralized the new threat last Monday by updating the misconfigured DNS records, after researchers reported the vulnerability on March 23.

These tokens are carried as cookies: the “authtoken” and “skypetoken_asm” cookies are sent to teams.microsoft.com or any subdomain under *.teams.microsoft.com to authenticate the GIF sender and receiver.
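The reason a taken-over subdomain receives the tokens at all is browser cookie scoping: a cookie set with a Domain attribute for the parent host is attached to requests to every subdomain beneath it, whereas a host-only cookie (no Domain attribute) goes to exactly one host. The following is an added example, not code from the article or from Microsoft, that implements the RFC 6265 domain-matching rule and shows which cookies from a constructed jar a browser would send to a subdomain. The domain teams.example.com, the subdomain names and the cookie named session_hostonly are placeholders chosen for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # lowercase host the cookie belongs to, no leading dot
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching: `host` equals `domain`, or
    `domain` is a suffix of `host` on a label boundary. The label-boundary
    check is why "notteams.example.com" does not match "teams.example.com"."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(host: str, jar: List[Cookie]) -> List[str]:
    """Names of the cookies a browser would attach to a request to `host`."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies are sent only to the exact host that set them.
            if host.lower().rstrip(".") == c.domain:
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            # Domain cookies are sent to the domain and every subdomain below it.
            sent.append(c.name)
    return sent


# Constructed cookie jar for a placeholder tenant domain (not Microsoft's real cookies).
# The first two mirror the article's description: scoped to the parent domain, so every
# subdomain receives them. The third shows the narrower host-only alternative.
JAR = [
    Cookie("authtoken", "teams.example.com", host_only=False),
    Cookie("skypetoken_asm", "teams.example.com", host_only=False),
    Cookie("session_hostonly", "teams.example.com", host_only=True),
]

if __name__ == "__main__":
    for host in ("teams.example.com",
                 "aadsync-test.teams.example.com",
                 "notteams.example.com"):
        print(f"{host:35s} -> {cookies_sent_to(host, JAR)}")
```

Running the block shows that the two domain-scoped cookies reach the subdomain while the host-only cookie stays with the parent host. From a defensive standpoint, that is the general lesson: a session cookie whose Domain attribute covers a whole wildcard zone is only as safe as the least-controlled name inside that zone, so tokens should be scoped as narrowly as the application allows.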

The weakness lies in the application programming interfaces (APIs) used to facilitate communication between services and servers. With the captured tokens, an attacker can make calls through the Teams API interfaces, which allows them to send messages, read messages, create groups, add new users to or remove users from groups, modify administrative permissions in groups, etc.

Although the intruder cannot gain the highest system privilege, they could still use the account to traverse the organization (just like a worm). Eventually, the attacker could access all the data in your organization's Teams accounts, gathering confidential information, competitive data, files, credentials, business plans, etc.

Intruders can manipulate or trick the user into visiting the subdomains that have been taken over; the victim's browser will send the cookie to the attacker's server in the web request, and the attacker, after receiving the authtoken, can create a Skype token.

Combined, all of this results in the attacker gaining access to Microsoft Teams user account data.


Any prevention? 

The above-mentioned exploit is purely a server-side bug; the web server operator (Microsoft) itself had to fix it. According to the recent report, the researchers worked with the Microsoft Security Research Centre; after evaluating the exploited subdomains, Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which mitigated the problem.
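Deleting the misconfigured records is the fix on Microsoft's side; the corresponding check any organization can run on its own zones is an audit for CNAME records whose target no longer resolves, since a name that points at nothing is the misconfiguration the article describes. The following is an added example, not code from the article, CyberArk or Microsoft. It parses a constructed BIND-style zone fragment for the placeholder domain teams.example.com (the subdomain labels echo the article's two names, but the targets and addresses are invented) and flags the dangling entries. `table_resolve` is a constructed stand-in for DNS so the example runs offline; `live_resolve` is the real lookup you would substitute when auditing your own zone.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone fragment for a placeholder domain; not Microsoft's real records.
ZONE_TEXT = """\
$ORIGIN teams.example.com.
$TTL 300
aadsync-test   IN  CNAME  old-sync.cloud-provider.example.   ; target was decommissioned
data-dev       IN  CNAME  datadev.cloud-provider.example.
www        300 IN  CNAME  edge.teams.example.com.
"""


def parse_cnames(zone_text: str) -> Dict[str, str]:
    """Map each CNAME owner name (fully qualified) to its target."""
    origin = ""
    records: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):
            continue                            # other directives such as $TTL
        # Owner, optional TTL, class, type, target: type is always second-to-last.
        if len(fields) >= 4 and fields[-2].upper() == "CNAME":
            owner = fields[0]
            fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
            records[fqdn] = fields[-1]
    return records


# Constructed stand-in for DNS: only these targets "exist" in the example.
KNOWN_HOSTS = {
    "datadev.cloud-provider.example.": "203.0.113.10",
    "edge.teams.example.com.": "203.0.113.20",
}


def table_resolve(name: str) -> Optional[str]:
    """Offline resolver over the constructed table; None means NXDOMAIN."""
    return KNOWN_HOSTS.get(name)


def live_resolve(name: str) -> Optional[str]:
    """Real lookup for auditing your own zone; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None


def find_dangling_cnames(records: Dict[str, str],
                         resolve: Callable[[str], Optional[str]]) -> List[Tuple[str, str]]:
    """CNAMEs whose target does not resolve: records to remove or re-point,
    because any cookie scoped to the parent domain is still sent to that name."""
    return [(owner, target) for owner, target in records.items()
            if resolve(target) is None]


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(parse_cnames(ZONE_TEXT), table_resolve):
        print(f"DANGLING {owner} -> {target}")
```

Against the constructed zone only aadsync-test is reported, because its target is absent from the table while the other two targets resolve. Run periodically with `live_resolve` over an exported zone file, this kind of audit surfaces stale records before they become a problem; pairing it with narrowly scoped session cookies addresses both halves of the weakness the article describes.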

The two compromised subdomains have been patched by Microsoft and a new app update has been released. All organizational members are advised to update their application to the latest version available in the app stores.