Hackers leveraging Teams to drop malware, steal data, Microsoft warns


Microsoft has warned about hackers taking advantage of its collaboration platform, Teams. Attackers use Teams to gather information, trick users into sharing sensitive data, impersonate trusted sources, deliver malware through messages and calls, and even steal credentials, exfiltrate data, and maintain persistence.

Teams has become a high-value target for cybercriminals and state-sponsored attackers, as it can be abused at nearly all points along the attack chain.

The Microsoft Threat Intelligence team has released a report recommending that admins harden the environment with countermeasures and controls across the identity, endpoint, data, app, and network layers.

Swiss army knife for hackers

Teams can be abused for malicious activities in numerous mind-boggling ways.

It all starts with reconnaissance. Hackers can abuse Teams to enumerate less secure users, groups, tenants, and external access.

“There are anonymous participants, guests, and external access users,” Microsoft warns.

Unless Privacy mode is enabled, attackers outside the organization can see a user’s current availability and status, attempt to join external meetings, and chat with people, including those outside the organization. Many open-source tools can help collect and filter this information.

In the resource development phase, attackers might use social engineering to create new tenants, compromise existing ones, or impersonate trusted users.

“It should come as no surprise that if they can build a persona for social engineering, they will take advantage of the same resources as legitimate organizations, including custom domains and branding, especially if it can lend credibility to impersonating internal help desk, admin, or IT support,” Microsoft explains.

Hackers will use convincing pretexts to compromise targets through chat messages or phone calls. The Redmond giant warns that threat actors might even purchase legitimate tenants when they’re confident they will profit from it.

For the actual compromise and initial access, hackers need to deliver information-stealing malware, which leads to credential theft, extortion, and ransomware.

Teams is a useful medium for tech support scams, which remain popular for malware delivery, but hackers are always coming up with new variants. Microsoft noted the rise in email bombing (sending large volumes of emails) to create a sense of urgency.

A threat actor labeled Storm-1811 previously impersonated tech support, claiming to be addressing junk email issues that it had initiated.

Russian hackers from Midnight Blizzard have been imitating security and tech support teams, urging targets to “verify their identities under the pretext of protecting their accounts by entering authentication codes.”

“With threat actors leveraging deepfakes, perceived authority helps make this kind of social engineering even more effective,” Microsoft said.

Some of the previous examples of how threat actors delivered ransomware or other malware via Teams include:

  • Storm-1674, an access broker, has used sophisticated red teaming tools, like TeamsPhisher, to distribute DarkGate and others.
  • A threat actor impersonated a client during a Teams call to persuade a target to install the remote access tool AnyDesk, which was later used to deploy malware.
  • Hackers can direct users on Teams to malicious websites.
  • Widely available admin tools, such as AADInternals, could be leveraged to deliver malicious links and payloads directly into Teams.
  • Malicious ads in search results misdirect users to fake download sites hosting credential-stealing malware, spoofing Teams.

Even when compromises were detected, attackers used Teams for persistence by stealing accounts, adding guest accounts, and abusing features such as Startup-folder shortcuts or Sticky Keys to execute malicious tools.

“Apart from admin accounts, which are an attractive target because they come with elevated privileges, threat actors try to trick everyday Teams users into clicking links or opening files that lead to malicious code execution, just like through email,” the researchers explain.

However, the Teams admin role grants permissions to use the admin tools that belong to that role.

Hacker stealing data from a computer
Image by Cybernews.

Access leads to data theft

Attackers with an initial foothold use maliciously repurposed tools to intercept access tokens and other credentials or bypass multi-factor authentication.

“To refine targeting, threat actors analyze Teams configuration data from API responses, enumerate Teams apps if they obtain unauthorized access, and search for valuable files and directories by leveraging toolkits for contextualizing potential attack paths,” the report reads.

With gathered details on users, roles, groups, applications, and devices, Teams can also be used for lateral movement. Attackers have been observed leveraging external communication settings and using compromised accounts to impersonate companies.

For example, one threat actor with compromised Teams accounts impersonated IT personnel and convinced a user in another organization to accept a chat request and grant access through a remote connection.

“They could try to mine Teams for any information perceived as useful in furtherance of their objectives, including pivoting from a compromised account to data accessible to that user from OneDrive or SharePoint.”

Teams can also be abused for command-and-control. Hackers have been sending commands through Teams messages or embedded data.

Ultimately, Teams messages and shared links can serve as a direct data exfiltration channel to cloud storage. Hackers might even send ransom notes via Teams.
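The persistence via added guest accounts, the chat requests from external tenants, and the exfiltration through shared links described above all leave traces in the Microsoft 365 audit trail, which is where a defender would look for them. The Python below is an added example, not code from Microsoft's report or from this article: it runs three checks over a small set of constructed audit records (guest UPN added to a team, message from a sender outside the tenant's domains, link to a host not on the organization's sharing allow-list). The record field names, the tenant domains, the allow-list of link hosts and the sample records are all assumptions made for the example; real unified-audit-log exports should be mapped onto these fields before use.

```python
"""Defensive triage of Teams-related audit records (added example, assumed schema)."""
import re
from urllib.parse import urlparse

# Verified domains of our own tenant (assumed values for the example).
HOME_DOMAINS = frozenset({"contoso.example", "contoso.onmicrosoft.com"})

# Hosts that users may legitimately share links to; anything else is reviewed.
ALLOWED_LINK_HOSTS = frozenset({"contoso.sharepoint.example", "teams.microsoft.com"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample records in a simplified audit-log layout (field names are an
# assumption modelled on the Microsoft 365 unified audit log, not an official schema).
SAMPLE_RECORDS = [
    {"Id": "r1", "Operation": "MemberAdded", "UserId": "alice@contoso.example",
     "Members": [{"UPN": "bob@contoso.example", "Role": 1}]},
    # Guest (B2B) account added to a team: a persistence pattern named in the report.
    {"Id": "r2", "Operation": "MemberAdded", "UserId": "alice@contoso.example",
     "Members": [{"UPN": "helpdesk_outlook.example#EXT#@contoso.onmicrosoft.com", "Role": 2}]},
    # Chat from another tenant posing as IT support, carrying a "verify" link.
    {"Id": "r3", "Operation": "MessageSent", "UserId": "it-support@fabrikam.example",
     "ChatType": "OneOnOne",
     "MessageText": "Please verify your identity: https://login.fabrikam.example/verify"},
    # Ordinary internal sharing: link host is on the allow-list, nothing to flag.
    {"Id": "r4", "Operation": "MessageSent", "UserId": "carol@contoso.example",
     "ChatType": "Group",
     "MessageText": "Q3 plan is at https://contoso.sharepoint.example/sites/finance/q3.docx"},
    # Internal user sharing a link to external storage: possible exfiltration channel.
    {"Id": "r5", "Operation": "MessageSent", "UserId": "carol@contoso.example",
     "ChatType": "OneOnOne",
     "MessageText": "uploaded the export here https://files.drop.example/x/AbC123"},
]


def upn_domain(upn: str) -> str:
    """Return the lower-cased domain part of a UPN, or '' if it has no '@'."""
    _, sep, domain = upn.rpartition("@")
    return domain.lower() if sep else ""


def is_guest_upn(upn: str, home_domains=HOME_DOMAINS) -> bool:
    """Guest (B2B) accounts carry the '#EXT#' marker in their UPN even when the
    domain after '@' is the tenant's own; a UPN from a domain outside the
    tenant's verified domains is treated as external as well."""
    return "#EXT#" in upn.upper() or upn_domain(upn) not in home_domains


def link_hosts(text: str) -> list:
    """Extract the host of every http(s) URL found in a message body."""
    return [urlparse(url).hostname or "" for url in URL_RE.findall(text)]


def scan(records, home_domains=HOME_DOMAINS, allowed_hosts=ALLOWED_LINK_HOSTS) -> list:
    """Return one finding dict per matched rule, in record order."""
    findings = []
    for rec in records:
        op = rec.get("Operation")
        if op == "MemberAdded":
            for member in rec.get("Members", []):
                upn = member.get("UPN", "")
                if is_guest_upn(upn, home_domains):
                    findings.append({"record": rec["Id"], "rule": "guest_member_added",
                                     "detail": upn, "actor": rec.get("UserId")})
        elif op in ("MessageSent", "ChatCreated"):
            sender = rec.get("UserId", "")
            if is_guest_upn(sender, home_domains):
                findings.append({"record": rec["Id"], "rule": "external_sender",
                                 "detail": sender, "actor": sender})
            for host in link_hosts(rec.get("MessageText", "")):
                if host not in allowed_hosts:
                    findings.append({"record": rec["Id"], "rule": "untrusted_link",
                                     "detail": host, "actor": sender})
    return findings


def summarize(findings) -> dict:
    """Count findings per rule, useful as a first-pass dashboard metric."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_RECORDS)
    for f in results:
        print(f"{f['record']}: {f['rule']:<20} {f['detail']}  (actor: {f['actor']})")
    print(summarize(results))
```

The allow-list approach for links is deliberate: rather than maintaining a deny-list of file-sharing services, a defender enumerates the few hosts users are expected to share from and reviews everything else, which also surfaces the lookalike "verify your identity" links the report attributes to help-desk impersonation.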

“Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics,” Microsoft noted.

Abuse for malicious activities is not unique to Teams. Microsoft provides detailed guidance for Teams protection, emphasizing the importance of strengthened identity protection, endpoint security, and other network defences.
