GIFShell – New Attack Method That Allows Attackers to Steal Data Using Microsoft Teams GIFs

by Esmeralda McKenzie

Bobby Rauch, a cybersecurity consultant and penetration tester, recently discovered that threat actors are abusing Microsoft Teams by carrying out phishing attacks with a new attack technique known as GIFShell, which uses GIFs to deliver covert commands for the purpose of stealing data.

Using this new technique, attackers can build complex attacks that exploit a range of weaknesses in Microsoft Teams. The threat actors are able to abuse legitimate Microsoft infrastructure to:

  • Deliver malicious files
  • Execute illicit commands
  • Exfiltrate data through GIFs

The data is exfiltrated through servers that are operated by Microsoft itself, the main purpose being that security tooling is less likely to detect this traffic.

GIFShell

For security reasons, external users are by default not allowed to share any files with users in another tenant. The purpose of this restriction is to prevent external users from sending malicious attachments through Microsoft Teams to a user in another organization.

As a result, no paperclip option is available to add an attachment when a user in one organization tries to send a file to a user who is in another organization.


The attack relies primarily on a component called GIFShell, which is its key feature. With it, an attacker can create a reverse shell that delivers malicious commands inside Teams through base64-encoded GIFs.

For GIFShell to work, the user must first be tricked into loading a malicious executable known as the “stager” onto their system. This executable continuously scans the Microsoft Teams logs located at the following path:

$HOME\AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log

Once the stager is installed, a threat actor creates a Microsoft Teams tenant in order to launch the attack. They then contact users outside their organization who are using Microsoft Teams.

Microsoft Teams allows external communication by default, so attackers can easily take advantage of that feature to gain access to your team.

When the stager detects a message containing a GIF, it extracts the base64-encoded commands from it and executes them on the device. The output of the executed command is then converted to base64 text by the GIFShell PoC.

A consequence of this attack is that the output of GIFShell is mixed in with legitimate Microsoft Teams network traffic, which allows it to exfiltrate data covertly.

In response to the research, Microsoft acknowledged the findings but stated that no security boundaries had been bypassed, so the issue would not be fixed.

Requirements to replicate the attack

Below we have listed all the prerequisites needed to replicate the attack:

  • On the attacker’s system, the GIFShell Python script must be running.
  • On the victim’s system, the GIFShell PowerShell stager must be executed.
  • Two Microsoft Azure organizations or tenants are required.
  • At least two users must be present in the attacker’s organization or tenant, and at least one user must be present in the victim’s organization. These are used to test the work version of Microsoft Teams.
  • Two Microsoft Teams users for personal use are required. Here, the Microsoft Teams Home version is used for testing purposes only.
  • A webhook on a Teams channel that can be accessed by anyone.
  • Any GIF of your choosing.
  • A public IP address that can operate as a listener for incoming requests from the internet.

Mitigations

Below we have listed all the recommended mitigations:

  • Users should be trained on the importance of not clicking on attachments from unknown sources.
  • Microsoft Defender for Office 365 offers a Safe Attachments policy that can help prevent drive-by download attacks on Office 365.
  • NTLM should be disabled entirely, or SMB signing should be enabled.
  • To protect against NTLM attacks, make sure you have a complex password policy in place.
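As an added example that is not part of the original article or of the GIFShell research, the following read-only PowerShell audit checks the NTLM and SMB-signing settings the list above recommends. The registry keys are the standard Windows Local Security Policy locations, and the target values (NTLMv2 only, outgoing NTLM denied, SMB signing required on both client and server) are the assumed hardened state.

```powershell
# Added example, not from the original article or the GIFShell research:
# a read-only audit of the NTLM and SMB-signing settings the mitigation list
# recommends. Run in an elevated PowerShell session on the Windows host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value is absent, meaning the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-NtlmSmbHardening {
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $client = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # Setting, current value, the value that counts as hardened, and how to get there.
    $checks = @(
        @{ Setting = 'LmCompatibilityLevel (Lsa)'
           Value   = Get-RegValue $lsa 'LmCompatibilityLevel'
           Want    = 5        # send NTLMv2 only, refuse LM and NTLM
           Fix     = 'Set LmCompatibilityLevel to 5 (NTLMv2 only, refuse LM & NTLM)' },
        @{ Setting = 'RestrictSendingNTLMTraffic (MSV1_0)'
           Value   = Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'
           Want    = 2        # deny all outgoing NTLM authentication
           Fix     = 'Set to 2 (Deny all) after audit mode (1) shows no legitimate NTLM use' },
        @{ Setting = 'SMB server RequireSecuritySignature'
           Value   = Get-RegValue $server 'RequireSecuritySignature'
           Want    = 1        # signing mandatory on inbound SMB sessions
           Fix     = 'Set-SmbServerConfiguration -RequireSecuritySignature $true' },
        @{ Setting = 'SMB client RequireSecuritySignature'
           Value   = Get-RegValue $client 'RequireSecuritySignature'
           Want    = 1        # signing mandatory on outbound SMB sessions
           Fix     = 'Set-SmbClientConfiguration -RequireSecuritySignature $true' }
    )

    foreach ($c in $checks) {
        $hardened = ($null -ne $c.Value) -and ([int]$c.Value -eq $c.Want)
        [pscustomobject]@{
            Setting     = $c.Setting
            Value       = $(if ($null -eq $c.Value) { '(not set: OS default)' } else { $c.Value })
            Status      = $(if ($hardened) { 'OK' } else { 'WEAK' })
            Recommended = $(if ($hardened) { '' } else { $c.Fix })
        }
    }
}

# Emits one row per setting; any WEAK row is a gap against the mitigations above.
Test-NtlmSmbHardening | Format-Table -AutoSize -Wrap
```

Roll out the NTLM restriction in audit mode first and review the resulting event log entries before moving to Deny all, since legacy services that still depend on NTLM will break once it is refused.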

Source credit : cybersecuritynews.com
