- Experts say Microsoft Teams and Zoom are perfect for hiding Ghost Calls
- Attackers can obtain temporary TURN credentials and create a tunnel
- Vendors must implement safeguards, because there are no vulnerabilities in sight
Researchers from Praetorian have shed the light on Ghost Calls, a post-exploitation command-and-control evasion technique which send attacker traffic through legitimate Traversal Using Relays around NAT (TURN) servers used by the likes of Zoom and Microsoft Teams, to evade detection.
The attack works by hijacking the temporary TURN credentials that conferencing calls receive when they join a meeting, and then establishing a tunnel between the compromised host and the attacker’s machine.
Because all the traffic is routed through trusted Zoom/Teams IPs and domains, which are typically whitelisted inside enterprises, these types of hijacking attacks can fly under the radar.
Teams and Zoom susceptible to attacks
Praetorian explained that because the attack leverages infrastructure already allowed through corporate firewall,s proxies and TLS inspection, Ghost Calls can easily evade traditional defenses.
Blending traffic with normal, low-latency video meeting traffic patterns also helps the cybercriminals, who can eliminate the exposure of attacker-controlled domains and servers
Praetorian explains in the first of its two blog posts that video conferencing platforms “are designed to function even in environments with relatively strict egress controls,” so if an attacker can crack into these systems, they could have a higher chance of data exfiltration.
“Additionally, this traffic is often end-to-end encrypted using AES or other strong encryption. This means the traffic is naturally heavily obfuscated and impossible to analyze in depth which makes it a perfect place to hide as an attacker,” the researchers added.
TURN credentials typically expire after two to three days, so tunnels are short-lived, but alarmingly, Praetorian explains that there isn’t necessarily a vulnerability for vendors to patch, adding that they must instead focus on introducing further safeguards to prevent against Ghost Call attacks.
