COVID-19 has spurred the use of videoconferencing for businesses worldwide – and this expanded threat surface has lured attackers like moths to a flame. Adding insult to injury, researchers have recently discovered a workaround for a previous patch issued for Microsoft Teams, that would allow a malicious actor to use the service’s updater function to download any binary or malicious payload.
Essentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous.
“Due to the noisy nature of the [updater] traffic, there is a possibility that malicious traffic hiding there will evade the analyst’s view or even be added to a list of allowed, and therefore unmonitored, list of applications,” explained Reegun Jayapaul, researcher at Trustwave SpiderLabs, in an analysis released on Wednesday.
While Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.
“The updater allows local connections via a share or local folder for product updates,” Jayapaul said. “Initially, when I observed this finding, I figured it could still be used as a technique for lateral movement, however, I found the limitations added could be easily bypassed by pointing to an…SMB share.”
Server Message Block (SMB) protocol is a network file sharing protocol. To exploit this, an attacker would need to drop a malicious file into an open shared folder – something that typically involves already having network access. However, to reduce this gating factor, an attacker can create a remote rather than local share.
“This would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step,” Jayapaul said.
Trustwave has published a proof-of-concept attack that uses Microsoft Teams Updater to download a payload – using known, common software called Samba to carry out remote downloading.
First, the researcher configured a Samba server for remote, public access. Then, a payload that supports the updater framework must be crafted and uploaded to a remote Samba server that has been authenticated from the Windows “Run” function.
“After a successful setup, I initiated the command execution, downloaded remote payload and executed directly from Microsoft Teams Updater, ‘Update.exe,'” the researcher explained.
“Since the installation is in the local user Appdata folder, no privileged access is needed,” he added. “Attackers can use this to masquerade the traffic (especially for lateral movement).”
Microsoft won’t be fixing the problem because “we determined that this behavior is considered to be by design as we cannot restrict SMB source for –update because we have customers that apparently rely on this (e.g. folder redirection),” the company told Trustwave.
To avoid or mitigate an attack, users can implement solutions that look for suspicious connections both inbound and outbound; and IT can install Microsoft Teams under the “Program Files” folder, so an attacker cannot drop and execute the remote payload, according to the researcher. “This can be carried out by Group policy,” Jayapaul said.
Companies can also disable any kind of update mechanisms and set a policy that updates should be pushed only by the IT team, he added.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2 p.m. ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.
