New Security Risk can Exfiltrate Data using GIFs
An organization’s IT team spends countless hours working to protect against vulnerabilities. What they sometimes don’t realize, however, is that SaaS app configurations that have not been hardened create a risk of their own. A perfect example of this is the newly published GIFShell attack, which targets Microsoft Teams: threat actors take advantage of legitimate features of the app and of configurations that haven’t been properly set.
Discovered by Bobby Rauch, the GIFShell attack lets threat actors abuse features in Microsoft Teams to act as a C&C channel for malware and to exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires a device or user that is already compromised.
The main component of this attack lets an attacker create a reverse shell that delivers malicious commands via base64-encoded GIFs in Teams and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.
So How Does it Work?
To create this reverse shell, the attacker must first compromise a computer to plant the malware. The threat actor must convince a user to install the malicious stager, which executes commands and uploads the command output via a GIF URL to a Microsoft Teams webhook.
Once the stager is in place, the bad actor creates their own Microsoft Teams account and contacts other Teams users outside of the organization.
The attacker then uses a GIFShell Python script to send a message to a Microsoft Teams user that contains a specially crafted GIF. This legitimate GIF image has been modified to include commands to execute on the target’s machine.
When the victim receives the message, the message and the GIF are stored in Microsoft Teams’ logs. Because Teams runs in the background, the GIF doesn’t even need to be opened for the commands to execute.
The stager monitors the Teams log and when it finds the GIF, it extracts and runs the commands.
Microsoft’s servers will connect back to the attacker’s server URL to retrieve the GIF, which is named using the base64 encoded output of the executed command.
The GIFShell server running on the attacker’s infrastructure receives this request and automatically decodes the data. This allows the attacker to see the output of the command they ran on the victim’s device.
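The exfiltration step above names the GIF after the base64-encoded command output, so a GIF URL whose filename decodes to readable text is a strong signal for defenders. The detector below is an added example, not part of the original story or of Rauch’s tooling; it assumes you can harvest GIF URLs from somewhere in your telemetry (Teams webhook payloads or message bodies captured by DLP or SSPM tooling, for instance) and runs against constructed sample URLs.

```python
from __future__ import annotations
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

MIN_STEM_LEN = 16  # shorter stems (under 12 decoded bytes) are too ambiguous to flag
_B64_STEM = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # standard or URL-safe base64 alphabet

def decode_printable_b64(stem: str) -> str | None:
    """Decode standard or URL-safe base64 and return the text only if it is
    valid UTF-8 and at least 95% printable; otherwise return None."""
    normalized = stem.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)  # restore padding stripped from the URL
    try:
        text = base64.b64decode(normalized, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text:
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable / len(text) >= 0.95 else None

def flag_gif_url(url: str) -> dict | None:
    """Return a finding when a .gif filename is a base64 blob that decodes to
    readable text, the shape GIFShell gives the GIF names that carry output."""
    segment = unquote(urlparse(url).path.rsplit("/", 1)[-1])
    if not segment.lower().endswith(".gif"):
        return None
    stem = segment[:-4]
    if len(stem) < MIN_STEM_LEN or not _B64_STEM.match(stem):
        return None
    decoded = decode_printable_b64(stem)
    return {"url": url, "decoded": decoded} if decoded is not None else None

# Constructed sample URLs (no real infrastructure): two ordinary GIF links and
# one named with the padding-stripped base64 of "whoami\ncorp\\jdoe\n".
SAMPLE_URLS = [
    "https://media.example.com/cats/funny-cat.gif",
    "https://cdn.example.com/img/product-hero-banner-2022.gif",
    "https://attacker.example/d2hvYW1pCmNvcnBcamRvZQo.gif",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        finding = flag_gif_url(url)
        if finding:
            print(finding["url"], "->", repr(finding["decoded"]))
```

Ordinary GIF names either fall below the length threshold, contain characters outside the base64 alphabet, or decode to bytes that are not valid text, so only the encoded-output name is reported.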
Microsoft recognizes that this type of attack is a problem, even if it doesn’t meet the requirements to classify it as an urgent security fix, according to a report. They “may take action in a future release to help mitigate this technique.”
Rauch claims that “two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing,” are present. Microsoft argues that “for this case… these all are post exploitation and rely on a target already being compromised.” Microsoft says that this technique is using legitimate features from Teams, and is not something they can currently mitigate.
However, a few changes to your current configurations can prevent inbound attacks from unknown Teams accounts.
Disable External Access
Teams, by default, allows external senders to send messages to an organization’s internal users. Many organizations don’t even realize that their settings allow for external communications. You can strengthen these configurations by:
Disabling External Domain Access: This will prevent people in your organization from finding, calling, chatting or setting up meetings with anyone external to your organization.
Disabling Unmanaged External Teams Start Conversation: This will block your internal Teams users from communicating with external users whose accounts are not managed by an organization.
Gain Device Inventory Insight
You can ensure your entire organization’s devices are fully compliant and secure by using an XDR/EDR/Vulnerability Management solution. Endpoint security tools are a first line of defense against suspicious activity such as accessing a device’s local Teams log folder, which GIFShell uses for data exfiltration.
You can even go a step further and integrate a SaaS Security Posture Management (SSPM) solution with your endpoint security tools to gain visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users, and their associated devices.
Story via The Hackers News