A new attack technique dubbed GIFShell targets Microsoft Teams users and it relies on GIF images to trick users into executing malicious commands!
Discovered by cybersecurity consultant Bobby Rauch, this new attack exploits vulnerabilities in Microsoft Teams as well as elements that are not sufficiently secure. In total, his report lists 7 different security vulnerabilities discovered in Microsoft Teams.
For example, he mentions the fact that Teams does not perform a full analysis of the Base64-encoded portion of GIFs, which makes it possible to store malicious code there without removing the code corresponding to the GIF itself. Another example: reading the Teams log files (stored in plain text under AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\*.log) does not require administrator rights or any specific privilege level, which means that the malware used in this attack can analyze the logs.
This technique is difficult to detect, because it is based on GIF images and the transfer of information goes through Microsoft's servers, since native functions are used. Therefore, even for an EDR-type security solution, this malicious behavior can be difficult to detect. In an example posted online, we can see that the GIF image allows the attacker to execute a command (and obtain a reverse shell) when the user opens this image.
Finally, by exploiting these different vulnerabilities, Bobby Rauch managed to bypass various security checks, exfiltrate data and execute commands. He also specifies that this technique can be exploited from a phishing attack.
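The point above, that Teams does not fully inspect the Base64-encoded GIF it receives, is exactly the kind of gap a content filter or mail/chat gateway can close on its own side. The following structural GIF validator is an added example written for this page; it is not code from the article or from Bobby Rauch's research. It walks a GIF block by block per the GIF89a grammar and reports anything that does not belong: bytes appended after the 0x3B trailer (the usual sign of a file that still renders as an image but carries extra content), truncated blocks, or a missing header. Base64 input is accepted to match how the article says Teams handles GIFs. The sample GIF bytes are constructed for the demo and the pixel data is not LZW-decoded; only the container structure is checked.

```python
"""Structural GIF validator (added example, not from the article).

Classifies a GIF (raw bytes or Base64) as 'clean', 'appended_data' or
'malformed' based purely on container structure. The sample GIF at the
bottom is constructed for demonstration.
"""
import base64
import binascii
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")


class GifParseError(ValueError):
    pass


def _color_table_len(flags: int) -> int:
    # Bit 7 = color table present; low 3 bits = size exponent.
    # Table holds 2^(n+1) entries of 3 bytes each.
    if flags & 0x80:
        return 3 * (2 ** ((flags & 0x07) + 1))
    return 0


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Data sub-blocks: repeated (length byte, payload) until a zero-length block.
    while True:
        if pos >= len(data):
            raise GifParseError("truncated data sub-block")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        if pos + n > len(data):
            raise GifParseError("truncated data sub-block")
        pos += n


def parse_gif(data: bytes) -> dict:
    """Summarize GIF structure; raise GifParseError on malformed input.

    'trailing_bytes' counts everything after the 0x3B trailer, i.e. content
    that a GIF decoder ignores but that should never be there."""
    if len(data) < 13 or data[:6] not in GIF_HEADERS:
        raise GifParseError("missing GIF87a/GIF89a header")
    width, height, flags = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _color_table_len(flags)  # header + logical screen descriptor + global table
    images = extensions = 0
    while True:
        if pos >= len(data):
            raise GifParseError("file ends before trailer")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer: end of the GIF
            break
        if block == 0x21:  # extension: one label byte, then sub-blocks
            if pos >= len(data):
                raise GifParseError("truncated extension")
            pos = _skip_sub_blocks(data, pos + 1)
            extensions += 1
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local table, LZW size, sub-blocks
            if pos + 9 > len(data):
                raise GifParseError("truncated image descriptor")
            local_flags = data[pos + 8]
            pos += 9 + _color_table_len(local_flags)
            if pos >= len(data):
                raise GifParseError("truncated image data")
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size byte
            images += 1
        else:
            raise GifParseError(f"unexpected block type 0x{block:02x} at offset {pos - 1}")
    return {"width": width, "height": height, "images": images,
            "extensions": extensions, "trailing_bytes": len(data) - pos}


def check_gif_payload(payload: bytes, base64_encoded: bool = False) -> dict:
    """Decode (optionally from Base64) and return a verdict dictionary."""
    if base64_encoded:
        try:
            payload = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            return {"verdict": "malformed", "reason": "invalid base64"}
    try:
        info = parse_gif(payload)
    except GifParseError as e:
        return {"verdict": "malformed", "reason": str(e)}
    if info["trailing_bytes"]:
        return {"verdict": "appended_data",
                "reason": f"{info['trailing_bytes']} bytes after GIF trailer", **info}
    return {"verdict": "clean", **info}


# Constructed 1x1 GIF89a with one image and no color tables (demo input only).
MINIMAL_GIF = (b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00"        # header + logical screen descriptor
               + b"\x2c" + b"\x00\x00\x00\x00\x01\x00\x01\x00" + b"\x00"  # image descriptor, no local table
               + b"\x02" + b"\x02\x44\x01" + b"\x00"                     # LZW min code size, one sub-block, terminator
               + b"\x3b")                                                 # trailer
# Constructed Base64 sample with three bytes appended after the trailer.
APPENDED_B64 = base64.b64encode(MINIMAL_GIF + b"xyz")

if __name__ == "__main__":
    print(check_gif_payload(MINIMAL_GIF))
    print(check_gif_payload(MINIMAL_GIF + b"text that is not part of the image"))
    print(check_gif_payload(APPENDED_B64, base64_encoded=True))
```

A gateway would run `check_gif_payload` on the decoded attachment before forwarding it and quarantine anything other than `clean`; the structural walk is cheap enough to apply to every image, and because it follows the GIF grammar rather than looking for known strings, it flags appended content regardless of what that content is.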
The latest version of Microsoft Teams is still vulnerable
The desktop client of the Microsoft Teams collaboration and videoconferencing solution is affected by this attack; to be precise, version 1.5.00.11163 is affected, as well as earlier versions. Microsoft has been aware of the situation since May and June 2022, when Bobby Rauch took the trouble to contact the American company, but to date the vulnerabilities are still present, including in the most recent version of Teams. Moreover, Microsoft reportedly gave him permission to share his work publicly.
According to the information relayed, here is Microsoft’s opinion on the technique described by Bobby Rauch: “It is important to be aware of this type of phishing and, as always, we recommend that users practice good online computing habits, including exercising caution when clicking on links to web pages, opening unknown files or accepting file transfers.”
The Redmond firm also specifies: “We have evaluated the techniques reported by this researcher and have determined that the two mentioned do not meet the criteria for an urgent security patch. We are constantly looking for new ways to better resist phishing to keep customers safe and we may take steps in a future release to help mitigate this technique.”
Although there is a real risk associated with this technique, this campaign seems quite complex to implement: this may be the reason why Microsoft has not yet put any emergency patches online. Let’s hope all the same that the vulnerabilities discovered by Bobby Rauch are corrected, especially since he has done a quality job.
To be continued…