Is That a Legit Zoom Call or Are You Getting Hacked?
In the world of cybersecurity, hackers are constantly finding new and creative ways to infiltrate corporate networks. At the Black Hat security conference in Las Vegas, Praetorian Security's Adam Crosser shed light on a particularly insidious attack method that exploits two major video conferencing platforms: Zoom and Teams.
The Risks of Network Hacking
In reality, network hacking is not a fast or flashy process. It's often a gradual and stealthy approach, where hackers slip a tiny program into the network and then send instructions to expand its access. Modern network security aims to prevent this kind of skullduggery by detecting suspicious communication patterns.
However, modern hackers need a connection that doesn't stand out. What makes an ideal connection for short-term command and control? According to Crosser's team, the answer lies in four key criteria: latency, throughput, reach, and trustworthiness. A connection needs to be fast and responsive, with sufficient data transfer capacity; it must be widely available technology; and users and network administrators must trust the platform.
The Attack Technique
Crosser's team identified web conferencing systems like Zoom and Teams as ideal targets for this type of attack. These platforms have built-in features that allow them to bypass network restrictions, such as split tunneling in Microsoft Teams. This means that even if your network security is strict, a video call can still find a way through.
To understand how this works, consider the steps a hacker might take when trying to connect from within a highly secure network. If one technique doesn't work, it will try and try again until it finds a way to connect, or simply fail, prompting a call from the CEO to the IT department.
The TURNt Attack
One of the key technologies used in this attack is called TURN (Traversal Using Relays around NAT), a network protocol for connecting devices that can't easily connect directly. Crosser's team developed an app called TURNt, or TURN tunneler, which exploits this technology to piggyback malicious traffic on legitimate video conferencing connections.
In live demos, the team showed how it was possible to covertly download a file to the victim's system using this technique. The real danger lies in the fact that someone who thinks they're trying to connect to a video call ends up with malware on their company computer, which can steal data, launch ransomware attacks, or compromise the entire firm.
A Vulnerability in Teams
Just before Black Hat, Zoom released a patch that defeats the TURNt attack. However, Microsoft Teams is still vulnerable to this type of exploitation. Crosser noted that this creates an opportunity for researchers to explore and improve security measures in this area.
Conclusion
Adam Crosser's presentation at Black Hat highlighted the importance of staying vigilant against emerging threats. As he concluded, "It's a good entry point for new researchers. Pick a topic, expand on it, see if you can make something that functions." The attack technique described by Crosser serves as a reminder that even the most trusted platforms can be vulnerable to exploitation.