Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could have allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.
The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created [a proof-of-concept (PoC) of the attack](<https://cyberark.wistia.com/medias/f4b25lcyzm>).
Microsoft neutralized the threat last Monday, updating misconfigured DNS records, after researchers reported the vulnerability on March 23. “Even if an attacker doesn’t gather much information from a [compromised] Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” wrote Omer Tsarfati, CyberArk cyber security researcher, in a [technical breakdown of its discovery Monday](<https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/>). “Eventually, the attacker could access all the data from your organization Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”
The attack involves malicious actors being able to abuse a JSON Web Token (“authtoken”) and a second “skype token”. Microsoft uses the combination of these two tokens to allow a Teams user to see images shared with them – or by them – across different Microsoft servers and services such as SharePoint and Outlook.
The weakness is in the application programming interfaces (APIs) used to facilitate the communication between services and servers, Tsarfati said. In short, Microsoft validates the cookies called “authtoken” and “skype token” on any host under *.teams.microsoft.com; the researchers were then able to isolate and manipulate the tokens for the PoC attack.
The “authtoken” and “skypetoken_asm” cookies are sent to teams.microsoft.com – or any sub-domain under teams.microsoft.com – to authenticate the GIF sender and receiver, Tsarfati wrote.
As part of CyberArk’s research, they found two insecure Microsoft subdomains, “aadsync-test.teams.microsoft.com” and “data-dev.teams.microsoft.com”, that were ripe for takeover.
“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a Skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” the research said.
“Now with both tokens, the access token (authtoken) and the Skype token, [an attacker] will be able to make APIs calls/actions through Teams API interfaces – letting you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups,” researchers wrote.
The novel aspect of this PoC is that all it takes to trigger the hack is the target of the attack viewing a malicious GIF sent by the rogue Teams user.
“The reason that Teams sets the ‘authtoken’ cookie is to authenticate the user for loading images in domains across Teams and Skype,” explained the researcher. “When the victim opens this message, the victim’s browser will try to load the image and will send the authtoken cookie to the compromised sub-domain.”
This allows the attacker to get their hands on the victim’s “authtoken” and ultimately provides a pathway to access the victim’s Microsoft Teams data.
“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts. The vulnerability can also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps,” the researcher wrote.
Researchers said they worked with Microsoft Security Research Center after finding the account takeover vulnerability on March 23. They said Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which mitigated the problem.
Source: Threatpost, “Single Malicious GIF Opened Microsoft Teams to Nasty Attack”, by Tom Spring, published 2020-04-27, https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/