- Researchers say Microsoft Teams and Zoom infrastructure is ideal cover for "ghost calls"
- Attackers can obtain temporary TURN credentials and build a tunnel
- Vendors should implement safeguards, since there is no vulnerability in sight
Praetorian researchers have detailed "ghost calls", a post-exploitation command-and-control technique that routes attacker traffic through the legitimate Traversal Using Relays around NAT (TURN) servers used by Zoom and Microsoft Teams in order to evade detection.
The attack works by hijacking the temporary TURN credentials that conferencing clients receive when they join a meeting, then establishing a tunnel between the compromised host and the attacker's machine.
Because all traffic is sent via trusted Zoom and Teams IP addresses, which are generally allow-listed inside companies, this kind of hijacking can fly under the radar.
Teams and Zoom susceptible to the attack
Praetorian explained that because the attack leverages infrastructure already authorized through the firewall, proxies and TLS inspection, ghost calls can easily evade traditional defenses.
Blending into normal low-latency video traffic patterns also helps the attackers, who avoid exposing attacker-controlled domains and servers.
Praetorian explains in the first of its two blog posts that video-conferencing platforms "are designed to operate even in environments with relatively strict egress controls", so if an attacker can tunnel through these systems, there could be a higher risk of data exfiltration.
"In addition, this traffic is often encrypted end to end using AES or other strong encryption."
Credentials generally expire after two to three days, so the tunnels are short-lived. Alarmingly, though, Praetorian notes that there is not necessarily a vulnerability for vendors to patch, adding that they should instead focus on introducing additional safeguards to defend against ghost call attacks.
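As an added example (not from the article or from Praetorian's research), here is a defender-side triage script that flags TURN relay sessions which do not look like a real call: traffic to a TURN port from a process other than the conferencing client, a session far longer than a meeting, or an upload-heavy flow. The process names, thresholds and sample telemetry are assumptions constructed for the example.

```python
"""Triage TURN relay sessions from endpoint/network telemetry.

Defensive heuristics, assumed rather than taken from the article: TURN
traffic should come only from the conferencing client, last about as long
as a meeting, and be roughly symmetric (video flows both ways). A tunnel
used for C2 or exfiltration usually breaks at least one expectation.
"""
from dataclasses import dataclass

TURN_PORTS = {3478, 5349}                                      # standard TURN / TURN-over-TLS ports
EXPECTED_CLIENTS = {"ms-teams.exe", "Teams.exe", "Zoom.exe"}   # assumed client process names
MAX_CALL_SECONDS = 4 * 3600                                    # assumption: calls rarely exceed 4 h
UPLOAD_RATIO = 10                                              # assumption: out/in above this is exfil-like
MIN_UPLOAD_BYTES = 50 * 1024 * 1024                            # ignore tiny flows


@dataclass
class Flow:
    host: str
    process: str
    dst_ip: str
    dst_port: int
    duration_s: int
    bytes_in: int
    bytes_out: int


def triage(flows):
    """Return (host, reason, detail) tuples for TURN flows that look abnormal."""
    findings = []
    for f in flows:
        if f.dst_port not in TURN_PORTS:   # relays on 443 would need an allow-list of relay IPs instead
            continue
        if f.process not in EXPECTED_CLIENTS:
            findings.append((f.host, "turn-from-unexpected-process", f.process))
        if f.duration_s > MAX_CALL_SECONDS:
            findings.append((f.host, "turn-session-too-long", f.duration_s))
        if f.bytes_out >= MIN_UPLOAD_BYTES and f.bytes_out > UPLOAD_RATIO * max(f.bytes_in, 1):
            findings.append((f.host, "turn-session-upload-heavy", f.bytes_out))
    return findings


# Constructed sample telemetry (not real data); relay addresses are documentation ranges.
SAMPLE = [
    Flow("ws01", "ms-teams.exe", "203.0.113.10", 3478, 2700, 400_000_000, 380_000_000),   # ordinary call
    Flow("ws02", "svchost.exe", "203.0.113.11", 3478, 90_000, 2_000_000, 900_000_000),    # tunnel-like
    Flow("ws03", "Zoom.exe", "203.0.113.12", 3478, 20_000, 300_000_000, 280_000_000),     # long but symmetric
    Flow("ws04", "python.exe", "198.51.100.5", 443, 100, 10, 10),                          # not on a TURN port
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

Expect two findings for ws02 plus its upload-heavy flag, and one long-session flag for ws03; the 443 flow is skipped because the port heuristic alone cannot distinguish a relay from ordinary HTTPS.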