
Token-Mining Weakness in Microsoft Teams Makes for Perfect Phish

Attackers who gain initial access to a victim’s network now have another method of expanding their reach: using access tokens from other Microsoft Teams users to impersonate those employees and exploit their trust.

That’s according to security firm Vectra, which stated in an advisory on Sept. 13 that Microsoft Teams stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. According to the firm, an attacker with local or remote system access can steal the credentials for any currently online users and impersonate them, even when they are offline, and impersonate the user through any associated feature, such as Skype, and bypass multifactor authentication (MFA).

The weakness gives attackers the ability to move through a company's network far more easily, says Connor Peoples, security architect at Vectra, a cybersecurity firm based in San Jose, Calif.

“This enables multiple forms of attacks including data tampering, spear-phishing, identity compromise, and could lead to business interruption with the right social engineering applied to the access,” he says, noting that attackers can “tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”

Vectra discovered the issue when the company’s researchers examined Microsoft Teams on behalf of a client, looking for ways to delete users who are inactive, an action that Teams does not typically allow. Instead, the researchers found a file that stored access tokens in cleartext, which gave them the ability to connect to Skype and Outlook through their APIs. Because Microsoft Teams brings together a variety of services, including those applications, SharePoint, and others, the software requires tokens to gain access to them, Vectra stated in the advisory.

With the tokens, an attacker can not only gain access to any service as the online user but also bypass MFA, because the existence of a valid token usually means the user has already supplied a second factor.

Ultimately, the attack requires no special permissions or advanced malware to give attackers enough access to cause internal difficulties for a targeted company, the advisory stated.

“With enough compromised machines, attackers can orchestrate communications within an organization,” the company stated in the advisory. “Assuming full control of critical seats — like a company’s head of engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization. How do you practice phish testing for this?”

Microsoft: No Patch Needed

Microsoft acknowledged the issues but said that the requirement for the attacker to have already compromised a system on the target network reduced the threat posed, and it opted not to issue a fix.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” a Microsoft spokesperson said in a statement sent to Dark Reading. “We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.”

In 2019, the Open Web Application Security Project (OWASP) released a list of the top 10 API security issues. The current problem could be considered either broken user authentication or security misconfiguration, the second and seventh issues on the list.

“I view this vulnerability as another means for lateral movement primarily — essentially another avenue for a Mimikatz-type tool,” says John Bambenek, principal threat hunter at Netenrich, a security operations and analytics service provider.

A key reason for the existence of the security weakness is that Microsoft Teams is based on the Electron application framework, which allows companies to create software based on JavaScript, HTML, and CSS. As the company moves away from that platform, it will be able to eliminate the vulnerability, Vectra’s Peoples says.

“Microsoft is making a strong effort to move toward Progressive Web Apps, which would mitigate many of the concerns currently brought by Electron,” he says. “Rather than rearchitect the Electron app, my assumption is they are devoting more resources into the future state.”

Vectra recommends that companies use the browser-based version of Microsoft Teams, which has enough security controls to prevent exploitation of the issues. Customers who need to use the desktop application should “watch key application files for access by any processes other than the official Teams application,” Vectra stated in the advisory.
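One way to act on that monitoring advice, as an added example that is neither Vectra's nor Microsoft's code: a small Python checker that parses Windows Security event 4663 (object access) audit records and flags any process other than the official Teams client touching a watched file. The user name, the watched file path and the client's install location are assumed placeholders, not values taken from the advisory.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Watched token-store path and the official client binary's full path are
# ASSUMED placeholders for this example; the advisory names neither.
WATCHED_FILES = {
    r"c:\users\alice\appdata\roaming\microsoft\teams\<token-store-file>",
}
# Compare the whole path, not just the basename: a copied or renamed binary
# called teams.exe elsewhere on disk must still raise an alert.
OFFICIAL_CLIENT = {
    r"c:\users\alice\appdata\local\microsoft\teams\current\teams.exe",
}

# Constructed sample records, flattened to key=value pairs from the fields of
# Windows Security event 4663 ("An attempt was made to access an object").
SAMPLE_EVENTS = [
    r"EventID=4663 SubjectUserName=alice ObjectName=C:\Users\alice\AppData\Roaming\Microsoft\Teams\<token-store-file> ProcessName=C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
    r"EventID=4663 SubjectUserName=alice ObjectName=C:\Users\alice\AppData\Roaming\Microsoft\Teams\<token-store-file> ProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=4663 SubjectUserName=alice ObjectName=C:\Users\alice\AppData\Roaming\Microsoft\Teams\<token-store-file> ProcessName=C:\Users\alice\Downloads\Teams.exe",
    r"EventID=4656 SubjectUserName=alice ObjectName=C:\Users\alice\AppData\Roaming\Microsoft\Teams\<token-store-file> ProcessName=C:\Windows\System32\cmd.exe",
]

@dataclass(frozen=True)
class Alert:
    user: str
    process: str
    target: str

def parse_event(line: str) -> dict:
    # Split a flattened audit record into its key=value fields.
    return dict(re.findall(r"(\w+)=(\S+)", line))

def check_event(line: str) -> Optional[Alert]:
    # Alert only on completed accesses (4663) to a watched file by a process
    # whose full path is not the official client.
    ev = parse_event(line)
    if ev.get("EventID") != "4663":
        return None
    target = ev.get("ObjectName", "").lower()   # NTFS paths are case-insensitive
    proc = ev.get("ProcessName", "").lower()
    if target not in WATCHED_FILES or proc in OFFICIAL_CLIENT:
        return None
    return Alert(ev.get("SubjectUserName", "?"), ev["ProcessName"], ev["ObjectName"])

def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(check_event, lines) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT user={alert.user} process={alert.process} file={alert.target}")
```

On the constructed sample the scan raises two alerts, for the PowerShell access and for the look-alike binary in the Downloads folder, while the genuine client and the handle-request event (4656) pass silently.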
