Tag Archive for: sidestep

Microsoft Teams bug allows hackers to sidestep security, plant malware


A Microsoft Teams vulnerability allows adversaries to sidestep security controls and plant malware on targeted systems. The Teams attack vector was found by researchers who warn that, as traditional routes of infection such as inboxes and websites become more heavily scrutinized, communications platforms such as Teams, Slack and Zoom are becoming a more attractive target.

In a research note posted last week, Jumpsec researchers said the issue impacts organizations that use Microsoft Teams in its default configuration. “This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organization,” wrote Max Corbridge, a researcher with Jumpsec’s Red Team research group.

IDOR Bug

The bug is based on the Teams feature that allows two businesses running the Teams platform to interact with one another. The collaboration feature does have security measures in place to prevent one business from sending the other a malicious file via Teams. However, Jumpsec found a way to bypass those protections and successfully plant a malicious file on the recipient’s system.

“Microsoft Teams allows any user with a Microsoft account to reach out to ‘external tenancies’… These organizations each have their own Microsoft tenancy, and users from one tenancy are able to send messages to users in another tenancy,” he wrote.

The loophole relies on a common weakness called insecure direct object references (IDOR), where the file sender switches the internal and external recipient IDs in a POST request, researchers said. A POST request is used to send data to a server to create or update a resource.
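To show why this class of bug matters to defenders, here is an added illustration (not code from Jumpsec, Microsoft or this article) of a hypothetical file-share endpoint: one handler that trusts the client's own classification of the recipient, and one that derives both parties' tenancies server-side from a directory. The user directory, field names and policy are constructed assumptions for the example.

```python
"""
Added illustration of an IDOR on a file-share POST (constructed example).
It is not Jumpsec's, Microsoft's or Teams' code; the directory, request
fields and policy below are assumptions made for the demonstration.
"""
from dataclasses import dataclass

# Constructed user directory: user id -> tenancy id. In a real deployment
# this comes from the identity provider, never from the request body.
DIRECTORY = {
    "u-alice": "tenant-acme",
    "u-bob": "tenant-acme",
    "u-mallory": "tenant-other",
}


@dataclass
class ShareRequest:
    sender: str             # authenticated user id (taken from the session)
    recipient: str          # recipient id supplied in the POST body
    claimed_external: bool  # client-set flag: "this is an external send"
    filename: str


def client_side_only(req: ShareRequest) -> str:
    """Weak handler: the only 'policy' is the flag the client sends.

    A caller who keeps the flag at False while putting any recipient id
    in the body (the IDOR pattern) is never checked against tenancy.
    """
    if req.claimed_external:
        return "blocked: external file sharing disabled"
    return f"delivered {req.filename} to {req.recipient}"


def server_side_policy(req: ShareRequest) -> str:
    """Hardened handler: ignore the client's flag entirely.

    Both tenancies are resolved on the server from the directory, so a
    swapped recipient id cannot change which policy applies.
    """
    sender_tenant = DIRECTORY.get(req.sender)
    recipient_tenant = DIRECTORY.get(req.recipient)
    if sender_tenant is None or recipient_tenant is None:
        return "blocked: unknown principal"
    if sender_tenant != recipient_tenant:
        return "blocked: external file sharing disabled"
    return f"delivered {req.filename} to {req.recipient}"


if __name__ == "__main__":
    # Constructed request: an external sender who leaves the client flag
    # unset while naming an internal recipient.
    swapped = ShareRequest("u-mallory", "u-alice", False, "invoice.pdf")
    print("client-side check :", client_side_only(swapped))
    print("server-side check :", server_side_policy(swapped))
```

The design point is that an authorization decision must be computed on the server from the authenticated identity and a trusted directory; any identifier or flag in the request body is attacker-controlled input, and checking it only in the client leaves nothing to enforce.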

When a file is hosted on a SharePoint domain, an adversary can simply craft a malicious URL, send it to a target via Teams and plant malware on the target’s computer. The “payload is delivered directly into the target’s inbox” as a file, not a link, researchers said.

The next step in the attack, researchers said, would be to use a social engineering tactic to con the recipient into clicking on the malicious payload.

“[This technique] avoids the now-rightfully-dangerous act of clicking on a link in an email, something that staff have been trained to…


Robocallers “evolved” to sidestep new call blocking rules, AGs tell FCC

[Image: Three robots sitting in front of computers and wearing phone headsets. Credit: Getty Images | vladru]

The Federal Communications Commission should let phone companies get more aggressive in blocking robocalls, 35 state attorneys general told the commission yesterday.

The FCC last year authorized voice service providers to block more types of calls in which the Caller ID has been spoofed or in which the number on the Caller ID is invalid. But the FCC did not go far enough, and robocallers have “evolved” to evade the new rules, the 35 attorneys general wrote in an FCC filing:

One specific method which has evolved recently is a form of illegal spoofing called “neighbor spoofing.” A neighbor-spoofed call will commonly appear on a consumer’s caller ID with the same area code and local exchange as the consumer to increase the likelihood he/she will answer the call. In addition, consumers have recently reported receiving calls where their own phone numbers appeared on their caller ID. A consumer who answered one such call reported the caller attempted to trick her by saying he was with the phone company and required personal information to verify the account, claiming it had been hacked.

The attorneys general said they “encourage the FCC to adopt rules authorizing providers to block these and other kinds of illegally spoofed calls.”


Biz & IT – Ars Technica