Fast Facts
- Hackers are increasingly exploiting trusted cloud services, such as Microsoft Teams, by using its infrastructure to disguise malicious command-and-control (C2) traffic, making detection more difficult.
- A new Go-based Remote Access Trojan (Backdoor.TURN) leverages Microsoft Teams’ TURN relay servers for stealthy C2 communication by authenticating via a Microsoft token and routing traffic through legitimate domains.
- The campaign, linked to the DragonForce ransomware group, involved sophisticated techniques including DLL sideloading, kernel-level driver exploitation, and modifying system configurations for long-term persistence.
- Symantec emphasizes that blending malicious activity with legitimate cloud services significantly hampers detection, underscoring the urgent need for enhanced behavioral monitoring and stricter security controls over communication platforms and vulnerable drivers.
The Issue
Recently, a cyber campaign was uncovered in which hackers exploited Microsoft Teams infrastructure to conceal malicious activities. Symantec Threat Hunter Team reported that the attackers used a new Go-based remote access Trojan called Backdoor.TURN, which cleverly routes command-and-control (C2) traffic through Microsoft’s own servers, making it appear as normal enterprise communication. This sophisticated method, linked to a larger DragonForce ransomware attack targeting a major U.S. services company, allowed the hackers to stay undetected for nearly two months. The malware first gained access, possibly through vulnerabilities in SQL or MSSQL servers, then used trusted processes and weaponized drivers to maintain persistence and evade security tools. Notably, the campaign employed advanced techniques, including hijacking cloud relays and exploiting drivers like Huawei’s HWAuidoOs2Ec.sys, to hide malicious traffic and isolate defenders. The report emphasizes that this marks the first known instance of malicious actors weaponizing Microsoft Teams’ relay infrastructure in such a manner, illustrating a disturbing evolution in cyberattack tactics.
The attack primarily affected the targeted organization, with the threat actors deploying various stealth tactics to sustain access, conduct reconnaissance, and eventually deploy ransomware. Symantec’s investigation reveals that the hackers exploited trusted enterprise platforms and vulnerable drivers, blending their malicious activity seamlessly into legitimate network traffic, thus hindering detection. This campaign’s techniques, such as using legitimate processes for executing malware and leveraging cloud relay servers, demonstrate how modern cybercriminals are increasingly adopting sophisticated, covert methods. The report, which is authored by Symantec’s Threat Hunter Team, highlights the growing complexity of cyber threats, underscoring the urgent need for enhanced behavioral detection strategies and stricter security controls over enterprise communication platforms and vulnerable drivers to better defend against such clandestine operations.
Security Implications
The issue ‘Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic’ can significantly threaten any business, especially those relying on cloud communication tools. When cybercriminals exploit this vulnerability, they use Microsoft Teams Relay as a covert channel, making malicious ransomware traffic go unnoticed. This means that your business’s sensitive data and operations could be attacked without detection, leading to costly downtime and data loss. Furthermore, such breaches damage your company’s reputation, breach customer trust, and result in financial losses through ransom payments or recovery efforts. Ultimately, as hackers continually develop new tactics, your business must stay vigilant and implement robust security measures to prevent falling victim to these sophisticated threats.
Fix & Mitigation
Timely remediation in cybersecurity is crucial to prevent attackers from exploiting vulnerabilities, such as hackers weaponizing Microsoft Teams relay to conceal ransomware traffic. Prompt action can limit damage, reduce recovery costs, and safeguard critical assets.
Detection and Monitoring
- Implement continuous network traffic analysis for abnormal patterns
- Enable logging and real-time alerts on Microsoft Teams activity
Vulnerability Management
- Regularly update and patch Microsoft Teams and related infrastructure
- Conduct vulnerability scans to identify potential entry points
Access Controls
- Enforce strict access policies, including multi-factor authentication
- Limit permissions for Teams and relay configurations to essential personnel
Configuration Security
- Review and configure Teams settings to disable unnecessary relay features
- Apply robust network segmentation to isolate important systems
Incident Response
- Develop and routinely test an incident response plan specific to Microsoft Teams abuse
- Isolate affected systems swiftly to prevent ransomware spread
User Training
- Educate staff on phishing and social engineering tactics used to gain initial access
- Promote awareness of suspicious activity related to messaging platforms
Collaboration and Threat Intelligence
- Share threat intelligence with industry partners and authorities
- Stay updated on the latest tactics and mitigation strategies related to Teams relay abuse
Continue Your Cyber Journey
Discover cutting-edge developments in Emerging Tech and industry Insights.
Understand foundational security frameworks via NIST CSF on Wikipedia.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
Cyberattacks-V1
