GIFShell Attack Exploits Teams Logs, GIFs, Adaptive Cards, and the Incoming Webhook Connector
The Proof of Concept (POC) attack techniques to exploit holes in Microsoft Teams described in this BleepingComputer article are not good news (note to self: security flaws are seldom good news). The article describes how attackers can exploit several Teams vulnerabilities (collectively known as “GIFShell”) to deliver malware, run commands, and exfiltrate data using GIFs.
Bobby Rauch, a cybersecurity consultant and pentester, discovered the vulnerabilities exploited by GIFShell. According to the article, Rauch disclosed the problems to Microsoft in May and June of 2022, but nothing has been done yet to close the gaps. As reported by BleepingComputer, Microsoft says that the two techniques disclosed by Ruach “do not meet the bar for an urgent security fix.”
Part of the logic for Microsoft’s view that an urgent fix is unnecessary is that the attack depends on loading a malware executable on a Windows PC. In other words, an attacker must first compromise a computer to plant the malware. Nothing else can happen unless the attacker has access to a compromised target, so Microsoft considers the techniques to be post exploitation.
The executable (“the stager”) monitors the contents of the Teams logs stored on the PC at AppData\Roaming\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb. These logs are the Teams local cache and not the actual Teams message data, which remains stored in Azure Cosmos DB. However, the local cache does contain copies of Teams messages.
The screenshot published in the article makes it seem like the researcher used Teams consumer rather than Teams enterprise because the folder he references uses teams.live.com. I see a different setup on my PCs running Teams enterprise. This isn’t surprising because Teams consumer uses the V2 architecture while Teams enterprise still uses V1. The researcher doesn’t say what version of Teams he tested on, but some of the screenshots show the web client connected to teams.microsoft.com.
The Special GIFs used by GIFShell
Rauch points out that the default Teams configuration allows external access with any other tenant and uses this to send a chat message containing a special GIF to a user in another tenant. The GIF could contain commands to execute on the target machine. The stager monitors the Teams logs and when it finds a GIF, it extracts and runs the commands. The base64 encoded output is used as a filename for a remote GIF embedded in an adaptive card submitted by the stager to the URL for the incoming webhook connector created for a Teams channel in the attacker’s tenant. It’s easy to send data to Teams in this manner, and it’s certainly a convenient way for the attacker to transmit information back to their server.
The presence of the GIF forces Teams to connect to the URL (using the URL pointing to the attacker’s server) to retrieve the GIF, which the attacker can intercept to see the content sent from the target machine. Rauch points out that Microsoft’s skype.com servers handle this traffic, so it’s considered legitimate.
Clever Attack But
As mentioned above, the GIFShell attack depends on being able to send a message to an external user. One practical and quick way to stop similar attacks is to update the external settings for Teams to block access from any organization other than those on an allow list (Figure 1).
The downside of this arrangement is that you won’t be able to use functionality like federated chat or shared channels with external users from a domain that’s not on the allowed list. However, that’s a small price to pay for better security and control over external communications. Remember that if you’re going to set up shared channels to collaborate with another organization, you might want to create an Azure AD cross-tenant access policy, so part of that process can be to add the target domain to the allow list.
Update: One way to populate the domain allow list for external access is to base it on the domains of guest accounts in a tenant. All explained in this article.
Relax but Stay Vigilant
Given the size of the Teams installed base (the last reported number was 270 million monthly active users), it’s no mystery why attackers might consider Teams a nice target. Microsoft appears to be pretty sure that the reported technique penetrated no security boundary. They know more about security than I do, so I accept what they say. However, it’s still not good when security researchers find weaknesses. The vulnerabilities might not be exploitable today, but that’s no guarantee that they couldn’t be a path to penetrate a tenant in the future.
The Microsoft 365 Kill Chain and Attack Path Management
An effective cybersecurity strategy requires a clear and comprehensive understanding of how attacks unfold. Read this whitepaper to get the expert insight you need to defend your organization!