- Experts say that Microsoft Teams and Zoom are perfect places to hide ghost calls
- Attackers can obtain temporary TURN credentials and create a tunnel
- Vendors must implement safeguards, because there is no vulnerability in sight
Praetorian researchers have shed light on Ghost Calls, a post-exploitation command-and-control evasion technique that sends attacker traffic along a legitimate route, the Traversal Using Relays around NAT (TURN) servers used by tools such as Zoom and Microsoft Teams, in order to evade detection.
The attack works by hijacking the temporary TURN credentials that conferencing clients receive when they join a meeting, and then establishing a tunnel between the compromised host and the attacker's machine.
Because all of the traffic is routed through trusted Zoom and Teams IPs and domains, which are generally allow-listed within companies, this kind of hijacking attack can fly under the radar.
Teams and Zoom susceptible to attacks
Praetorian explained that because the attack takes advantage of infrastructure already permitted through the corporate firewall, proxies and TLS inspection, Ghost Calls can easily evade traditional defenses.
Blending in with normal, low-latency traffic patterns also helps the attackers, and it removes the exposure of attacker-controlled domains and servers.
Praetorian explains in the first of its two blog posts that video-conferencing platforms "are designed to function even in environments with relatively strict egress controls", so an attacker who can work out how to abuse these systems has a greater chance of exfiltrating data.
"In addition, this traffic is often encrypted end to end using AES or other strong encryption. This means that the traffic is naturally heavily obfuscated and impossible to inspect in depth, which makes it a perfect place to hide as an attacker," the researchers added.
TURN credentials generally expire after two or three days, so the tunnels are short-lived, but alarmingly, Praetorian explains that there is not necessarily a vulnerability for vendors to patch, adding that they must instead focus on introducing more safeguards to prevent Ghost Calls attacks.
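Since the vendors have nothing to patch, the practical response is on the defender's side: the relay traffic is allow-listed and encrypted, so what remains observable is its shape. The script below is an added example, not code from Praetorian or from the conferencing vendors, and it scans constructed firewall/NetFlow-style connection records for sessions to allow-listed relay endpoints that last far longer than a meeting or push far more data outbound than a call would. The relay hostnames, the ports, the thresholds and the sample records are all assumptions made for the example; a real deployment would use the organisation's own allow-list and its own baseline of meeting durations.

```python
"""
Added example (not Praetorian's or the vendors' code): flag connections to
allow-listed conferencing relay endpoints whose duration or outbound volume
does not look like a meeting. All names, ports, thresholds and sample data
below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: relay endpoints the organisation has allow-listed. These are
# placeholder names, not real Zoom or Teams relay hostnames.
ALLOWLISTED_RELAY_SUFFIXES = (
    ".relay.conferencing-vendor-a.example",
    ".turn.conferencing-vendor-b.example",
)
# Assumption: ports a relay session is expected on (TURN, TURN over TLS, HTTPS).
RELAY_PORTS = {3478, 5349, 443}

MAX_MEETING_DURATION = timedelta(hours=4)   # assumption: longest plausible call
MAX_UPLOAD_BYTES = 2 * 1024 ** 3             # assumption: 2 GiB outbound per call


@dataclass
class FlowRecord:
    src_host: str
    dst_host: str
    dst_port: int
    start: datetime
    end: datetime
    bytes_out: int


def parse_flow_line(line: str) -> FlowRecord:
    """Parse one constructed record: src|dst|port|start_iso|end_iso|bytes_out."""
    src, dst, port, start, end, bytes_out = line.strip().split("|")
    return FlowRecord(src, dst, int(port),
                      datetime.fromisoformat(start),
                      datetime.fromisoformat(end),
                      int(bytes_out))


def is_relay_flow(rec: FlowRecord) -> bool:
    """True when the destination is an allow-listed relay on a relay port."""
    return (rec.dst_host.endswith(ALLOWLISTED_RELAY_SUFFIXES)
            and rec.dst_port in RELAY_PORTS)


def suspicious_relay_flows(lines):
    """Return (src_host, dst_host, reasons) for relay flows that look like tunnels.

    Only flows to allow-listed relays are considered: that is exactly the
    traffic a firewall passes without question, so it is where the check has
    to live. Everything else is left to the usual controls.
    """
    findings = []
    for line in lines:
        rec = parse_flow_line(line)
        if not is_relay_flow(rec):
            continue
        reasons = []
        duration = rec.end - rec.start
        if duration > MAX_MEETING_DURATION:
            reasons.append(f"session lasted {duration}, longer than any meeting")
        if rec.bytes_out > MAX_UPLOAD_BYTES:
            reasons.append(f"{rec.bytes_out} bytes outbound, more than a call sends")
        if reasons:
            findings.append((rec.src_host, rec.dst_host, reasons))
    return findings


# Constructed sample records: one ordinary 45-minute call, one session that
# stays up for a day and a half, one short session that uploads 3 GiB, and one
# unrelated HTTPS flow that the relay check must ignore.
SAMPLE_FLOWS = [
    "ws-017|eu1.relay.conferencing-vendor-a.example|443|2024-05-06T10:00:00|2024-05-06T10:45:00|83886080",
    "ws-042|eu1.relay.conferencing-vendor-a.example|3478|2024-05-06T09:00:00|2024-05-07T15:30:00|209715200",
    "ws-088|us2.turn.conferencing-vendor-b.example|5349|2024-05-06T09:00:00|2024-05-06T09:40:00|3221225472",
    "ws-017|files.internal.example|443|2024-05-06T11:00:00|2024-05-06T11:05:00|1048576",
]

if __name__ == "__main__":
    for src, dst, reasons in suspicious_relay_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```

Run on the constructed records, the script reports ws-042 (session far beyond meeting length) and ws-088 (outbound volume far beyond a call) and stays silent on the ordinary call and the non-relay flow. Because the relay tunnels in the research ride on credentials that expire after two or three days, the duration threshold is the more reliable of the two signals; the volume threshold catches a short but heavy exfiltration burst. Both thresholds should be tuned against the organisation's own baseline rather than taken from this example.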