#SecTorCa: How One Malicious Message Could Exploit an Enterprise

Following the global shift to remote working that began in March of this year due to the COVID-19 pandemic, Omer Tsarfati, cybersecurity researcher at CyberArk Labs, found himself using Microsoft Teams more than ever before.

Being a security researcher, Tsarfati wanted to make sure the software he was using was truly secure, which it was not. In fact, he and his team found a critical flaw that could have enabled an attacker to intercept messages across an enterprise and possibly even launch broader attacks. The flaw was patched by Microsoft in April with few concrete details; however, Tsarfati explained the full incident with new details in a session at the SecTor security conference.

Tsarfati explained that Microsoft Teams is a deeply integrated technology that connects with both Microsoft and non-Microsoft systems. The integration with different technologies involves the use of access credentials known as OAuth tokens that authenticate the user with the given technology.

What Tsarfati and his team were able to discover was that Microsoft was using an authentication configuration approach that created a source of vulnerability, such that one malicious message could enable an attacker to gain access to multiple applications and user information.

How the Exploit Works

Tsarfati explained that one way to trigger the exploit would be to send a victim an email with a malicious link, which would then drop a cookie on the user’s system. That cookie could then read improperly configured information in Microsoft Teams to gain access to connected systems, including Outlook and SharePoint.

He noted that organizations train employees not to click on links, as phishing is a known risk, so instead his team came up with a non-invasive approach to get the malicious cookie onto a victim’s system. That’s part of what was disclosed in April: a malicious GIF image that could be used to exploit Microsoft Teams.

Tsarfati explained that simply by visiting a page in a web browser that has a malicious GIF image embedded in it, an attacker could pass the bad cookies to an endpoint and gain unauthorized access to other services. Adding further insult to injury, he noted that an attacker could also then further weaponize the vulnerability by spreading it to other users and across an organization’s network.

While Microsoft has patched the issue, Tsarfati was asked if other collaboration tools beyond Teams might have similar risks. He said that it is very likely, if researchers take the time to look.

While Microsoft has patched the issue, Tsarfati advised that users remain vigilant. When sharing any private information, he recommended not sharing it in the open in an email or in a document. According to Tsarfati, any sensitive and confidential data should always be encrypted to help prevent unauthorized access and limit risk.