- Experts say that Microsoft Teams and Zoom are perfect for hiding Ghost Calls attacks
- Attackers can obtain temporary TURN credentials and create a tunnel
- Vendors need to implement protective measures because there are no vulnerabilities in sight
Researchers from Praetorian have shed light on Ghost Calls, a command-and-control evasion technique that sends attacker traffic through the legitimate Traversal Using Relays around NAT (TURN) servers used by Zoom and Microsoft Teams to avoid detection.
The attack works by hijacking the temporary credentials that conferencing clients receive when joining a meeting, and then establishing a tunnel between the compromised host and the attacker's machine.
Since all traffic is routed through trusted Zoom/Teams IPs and domains, which are typically whitelisted within companies, these types of hijacking attacks can fly under the radar.
Teams and Zoom susceptible to attacks
Praetorian explained that because the attack uses infrastructure already allowed through corporate firewalls, proxies and TLS inspection, Ghost Calls can easily evade traditional defenses.
Blending the traffic with normal, low-latency video meeting traffic patterns also helps cyber criminals, who can avoid exposing attacker-controlled domains and servers.
Praetorian explains in the first of its two blog posts that video conferencing platforms “are designed to work, even in environments with relatively strict exit controls,” so an attacker who can break into these systems could have a greater chance of exfiltrating data.
“In addition, this traffic is often end-to-end encrypted using AES or other strong encryption. This means that the traffic is naturally highly veiled and impossible to analyze in depth, making it a perfect place to hide as an attacker,” the researchers added.
TURN credentials typically expire after two to three days, so tunnels are short-lived. Alarmingly, though, Praetorian explains that there is not necessarily a vulnerability for vendors to patch, adding that they should instead focus on introducing additional protective measures to prevent Ghost Calls attacks.



