In relation to the news story that Microsoft Teams has fixed a cyber-attack flaw exploited through "funny GIFs", please find below comments from experts.
How can organisations best deal with this sort of threat?
Mass remote working presents a whole new world of security challenges. So, it should come as no surprise that the number of potentially compromised organizations has more than doubled since January and now Teams has been hacked.
We have seen breaches, hacks, and exploits related to a lot of popular remote work platforms in the last few weeks as well as new attacks on home routers. These vulnerabilities have always been there, but now that commerce is shifting to a remote model we are seeing criminals shifting their focus too.
A big part of the problem is that the new remote workforce we are seeing is often poorly informed about the new security requirements needed, as they haven’t had time for training. For example, we have seen workers rushing to use the videoconferencing tool Zoom, but they are doing so without setting passwords. In a typical office network, you wouldn’t need to use an additional password for teleconferencing; but this is a simple precaution that more seasoned traveling businesspeople would know.
The current, challenging situation in which we find ourselves should give organizations a new perspective on their security posture, particularly in rediscovering the strange network perimeter situation that is so common today. With internal access requirements competing to arbitrate access across multiple cloud providers, the heterogeneous business environment of today presents huge challenges when securing a remote organization.
What are the defences? How can attacks be mitigated?
The key message here, though, should be to aim for safe, steady progress on security matters rather than knee-jerk reactions to short-term problems. Remote working policies should be reviewed and cross-checked for any security or privacy compliance risks as user numbers scale up. Monitoring and detection will need to be improved accordingly. There will be pressure on IT teams to get more users better, faster and more secure access into their systems remotely, but this should not come at the expense of security and cyber resilience as a whole.
Focusing on staff training and on the core principles of cyber hygiene, including comprehensive patch management and backups for remote devices, is critical, along with fully cloud-managed endpoint security that does not rely on a VPN or on signature updates. Additionally, policy enforcement via DNS can add another crucial layer of defence to protect remote workers should they fall victim to social engineering.
We have all undergone a seismic shift in remote working, and no matter how much we may have previously embraced this as a normal way of doing business, companies will now be uncovering flaws in their processes, niggles impacting productivity, and, unfortunately, user-led workarounds. But aside from practical considerations, in my view, there is one key learning, and one suggested action which security and business leaders need to be aware of over the next few weeks.
Leaders need to understand people’s instinctive behavior, which is to take the path of least resistance. Much like Shadow IT, but now on a far greater scale, when employees are now trying to communicate with their teams they are not necessarily going to be thinking about security first. They will simply consider what’s right in front of them now, and the quickest way to get the job done. This means that “consumer” communication tools such as Facebook Messenger, WhatsApp or FaceTime, which may previously have been used informally among teams as a chat channel, could end up being used more regularly and for business purposes. Another example: your organization may have a sanctioned file-sharing tool or site, with security built-in. However, if you discover that Skype or Zoom also has a file-sharing feature, and you can share that file right now with your colleague during the meeting… unsanctioned file sharing is going to take place.
Leading on from this is the action which security and business leaders should take. They must decide which platforms are sanctioned for which types of communication and data sharing, and communicate these decisions to the workforce. They should assess which security and privacy settings are critical, and will minimise risks to the business. These settings should be adjusted sooner rather than later as it is very hard for people to unlearn bad habits. If business leaders can stop those habits being formed in the first place, so much the better.
With so many of us working remotely and connecting with family, colleagues and friends online, platforms like Microsoft Teams have seen a dramatic increase in use as countries around the world are kept in lockdown. Today's news that a security flaw in Teams has been allowing attackers to access individuals' personal data through the use of corrupt GIFs is particularly worrying, given that workforces will be using memes and images to keep morale up and continue office banter during this difficult time.
As opportunistic cybercriminals continue to use COVID-19 lockdowns to steal personal data, protecting devices with a reputable internet security product and ensuring the latest updates to operating systems and apps are applied as soon as they become available is vital.
For the general public, this specific vulnerability has been mitigated by Microsoft, but the research shows just how careful we need to be when working with any content. In this case, had no patch been applied, simply viewing a malicious image would be the culprit. This then becomes another example where opening unexpected content could have serious repercussions and why in this time of remote work, everyone should review their IT security training.
For developers, this vulnerability disclosure is far more interesting. It highlights the reality that there is never a single weakness behind any attack and that complex systems can provide opportunities for attack. In this case, a successful attack would have required impersonating a Microsoft Teams sub-domain using a technique known as "subdomain takeover". The next phase of the attack would be to exploit the behaviour of the Microsoft Teams API authentication system, followed by hosting a specially crafted GIF image on the compromised sub-domain. Triggering the attack then requires the attacker to convince their victim to open Teams and view the specially crafted GIF, at which point the attacker has their victim's access tokens and can impersonate them. This impersonation would include any access the victim would have, including reading past messages or harvesting other accounts by sending the malicious GIF to other users. Protecting against this type of attack requires API developers to think like attackers and ensure they fully understand the scope of any access their API tokens provide, while also building a comprehensive threat model covering misuse of their APIs.
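As an added, defender-side illustration of the first link in the chain described above, and not code from the article, the commenting experts or Microsoft: a small audit that walks a DNS zone export and flags CNAME records whose targets no longer resolve. A record that still points at a deprovisioned hosting name is the dangling condition a subdomain takeover depends on, and it is the thing a zone owner can find and remove before anyone else notices it. The zone entries, the answer table and every host name below are constructed for the example (the `.test` TLD is reserved and never resolves publicly); `live_resolver` is included so the same check can be pointed at a real zone export.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: each entry is (owner name, CNAME target).
# All names are hypothetical examples, not records from any real organisation.
SAMPLE_ZONE: List[Tuple[str, str]] = [
    ("app.example.test", "app-prod.cloudhost.test"),
    ("old-demo.example.test", "demo-retired.cloudhost.test"),
    ("www.example.test", "www-example.cdn.test"),
    ("staging.example.test", "staging-legacy.cloudhost.test"),
]

# Constructed resolver view: targets that still resolve, and to what.
# Any target missing from this table answers "does not resolve" in the stub below.
SAMPLE_ANSWERS: Dict[str, str] = {
    "app-prod.cloudhost.test": "192.0.2.10",
    "www-example.cdn.test": "192.0.2.20",
}

# A resolver maps a host name to an address, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def stub_resolver(name: str) -> Optional[str]:
    """Offline resolver backed by the constructed answer table above."""
    return SAMPLE_ANSWERS.get(name)


def live_resolver(name: str) -> Optional[str]:
    """Real resolver via the system stub resolver; None on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(zone: List[Tuple[str, str]], resolve: Resolver) -> List[Tuple[str, str]]:
    """Return the (owner, target) pairs whose CNAME target no longer resolves.

    The owner name stays under the organisation's domain, so whoever can register
    the abandoned target controls what that owner name serves. Each hit should
    become a ticket to delete the record or re-claim the target, not just a line
    in a report.
    """
    return [(owner, target) for owner, target in zone if resolve(target) is None]


def format_report(dangling: List[Tuple[str, str]]) -> str:
    """Human-readable summary of the audit result."""
    if not dangling:
        return "No dangling CNAME records found."
    lines = [f"{len(dangling)} dangling CNAME record(s):"]
    for owner, target in dangling:
        lines.append(f"  {owner} -> {target} (target does not resolve)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap stub_resolver for live_resolver to audit a real zone export.
    print(format_report(find_dangling_cnames(SAMPLE_ZONE, stub_resolver)))
```

The check deliberately treats "target does not resolve" as the only signal, because that is the condition visible from the zone alone; confirming whether a given target can actually be re-registered on a particular hosting provider is provider-specific and belongs in the follow-up ticket, not in the audit loop. Running it on a schedule against the authoritative zone, rather than once, is what catches records that go stale after a service is decommissioned.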
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.