MS Teams updater abused with LOL attack

Usage of the Microsoft Teams collaboration service has spiked considerably, with millions joining it during the COVID-19 pandemic. Fortunately, researchers identified a resurfaced flaw in the Microsoft Teams Updater before attackers could.

A flaw was discovered in MS Teams Updater by reverse engineers Reegun Richard and Charles Hamilton in July 2019. By exploiting it, a malicious actor could use the MS Teams Updater to download any binary or payload they wished.

In August 2020, experts found that the flaw is part of a vulnerability that had been fixed earlier, and that the changes the vendor made previously could be bypassed.

An attacker could exploit the flaw by pointing to a remote SMB share. To do that, the attacker first needs to move the file into open shared folders inside the targeted network, and the payload on that share must be accessible from the victim machine.

Another, faster way is to set up a Samba server. The attacker could then download a remote payload and execute it directly from the Microsoft Teams Updater, “Update.exe”.

Patching history

Previous efforts from Microsoft could not stop attackers from abusing Teams to download and run their payloads.
The previously provided patch for Teams was aimed at restricting its ability to update via a URL, which was the main factor leading to the exploitation. But a workaround was identified to bypass this restriction.
Due to this partially patched flaw, the Microsoft Teams Update.exe binary would act as a LOLBin (Living-off-the-Land binary) to retrieve and execute malware from a remote location.

Precautions

When installing the Microsoft Teams “update.exe”, users should validate the size and hash of the downloaded installer before executing it. All outgoing SMB connections, particularly those originating from the Microsoft Teams updater, should be thoroughly monitored and assessed.
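
One way to implement the SMB monitoring described above, as an added example that is not part of the original article. It assumes network telemetry with Sysmon Event ID 3 field names (`Image`, `DestinationIp`, `DestinationPort`); the sample events, the per-user install path and the internal address ranges are constructed assumptions.

```python
import ipaddress
import ntpath

SMB_PORTS = {139, 445}
# Assumption: RFC 1918 ranges stand in for "internal"; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEAMS = r"C:\Users\{}\AppData\Local\Microsoft\Teams\{}"  # assumed per-user install path

# Constructed sample records using Sysmon Event ID 3 (network connection) field names.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": TEAMS.format("alice", "Update.exe"),
     "DestinationIp": "203.0.113.45", "DestinationPort": 445},
    {"EventID": 3, "Image": TEAMS.format("alice", "Update.exe"),
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 3, "Image": TEAMS.format("bob", "update.exe"),
     "DestinationIp": "10.0.4.20", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.0.4.20", "DestinationPort": 445},
    {"EventID": 1, "Image": TEAMS.format("alice", "Update.exe")},
]

def is_teams_updater(image_path):
    """True when the process image is Update.exe inside a Microsoft\\Teams folder."""
    path = image_path.lower()
    return ntpath.basename(path) == "update.exe" and "\\microsoft\\teams\\" in path

def classify(event):
    """Return None, or an alert dict for SMB traffic from the Teams updater."""
    if event.get("EventID") != 3 or not is_teams_updater(event.get("Image", "")):
        return None
    if int(event.get("DestinationPort", 0)) not in SMB_PORTS:
        return None
    dest = ipaddress.ip_address(event["DestinationIp"])
    # SMB leaving the internal ranges is the stronger signal; internal SMB still gets reviewed.
    severity = "review" if any(dest in net for net in INTERNAL_NETS) else "high"
    return {"image": event["Image"], "dest": str(dest), "severity": severity}

def find_updater_smb(events):
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in find_updater_smb(SAMPLE_EVENTS):
        print(alert)
```

HTTPS traffic from the updater and SMB traffic from other processes are deliberately not flagged here, so the rule isolates the one pairing the article calls out.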
