Organizations and security teams work to protect themselves from any vulnerability, and often don’t realize that risk is also brought on by configurations in their SaaS apps that have not been hardened. The newly published GIFShell attack method, which occurs through Microsoft Teams, is a perfect example of how threat actors can exploit legitimate features and configurations that haven’t been correctly set. This article takes a look at what the method entails and the steps needed to combat it.
Discovered by Bobby Rauch, the GIFShell attack technique enables bad actors to exploit several Microsoft Teams features to act as a C&C for malware, and exfiltrate data using GIFs without being detected by EDR and other network monitoring tools. This attack method requires a device or user that is already compromised.
Learn how an SSPM can assess, monitor and remediate SaaS misconfigurations and Device-to-SaaS user risk.
The main component of this attack allows an attacker to create a reverse shell that delivers malicious commands via base64 encoded GIFs in Teams, and exfiltrates the output through GIFs retrieved by Microsoft’s own infrastructure.
As reported by Lawrence Abrams in BleepingComputer, Microsoft agrees that this attack method is a problem, however, it “does not meet the bar for an urgent security fix.” They “may take action in a future release to help mitigate this technique.” Microsoft is acknowledging this research but asserting that no security boundaries have been bypassed.
While Rauch claims that indeed “two additional vulnerabilities discovered in Microsoft Teams, a lack of permission enforcement and attachment spoofing”, Microsoft argues, “For this case… these all are post exploitation and rely on a target already being compromised.” Microsoft is asserting that this technique is using legitimate features from the Teams platform and not something they can mitigate currently.
In accordance with Microsoft’s assertions, indeed this is the challenge many organizations face — there are configurations and features that threat actors can exploit if not hardened. A few changes to your tenant’s configurations can prevent these inbound attacks from unknown Teams tenants.
There are security configurations within Microsoft that, if hardened, can help to prevent this type of attack.
1 — Disable External Access: Microsoft Teams, by default, allows for all external senders to send messages to users within that tenant. Many organization admins likely are not even aware that their organization allows for External Teams collaboration. You can harden these configurations:
2 — Gain Device Inventory Insight: You can ensure your entire organization’s devices are fully compliant and secure by using your XDR / EDR / Vulnerability Management solution, like Crowdstrike or Tenable. Endpoint security tools are your first line of defense against suspicious activity such as accessing the device’s local teams log folder which is used for data exfiltration in GIFShell.
You can even go a step further and integrate an SSPM (SaaS Security Posture Management) solution, like Adaptive Shield, with your endpoint security tools to gain visibility and context to easily see and manage the risks that stem from these types of configurations, your SaaS users, and their associated devices.
There are two methods to combat misconfigurations and harden security settings: manual detection and remediation or an automated SaaS Security Posture Management (SSPM) solution. With the multitudes of configurations, users, devices, and new threats, the manual method is an unsustainable drain on resources, leaving security teams overwhelmed. However, an SSPM solution, such as Adaptive Shield, enables security teams to gain complete control over their SaaS apps and configurations. The right SSPM automates and streamlines the process of monitoring, detection and remediation for SaaS misconfigurations, SaaS-to-SaaS access, SaaS related IAM, and Device-to-SaaS user risk in compliance with both industry and company standards.
In cases such as the GifShell attack method, Adaptive Shield’s misconfiguration management features enables security teams to continuously assess, monitor, identify and alert for when there is a misconfiguration (see figure 1). Then they can quickly remediate through the system or use a ticketing system of choice to send the pertinent details for fast remediation.
Similarly, Adaptive Shield’s Device Inventory feature (seen in figure 2) can monitor devices being used company-wide and flag any Device-to-SaaS risk while correlating that information with the user roles and permissions and the SaaS apps in use. This enables security teams to gain a holistic view of user-device posture to protect and secure high-risk devices that can serve as a critical threat in their SaaS environment.
Learn more about how the Adaptive Shield SSPM can protect your SaaS app ecosystem.
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.