An attack named GIFShell would allow hackers to use Microsoft Teams to steal user data. It exploits no fewer than seven vulnerabilities in the collaboration application, not only to steal personal data but also to execute commands. Nothing out of the ordinary so far.
It is the “bait” that makes this campaign dangerous: the malicious code hides in GIFs, the images people trade during the endless video calls held on Microsoft Teams, for example. The BleepingComputer site explains that the researchers managed to infiltrate Microsoft’s software infrastructure to run their campaign. That makes the illicit activity all the harder to detect, since the data exfiltration looks entirely normal to Microsoft’s server monitoring systems.
How GIFShell exploits GIFs to steal your data in Teams
Hackers figured out that Microsoft does not fully scan the Base64-encoded portion of GIFs. This is where the malicious code resides, cohabiting with the real GIF. Since messages and GIFs are stored in easily accessible files, all the attackers need to do is run the program embedded in the image file to redirect the victim’s shell input and output to a remote computer. Impersonating legitimate users in the eyes of Microsoft’s server security checks, modifying the files sent and the links Microsoft generates so that users download an executable from a remote server: the steps involved are many, and frankly not within reach of any random hacker.
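As an added illustration from the defender’s side (this is not code from the article or from the researchers), the following Python script walks a GIF block by block to find where the legitimate image data ends and flags any bytes appended after the trailer, checking whether they look like Base64 text. It assumes the hidden payload sits after the 0x3B trailer, the simplest place an image can carry extra data while still rendering normally; the minimal 1x1 GIF and the appended text are constructed for the example.

```python
import base64
import binascii
import re
import struct

# Base64 alphabet, allowing line breaks between chunks
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """GIF sub-blocks are length-prefixed; a zero-length block terminates them."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_payload_end(data: bytes) -> int:
    """Return the offset just past the GIF trailer (0x3B), where real image data ends."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Logical Screen Descriptor: width, height, packed flags, bg index, aspect ratio
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    pos = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos < len(data):
        marker = data[pos]
        if marker == 0x3B:  # trailer
            return pos + 1
        if marker == 0x21:  # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif marker == 0x2C:  # image descriptor (9 bytes after the marker)
            local_packed = data[pos + 9]
            pos += 10
            if local_packed & 0x80:  # local colour table
                pos += 3 * (2 ** ((local_packed & 0x07) + 1))
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError(f"unknown block 0x{marker:02x} at offset {pos}")
    raise ValueError("no trailer found")


def inspect_gif(data: bytes) -> dict:
    """Report bytes appended after the trailer and whether they decode as Base64."""
    end = gif_payload_end(data)
    trailing = data[end:]
    result = {"trailing_bytes": len(trailing), "looks_base64": False, "decoded_preview": b""}
    stripped = trailing.strip()
    if stripped and BASE64_RE.match(stripped):
        try:
            decoded = base64.b64decode(stripped, validate=False)
            result["looks_base64"] = True
            result["decoded_preview"] = decoded[:32]
        except binascii.Error:
            pass  # alphabet matched but padding is wrong: treat as not Base64
    return result


# Constructed 1x1 GIF: header, screen descriptor, 2-colour table,
# graphic control extension, image descriptor, LZW data, trailer.
CLEAN_GIF = (
    b"GIF89a"
    b"\x01\x00\x01\x00\x80\x00\x00"
    b"\x00\x00\x00\xff\xff\xff"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00"
    b"\x3b"
)

# Constructed sample: harmless text appended after the trailer, Base64-encoded
SAMPLE_TEXT = b"CONSTRUCTED-SAMPLE: text appended after the GIF trailer"
SUSPICIOUS_GIF = CLEAN_GIF + base64.b64encode(SAMPLE_TEXT)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("suspicious", SUSPICIOUS_GIF)):
        print(name, inspect_gif(blob))
```

Both files still render as a 1x1 image, because viewers stop at the trailer; only the structural walk reveals the extra bytes. A real scanner would add the same check to other positions an image can hide data (comment and application extension blocks), but the point of the example is that “is it a valid GIF?” is not the same question as “does it contain only a GIF?”.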
This may be why, three months after the discovery of the various security vulnerabilities exploited by GIFShell, Microsoft has still not acted to close them. In its response to the researchers, without denying the problem, the company above all appeals to the individual responsibility of Microsoft Teams users: “we recommend that users adopt good online habits, in particular to exercise caution when clicking links to web pages, opening unknown files or accepting file transfers”.