Ghost Calls: How Cybercriminals Exploit Zoom and Microsoft Teams for Covert C2 Operations
Discover how the 'Ghost Calls' tactic abuses conferencing apps like Zoom and Microsoft Teams to evade detection and conduct covert command-and-control operations.
TL;DR
- The ‘Ghost Calls’ technique exploits TURN servers in conferencing apps like Zoom and Microsoft Teams to evade detection and conduct covert command-and-control (C2) operations.
- This method allows attackers to tunnel malicious traffic through trusted infrastructure, making it difficult for security systems to detect and block the activity.
Introduction
Cybercriminals are constantly evolving their tactics to evade detection and maintain persistence within compromised networks. A recent and sophisticated post-exploitation technique, dubbed ‘Ghost Calls,’ has emerged, leveraging the infrastructure of popular conferencing applications such as Zoom and Microsoft Teams. This method exploits TURN (Traversal Using Relays around NAT) servers to tunnel malicious traffic through trusted channels, making it challenging for security systems to identify and mitigate the threat.
Understanding the ‘Ghost Calls’ Technique
Exploitation of TURN Servers
TURN servers are essential components in conferencing applications: they relay audio, video and data between peers that cannot connect directly because of NAT (Network Address Translation) restrictions. Because every conferencing client is expected to talk to these relays, an attacker who routes C2 communications through them can make that traffic look like a legitimate call. This lets cybercriminals bypass traditional security measures that would otherwise flag or block connections to unknown or suspicious destinations.
The Process of ‘Ghost Calls’
- Initial Compromise: The attacker first gains access to a target system through traditional means such as phishing, exploiting vulnerabilities, or using stolen credentials.
- Establishing C2 Communication: Once inside the network, the attacker deploys malware that initiates communication with the C2 server. This communication is routed through the TURN servers used by conferencing apps.
- Tunneling Traffic: The malicious traffic is encapsulated within what appears to be legitimate conferencing data, making it difficult for intrusion detection systems (IDS) and other security measures to identify the malicious activity.
- Maintaining Persistence: By leveraging trusted infrastructure, the attacker can maintain a persistent presence within the network, continuously exfiltrating data or executing further malicious activities without detection.
Implications of ‘Ghost Calls’
Challenges for Security Systems
The ‘Ghost Calls’ technique presents significant challenges for traditional security systems. Since the malicious traffic is tunneled through trusted infrastructure, it can evade detection by firewalls, IDS, and other security measures that rely on identifying suspicious patterns or known malicious IPs.
Increased Risk for Organizations
Organizations that heavily rely on conferencing applications for communication and collaboration are particularly at risk. The abuse of these trusted platforms can lead to prolonged undetected presence of attackers within the network, resulting in potential data breaches, intellectual property theft, and other severe consequences.
Mitigation Strategies
Enhanced Monitoring and Detection
To combat the ‘Ghost Calls’ technique, organizations should implement enhanced monitoring and detection strategies. This includes:
- Behavioral Analysis: Utilizing advanced behavioral analysis tools to detect anomalies in traffic patterns, even when the traffic itself looks legitimate (for example, conferencing relay traffic that does not behave like a real call).
- Network Segmentation: Segmenting the network to limit the lateral movement of attackers, reducing the potential impact of a breach.
- Regular Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential entry points for attackers.
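As an added, defender-side illustration of the behavioral analysis point above (this is example code, not code from the article or from BleepingComputer), the script below parses STUN/TURN message headers using the RFC 5389/5766 wire layout and flags relay sessions that a conferencing client would not normally produce: a TURN Allocate request issued by a process outside an allowlist, or relayed volume above a threshold. The process allowlist, the byte threshold, the host and process names, the IP addresses and the sample packets are all constructed assumptions, not data from the article.

```python
"""Added example (not from the original article): a small detector that
parses STUN/TURN message headers (RFC 5389 / RFC 5766 layout) and flags
TURN relay sessions that do not look like normal conferencing-client use.
Process names, thresholds and sample records are constructed assumptions."""
import struct
from collections import defaultdict

STUN_MAGIC = 0x2112A442
# STUN/TURN method numbers (RFC 5389, RFC 5766).
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x006: "Send", 0x007: "Data", 0x008: "CreatePermission",
           0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}

# Assumed allowlist of processes expected to talk to conferencing TURN relays.
CONFERENCING_CLIENTS = {"zoom.exe", "teams.exe", "ms-teams.exe"}
MAX_RELAY_BYTES_PER_SESSION = 50_000_000  # assumed tuning knob, bytes


def parse_stun(pkt: bytes):
    """Classify one datagram/frame.

    Returns (method, class, length, txid) for a STUN/TURN message,
    ("ChannelData", channel, length) for a TURN ChannelData frame,
    or None if the bytes are neither. Attributes are not decoded; the
    message length is used only as a byte count."""
    if len(pkt) < 4:
        return None
    top_bits = pkt[0] >> 6
    if top_bits == 0b01:  # TURN ChannelData: channel numbers 0x4000-0x7FFF
        chan, length = struct.unpack("!HH", pkt[:4])
        return ("ChannelData", chan, length)
    if top_bits != 0b00 or len(pkt) < 20:
        return None
    mtype, mlen, magic = struct.unpack("!HHI", pkt[:8])
    if magic != STUN_MAGIC:
        return None
    # Method (12 bits) and class (2 bits) are interleaved in the message type.
    method = ((mtype & 0x3E00) >> 2) | ((mtype & 0x00E0) >> 1) | (mtype & 0x000F)
    klass = ((mtype & 0x0100) >> 7) | ((mtype & 0x0010) >> 4)
    return (METHODS.get(method, hex(method)), CLASSES[klass], mlen, pkt[8:20])


def stun_message(method: int, klass: int, body: bytes = b"") -> bytes:
    """Build a STUN message header plus opaque body; used only to construct
    sample traffic here (transaction ID is zeroed)."""
    mtype = ((method & 0xF80) << 2) | ((method & 0x070) << 1) | (method & 0x00F)
    mtype |= ((klass & 0x2) << 7) | ((klass & 0x1) << 4)
    return struct.pack("!HHI", mtype, len(body), STUN_MAGIC) + b"\x00" * 12 + body


def channel_data(chan: int, payload: bytes) -> bytes:
    """Build a TURN ChannelData frame; sample-traffic helper only."""
    return struct.pack("!HH", chan, len(payload)) + payload


def analyze(records, max_relay_bytes=MAX_RELAY_BYTES_PER_SESSION):
    """records: iterable of (host, process, dst_ip, payload_bytes).

    Returns (sessions, findings). A session is keyed by (host, process, dst)
    and only counts as a TURN relay session once an Allocate request is seen;
    Send indications and ChannelData frames add to the relayed byte count."""
    sessions = defaultdict(lambda: {"allocates": 0, "relay_bytes": 0, "msgs": 0})
    for host, proc, dst, payload in records:
        parsed = parse_stun(payload)
        if parsed is None:
            continue
        s = sessions[(host, proc, dst)]
        s["msgs"] += 1
        if parsed[0] == "ChannelData":
            s["relay_bytes"] += parsed[2]
        elif parsed[0] == "Allocate" and parsed[1] == "request":
            s["allocates"] += 1
        elif parsed[0] == "Send" and parsed[1] == "indication":
            s["relay_bytes"] += parsed[2]

    findings = []
    for (host, proc, dst), s in sessions.items():
        if s["allocates"] == 0:
            continue  # STUN seen, but no relay allocation: not a TURN session
        if proc.lower() not in CONFERENCING_CLIENTS:
            findings.append((host, proc, dst, "TURN allocation from non-conferencing process"))
        if s["relay_bytes"] > max_relay_bytes:
            findings.append((host, proc, dst, "relayed volume exceeds threshold"))
    return sessions, findings


# Constructed sample telemetry (hosts, processes and 203.0.113.0/24 addresses are
# documentation values, not observations from the article).
SAMPLE_RECORDS = [
    ("ws01", "Teams.exe", "203.0.113.10", stun_message(0x003, 0)),                  # normal call
    ("ws01", "Teams.exe", "203.0.113.10", channel_data(0x4000, b"\x00" * 1200)),
    ("ws02", "updater_helper.exe", "203.0.113.10", stun_message(0x003, 0)),        # unexpected process
    ("ws02", "updater_helper.exe", "203.0.113.10", stun_message(0x006, 1, b"\x00" * 900)),
    ("ws02", "updater_helper.exe", "203.0.113.10", channel_data(0x4001, b"\x00" * 1400)),
    ("ws03", "chrome.exe", "198.51.100.5", b"\xAB\xCD\x01\x00"),                   # not STUN at all
]

if __name__ == "__main__":
    _, hits = analyze(SAMPLE_RECORDS)
    for hit in hits:
        print("ALERT", hit)
```

The Allocate request is the useful signal here because a TURN relay session cannot start without one, whereas plain STUN Binding requests are common and benign. In practice the records would come from endpoint network telemetry or packet capture; where the relay is reached over TLS on port 443 the header is not visible on the wire, so the process-to-destination correlation from endpoint telemetry carries most of the weight.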
Employee Training and Awareness
Educating employees about the risks and signs of advanced cyber threats is crucial. Regular training sessions and awareness programs can help staff recognize and report suspicious activities, enhancing the overall security posture of the organization.
Conclusion
The ‘Ghost Calls’ technique represents a sophisticated and evolving threat in the cybersecurity landscape. By exploiting trusted infrastructure such as TURN servers in conferencing applications, attackers can conduct covert C2 operations with a reduced risk of detection. Organizations must stay vigilant, adopting advanced detection methods and comprehensive security strategies to mitigate the risks posed by such tactics. As cybercriminals continue to innovate, the cybersecurity community must remain proactive in developing and implementing robust defense mechanisms.
Additional Resources
For further insights and detailed analysis, refer to the original article on BleepingComputer: New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations.
Stay informed and proactive in your cybersecurity measures to protect against emerging threats like ‘Ghost Calls.’