Microsoft Teams and Zoom can be hijacked to give hackers the keys to your kingdom

The attack works by hijacking the temporary TURN credentials that conferencing calls receive when they join a meeting, and then establishing a tunnel between the compromised host and the attacker's machine.

Because all the traffic is routed through trusted Zoom/Teams IPs and domains, which are typically whitelisted inside enterprises, these types of hijacking attacks can fly under the radar.

Teams and Zoom susceptible to attacks

Praetorian explained that because the attack leverages infrastructure already allowed through corporate firewall,s proxies and TLS inspection, Ghost Calls can easily evade traditional defenses.

Blending traffic with normal, low-latency video meeting traffic patterns also helps the cybercriminals, who can eliminate the exposure of attacker-controlled domains and servers

Praetorian explains in the first of its two blog posts that video conferencing platforms "are designed to function even in environments with relatively strict egress controls," so if an attacker can crack into these systems, they could have a higher chance of data exfiltration.

"Additionally, this traffic is often end-to-end encrypted using AES or other strong encryption. This means the traffic is naturally heavily obfuscated and impossible to analyze in depth which makes it a perfect place to hide as an attacker," the researchers added.

TURN credentials typically expire after two to three days, so tunnels are short-lived, but alarmingly, Praetorian explains that there isn't necessarily a vulnerability for vendors to patch, adding that they must instead focus on introducing further safeguards to prevent against Ghost Call attacks.

You might also like

• We've listed the best firewalls
• Check out the best VPNs and best business VPNs
• Good news - humans are getting better at spotting malware...but we're still pretty bad at it