GIFShell: Microsoft Teams is one of the most widely used tools for communication between individuals and teams inside companies and other organizations. Given how broadly it is deployed, many reports over the years show that Teams has been a focus of attention for attackers. If an attacker could gain access to one of the main communication channels between coworkers, they could obtain a great deal of sensitive information and potentially reach the victim organization’s entire domain. Unfortunately, a significant weakness has now been reported in Microsoft Teams that could let attackers steal data by running a reverse shell with the help of GIFs shared in chats inside the platform.
This new attack method, named GIFShell, lets threat actors abuse the Microsoft Teams weakness by delivering a reverse shell through GIFs in a way that can go undetected. The attack falls under the category of phishing, since it deceives the user into accepting malicious content delivered through GIFs, putting sensitive data at risk of being stolen, exfiltrated, or manipulated.
The attack chain was discovered by cybersecurity consultant and pentester Bobby Rauch, who found several flaws in Microsoft Teams that can be chained together for command execution, data exfiltration, security control bypasses, and phishing. The main component, ‘GIFShell,’ lets an attacker create a reverse shell that sends commands via base64-encoded GIFs posted in Teams and exfiltrates the command output through GIFs that are retrieved by Microsoft’s own infrastructure. To establish this reverse shell, the attacker must first trick a user into installing a malicious payload that executes the commands and uploads their output, embedded in a GIF URL, to a Microsoft Teams webhook. Because Microsoft Teams messages are saved in logs on the endpoint that any Windows user on that machine can read, the malware can easily scan those logs and retrieve the hidden commands.
The tricky part is that this type of attack can bypass Microsoft’s security controls and go undetected, because the data exfiltration passes through Microsoft’s own servers and the traffic is therefore harder to spot. It is also worth noting that Teams does not scan the byte content of GIFs exchanged between endpoints, which allows a malicious stager to be delivered in the form of a GIF, run on the victim’s device, and exfiltrate sensitive data from it.
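Because Teams does not inspect the bytes of a GIF, a defender can do so. The following is an added example, not code from the article or from Rauch’s research, that walks the GIF block structure of a file and flags any bytes that follow the GIF trailer, then checks whether that tail is a base64 run. It assumes the hidden content is appended after the trailer; the article does not specify the exact encoding, so the sample GIF and appended text are constructed here.

```python
import base64
import binascii
import re

# Constructed sample: a minimal, valid 1x1 GIF89a (global color table, one image block).
MINIMAL_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # header, screen 1x1, 2-color GCT
    + b"\x00\x00\x00\xff\xff\xff"                       # global color table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"               # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"       # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00" + b"\x3b"                 # LZW data sub-block, trailer
)
# Constructed tampered sample: base64 text appended after the trailer (assumed layout).
TAMPERED_GIF = MINIMAL_GIF + base64.b64encode(b"constructed-sample-command")

def gif_payload_after_trailer(data: bytes) -> bytes:
    """Walk GIF blocks to the 0x3B trailer and return whatever follows it."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, packed = 13, data[10]
    if packed & 0x80:                       # skip global color table if present
        pos += 3 * (2 << (packed & 7))
    while pos < len(data):
        block = data[pos]; pos += 1
        if block == 0x3B:                   # trailer: anything after it is foreign
            return data[pos:]
        if block == 0x2C:                   # image descriptor (+ optional local table)
            ipacked = data[pos + 8]; pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 7))
            pos += 1                        # LZW minimum code size
        elif block == 0x21:                 # extension: one label byte
            pos += 1
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos - 1}")
        while True:                         # data sub-blocks until a zero-length block
            n = data[pos]; pos += 1
            if n == 0: break
            pos += n
    raise ValueError("truncated GIF: no trailer found")

B64_RUN = re.compile(rb"^[A-Za-z0-9+/]{16,}={0,2}$")

def inspect_gif(data: bytes) -> dict:
    """Report trailing bytes and, if they form a base64 run, the decoded content."""
    tail = gif_payload_after_trailer(data).strip()
    decoded = None
    if B64_RUN.match(tail):
        try:
            decoded = base64.b64decode(tail, validate=True)
        except binascii.Error:
            decoded = None
    return {"trailing_bytes": len(tail), "looks_base64": decoded is not None, "decoded": decoded}
```

Running the inspector over a GIF cache or message log directory gives a cheap triage signal; a clean file reports zero trailing bytes.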
This new form of attack has already impacted several individuals and organizations that use Teams as their primary method of communication. The issue was brought to Microsoft’s attention, but it remains unpatched. In its official response to BleepingComputer, Microsoft stated that the issue did not meet the bar for an urgent fix.
“We’ve assessed the techniques reported by this researcher and have determined that the two mentioned do not meet the bar for an urgent security fix. We’re constantly looking at new ways to resist phishing better to help ensure customer security and may take action in a future release to help mitigate this technique.”
“This type of phishing is important to be aware of, and as always, we recommend that users practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers.”
Microsoft has nonetheless left the door open to resolving these issues, telling BleepingComputer that they may be serviced in future versions. Until then, users need to stay alert about the GIFs they receive.