
Monday, 27 April 2020

Vulnerability allowed hijacking of Microsoft Teams account with a GIF


The Zoom video conferencing tool has been facing security and vulnerability issues since the beginning of the Coronavirus pandemic, but this time Microsoft’s very own Microsoft Teams service was exposed to an account takeover vulnerability.
Microsoft Teams is a workplace collaboration and communication platform that allows organizations to communicate via video conferencing, store files, initiate chat, and integrate applications simultaneously. It has emerged as a very useful and productive medium of communication in recent times, specifically nowadays when the world is held hostage to the COVID-19 pandemic.
However, this very aspect is in itself a great threat to organizational data safety as none of the applications currently available are free from security loopholes, and the same is the case with Microsoft Teams. 
Reportedly, CyberArk’s researchers identified a worm-like vulnerability in Microsoft Teams, which hackers could exploit to hijack an entire roster of MS Teams accounts at an organization by sending malicious URLs or GIF images to Teams users. 
The vulnerability is related to the way MS Teams processes authentication access tokens and passes them to resources containing images. If an attacker manages to get Teams to process an attacker-controlled GIF file or URL, Teams will send the authentication token to the attacker’s server while handling it. 
To successfully pull off the attack via links, the victim has to click on the link; in the case of a GIF image, the attack succeeds as soon as the user views the image in a Teams chat. Once the image is viewed or the URL clicked, the attacker receives the token. 
Using this token, an attacker can hijack the victim’s Teams account by exploiting its API interfaces, and can access the victim’s data on Teams, send messages, create and delete groups on the victim’s behalf, or modify a group’s permissions. 
The automated nature of this attack makes organizations particularly vulnerable, as the attacker can send malicious GIF files to other employees from a hijacked account, and may access sensitive data, login credentials, business strategies and plans, and meeting schedules. 
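The defensive lesson from the token leak described above is that a client must decide, before every outbound request, whether that destination is one it trusts with an authentication token. The following is an added example, not code from the original post or from CyberArk or Microsoft: a strict origin check for attaching a token, shown next to the naive substring check it replaces. The host names and the trusted list are constructed for illustration.

```python
"""
Added example, not code from the original post or from CyberArk or Microsoft:
a client-side guard deciding whether an authentication token may travel with an
outbound image/link request. The point illustrated by the Teams case is that a
token must only ever be sent to origins the application trusts, never to whatever
host an embedded image or link happens to point at. The host names and the trusted
list below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist of origins the client is permitted to authenticate to.
TRUSTED_HOSTS = {"api.example-chat.test", "cdn.example-chat.test"}
# Any proper subdomain of these is also trusted (constructed policy).
TRUSTED_PARENT_DOMAINS = {"example-chat.test"}


def host_is_trusted(host: str) -> bool:
    """Exact host match, or a proper subdomain of a trusted parent domain.

    Suffix matching is anchored on a dot so that a look-alike such as
    'api.example-chat.test.attacker.test' is rejected.
    """
    host = host.lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return True
    return any(host.endswith("." + parent) for parent in TRUSTED_PARENT_DOMAINS)


def should_attach_token(url: str) -> bool:
    """Return True only when a bearer token may accompany a request to url."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False                     # never send a token over cleartext
    if parts.username or parts.password:
        return False                     # reject 'https://trusted-host@evil/' tricks
    return host_is_trusted(parts.hostname or "")


def naive_should_attach_token(url: str) -> bool:
    """The weak check this example warns against: a substring match on the URL.

    It accepts any URL that merely *contains* a trusted host name.
    """
    return any(trusted in url for trusted in TRUSTED_HOSTS)


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, three that must not get a token.
    samples = [
        "https://cdn.example-chat.test/team/logo.gif",
        "https://img.example-chat.test/avatar.gif",
        "http://cdn.example-chat.test/team/logo.gif",
        "https://api.example-chat.test.attacker.test/x.gif",
        "https://api.example-chat.test@attacker.test/x.gif",
    ]
    for u in samples:
        print(f"{u}\n  strict={should_attach_token(u)}  naive={naive_should_attach_token(u)}")
```

The strict check parses the URL first and compares the parsed host, so the two look-alike URLs at the end of the sample list (a trusted name used as a subdomain prefix, and a trusted name placed in the userinfo part) are refused, while the substring version accepts both.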

Attack’s workflow: [diagram from the original post]
CyberArk researchers assessed that an attacker can carry out a variety of attacks after receiving the token, such as:
sending false information to employees to cause reputational or financial damage, leaking data directly, installing malware, luring an employee into resetting a password by impersonating a team member, or contacting the CEO after hijacking another executive’s Teams account to obtain confidential financial data.
However, they believe that while sending out infected images or links is quite easy, the other steps are rather complex, and novice or amateur hackers cannot easily pull it off. 


Microsoft has already addressed the flaw with the help of researchers under CVD (Coordinated Vulnerability Disclosure). The company claims that the vulnerability wasn’t yet exploited by hackers, and now that it has been fixed, there is no threat to the users of Microsoft Teams. 

Sunday, 23 February 2020

Federal Agency that maintains secure communication for Trump got hacked

By Deeba Ahmed on 22/02/2020 at HackHead


The United States’ federal defense agency responsible for ensuring safe communications with many high profile personalities including President Donald Trump, national leaders, and military operations, admitted experiencing a security breach.
The data breach occurred at the Defense Information Systems Agency (DISA) in 2019; however, it is still unclear whether all of the data belonged to DISA.
The unknown attackers managed to steal Personally Identifiable Information (PII), including the Social Security Numbers of approximately 200,000 individuals, according to Department of Defense spokesperson Chuck Prichard. 
In a letter sent by DISA to the affected individuals and mainstream news agencies on February 11, 2020, it was explained that the cyberattack took place between May and July 2019, and that the system hosted by DISA was affected by the security breach.
It is clearly written in the letter that there is no indication of the misuse of PII. 
[Image: Source: Reuters]
It is worth noting that DISA has a policy under which the agency is obliged to inform individuals if their personal data has been compromised. Furthermore, the agency has offered credit card monitoring to the affected individuals free of charge.
Prichard stated that the department has chosen not to reveal the actions taken to mitigate the vulnerabilities or risks because of operational security reasons.
DISA is responsible for providing IT support and direct telecom facility to President Trump, Vice President Mike Pence, the US Secret Service, staff of the president, the chairman of the Joint Chiefs of Staff and senior officers from the military. 
Interestingly, in a report published in June by the Senate Homeland Security and Governmental Affairs’ Subcommittee, it was noted that as many as seven out of eight federal agencies offered insufficient protection to PII. Though DISA’s name wasn’t included in the agencies reviewed by the subcommittee, the hack does reveal shortcomings in its data protection methods.

Saturday, 22 February 2020

Private details of 10.7 million MGM Hotel guests sold on Dark Web

By Deeba Ahmed


This information also includes details of Justin Bieber and Twitter’s Jack Dorsey.

In 2017 or even before, the personal data of guests that stayed at MGM hotel was leaked and now it is, reportedly, posted for sale on the ideal marketplace for selling stolen data, the Dark Web.
Over 10.7 million (10,683,188 to be precise) records are up for sale, and this largely seems to be a repackaged bundle, revealed Irina Nesterovsky, head of research at the cyber-intelligence firm KELA. 
The data was discovered by an Israeli security researcher using the name Under the Breach. The researcher claims to have access to a number of threat actors who provide him “pre-breach information” relating to most of the publicly traded firms. 
The first posting on the Dark Web was published on 10 July 2019, and it was originally posted by NSFW, a close associate of the cybercriminal Gnosticplayers (of Canva, Zynga, MyHeritage, ShareThis and GfyCat data breach fame), along with his partners, said Nesterovsky.
She further added that the recently published data has been circulating on various other platforms for the past six months. The data includes names, dates of birth, email IDs, addresses and phone numbers of former MGM guests; it does not include passwords.
When the people affected by the data breach were contacted, some of the numbers turned out to be authentic and active, as the same person answered, while others were disconnected. The company stated that the data isn’t as recent as most of the data recently put up for sale on the Dark Web; however, in the stolen-data trading world anything is acceptable. 
As per Nesterovsky, the affected customers of MGM might be vulnerable to fraud attempts now as the information is now selling on so many different platforms.
On the other hand, Under the Breach claims that he has identified names of some famous personalities in the hacked database, which include the likes of Justin Bieber, Jack Dorsey, and DHS officials.
An MGM spokesperson has confirmed the data loss and stated that it is quite old and that payment information wasn’t compromised in the security breach. The hotel authorities claim that they did notify their customers in 2019. This was confirmed by ZDNet, which came across posts on the Vegas Message Board dating back to August 2019 where people wrote about being alerted to the data breach in July.
Here is a screenshot of the MGM listing on the dark web marketplace:
[Screenshot: Private Details of 10.7 Million MGM Hotel Guests On Sale at the Dark Web]
Via ZDNet – Source KELA.
According to Emily Wilson, VP of Research at digital risk protection provider Terbium Labs, 
“The hospitality industry sits on a hotbed of valuable data that meets at a critical intersection of personal details, financial information, and physical safety – travel data, companions, and patterns of behavior. While those are dangerous enough if exposed for any individual, it becomes particularly concerning when high profile figures – politicians, entertainers, executives, or government and law enforcement officials – come into play.”
“Having well-known individuals in the data set not only increases the risk for those high profile figures, but also increases the risk for everyone else in the data set. Knowing that an executive or entertainer is in the mix encourages fraudsters to flock toward it and try to exploit it, and everyday consumers face the fallout from that attention,” said Emily.
“These sorts of breaches fuel cybercrime and digital risk that organizations face every day. This exposed data is valuable inventory for criminals, who know they need to act quickly while the data is still fresh. It’s the perfect example of third-party exposure – the individuals, their banks, their employers, any organization they’re affiliated with or interact with, all face immediately increased risk as a result of this breach,” added Emily.
She warned that “these breaches also increase the pool of data available to powerful state actor groups that amass and consolidate whatever information they can. Organizations will feel the impact of everyday criminals having access to the data in the short term, and face a harrowing landscape of consequences from well-resourced groups in the long term.”

Tuesday, 18 February 2020

Latest LokiBot malware variant distributed as Epic Games installer

By Deeba Ahmed on 18/02/2020 at Hack Head


The new variant of the notorious LokiBot malware is more sophisticated and effective than its previous versions.

Discovered originally in 2015, LokiBot malware is extremely popular among cybercriminals because of its multitasking abilities. The malware is capable of converting itself into full-fledged ransomware and harvests almost every type of data, from login IDs and passwords to banking data and crypto wallet contents, which it does by using keyloggers that monitor user activity on the device and in the browser.

According to Trend Micro researchers, the newly discovered variant of LokiBot malware is being distributed as a popular game launcher for Epic Games, the same developer behind the massively popular online game Fortnite, to trick users so that they execute it on their devices.
Detected as Trojan.Win32.LOKI, this campaign has a rather peculiar installation routine in which a C# code file is dropped to infect the device. The user believes that this file is the Epic Games Store installer and executes it without suspecting any foul play. 

As per Trend Micro’s blog post, this installer is built with the Nullsoft Scriptable Install System (NSIS) authoring tool. The NSIS Windows installer uses the original Epic Games logo to deceive users, and as soon as the file is executed two more files are dropped.

https://www.hackread.com/wp-content/uploads/2020/02/lokibot-malware-variant-epic-games-installer-2.jpg

One of them is a C# source code file, while the other is a .NET executable found in the infected device’s %AppData% directory. The .NET executable contains so much junk code that reverse-engineering it becomes extremely difficult. The purpose of this file is to read and compile the C# code file titled MAPZNNsaEaUXrxeKm.


After compilation, the binary invokes the EventLevel function from the C# code file via the InvokeMember function, which decrypts and loads the encrypted assembly already embedded in the file. Afterward, the LokiBot payload is executed. Shipping the stage as C# source rather than a compiled binary helps it evade the device’s defense mechanisms.
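Because the dropped source file named above carries no .cs extension, a detection that trusts file names would miss this drop pattern. The following is an added example, not code from the original article or from Trend Micro: a small file-system sweep that sniffs file contents and reports any directory holding both an executable and a C# source file, which is the pairing the article describes. The directory layout, file names and file contents it builds are constructed for this illustration.

```python
"""
Added example, not code from the original article or from Trend Micro: a small
file-system sweep that looks for the drop pattern the article describes, an
executable sitting next to a C# source file that is compiled on the victim machine.
Because the dropped source file in the article has no .cs extension, the check
sniffs content instead of trusting file names. The directory layout, file names
and file contents built by build_sample_tree are constructed for this illustration.
"""
import os
import re
import tempfile

# Content markers for a C# source file (constructed heuristic, deliberately simple).
CSHARP_MARKERS = (
    re.compile(rb"\busing\s+System\b"),
    re.compile(rb"\b(?:namespace|class)\s+\w+"),
)


def looks_like_csharp(head: bytes) -> bool:
    return all(m.search(head) for m in CSHARP_MARKERS)


def looks_like_pe(head: bytes) -> bool:
    # Windows executables and DLLs start with the 'MZ' DOS header signature.
    return head[:2] == b"MZ"


def classify_file(path: str):
    """Return 'pe', 'csharp' or None based on the first 4 KiB of the file."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    if looks_like_pe(head):
        return "pe"
    if looks_like_csharp(head):
        return "csharp"
    return None


def find_source_plus_binary_drops(root: str):
    """Walk root and report every directory holding both a PE and a C# source."""
    hits = []
    for dirpath, _, names in os.walk(root):
        kinds = {"pe": [], "csharp": []}
        for name in names:
            kind = classify_file(os.path.join(dirpath, name))
            if kind:
                kinds[kind].append(name)
        if kinds["pe"] and kinds["csharp"]:
            hits.append({"dir": dirpath, "pe": sorted(kinds["pe"]), "csharp": sorted(kinds["csharp"])})
    return hits


def build_sample_tree(root: str) -> str:
    """Constructed sample: a drop directory with a PE stub and an extension-less
    C# file, plus a benign directory that must not be flagged."""
    drop = os.path.join(root, "AppData", "Roaming")
    os.makedirs(drop)
    # Extension-less C# source named after the file in the article (contents constructed).
    with open(os.path.join(drop, "MAPZNNsaEaUXrxeKm"), "wb") as fh:
        fh.write(b"using System;\nnamespace Stage { class Loader { "
                 b"public static void EventLevel() { } } }\n")
    # Constructed stand-in for the .NET executable: only the 'MZ' signature, not a real PE.
    with open(os.path.join(drop, "launcher.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    benign = os.path.join(root, "Documents")
    os.makedirs(benign)
    with open(os.path.join(benign, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return drop


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_source_plus_binary_drops(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"suspicious drop in {hit['dir']}: pe={hit['pe']} csharp={hit['csharp']}")
```

Run against a real profile directory the sweep will produce false positives wherever developer tooling legitimately keeps source next to binaries, so in practice the hit list is a triage queue rather than a verdict; the value of content sniffing is that renaming or stripping the extension of the dropped source, as in this campaign, does not hide it.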

Researchers believe that the malware is distributed via phishing emails sent out in huge numbers to reach as many targets as possible. Nonetheless, the discovery reinforces the fact that LokiBot continues to be the preferred Trojan of scammers, and they are likely to keep tweaking it in the future.