Posted Date: 9/16/2022
Published Date:
Source(s): Vectra.AI
Sector: Security Vulnerability
Reported by: Vectra Protect Team
Date(s) Issued:
Subject: An attack path was discovered that would enable malicious actors with file system access to steal credentials for any signed-in Microsoft Teams user.

OVERVIEW: Malicious actors can exploit a vulnerability in the current Microsoft Teams desktop application to gain access to authentication tokens and accounts, even those with multi-factor authentication enabled.

SYSTEMS AFFECTED:
• Windows Operating Systems (all versions)
• Linux Operating Systems (all versions)
• Mac Operating Systems (all versions)
RISK: Anyone who is currently using the Microsoft Teams desktop application.

THREAT SUMMARY: In August 2022, the Vectra Protect team discovered an attack path that would give malicious actors access to authentication tokens and accounts, even with multi-factor authentication enabled. Microsoft Teams is an Electron app, and the issue stems from the fact that Electron does not support encryption or protected file locations. The Vectra Protect Team found that the Microsoft Teams application stores these access tokens in clear text in an “ldb” file, and also keeps valid authentication tokens, account information, session data, and marketing tags in the “Cookies” folder. While this vulnerability is severe, exploiting it requires a malicious actor to already have access to an internal network.
A Microsoft spokesperson has stated that this does not meet the bar for immediate servicing, as it requires an attacker to already have access to a target network.
Mitigations: Currently the only recommended mitigation is to use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks.
Indicators of Compromise: Any process other than Teams.exe attempting to access the following file paths:
• [Windows] %AppData%\Microsoft\Teams\Cookies
• [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
• [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
• [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
• [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
• [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
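As an added illustration (not part of this advisory or of CyFlare's detection content), the following Python script applies the rule above to constructed file-access events: any process whose basename is not Teams.exe touching one of the listed paths, or a file beneath the leveldb directory, is flagged. The JSON event format and the bare "teams" process name allowed for the macOS/Linux binaries are assumptions made for this example.

```python
import json
import re

# Credential-store locations from the advisory's indicators of compromise, as lower-case
# path fragments with forward slashes so one matcher covers all three operating systems
# (%AppData%, ~ and drive letters become an arbitrary prefix).
SENSITIVE_FRAGMENTS = (
    "microsoft/teams/cookies",                          # Windows, macOS
    "microsoft/teams/local storage/leveldb",            # Windows, macOS
    "microsoft/microsoft teams/cookies",                # Linux
    "microsoft/microsoft teams/local storage/leveldb",  # Linux
)

# Teams.exe is the only legitimate accessor named in the advisory; the bare "teams"
# name for the macOS/Linux binaries is an assumption made for this example.
ALLOWED_PROCESSES = {"teams.exe", "teams"}


def is_sensitive_teams_path(path: str) -> bool:
    """True if path is a listed credential store or a file beneath the leveldb directory."""
    p = path.replace("\\", "/").lower()
    return any(p.endswith(frag) or (frag + "/") in p for frag in SENSITIVE_FRAGMENTS)


def detect(event_lines):
    """Return (host, process, path) for each credential-store access by a non-Teams process."""
    alerts = []
    for line in filter(None, (ln.strip() for ln in event_lines)):
        event = json.loads(line)
        proc = re.split(r"[\\/]", event.get("process", ""))[-1].lower()  # basename only
        if is_sensitive_teams_path(event.get("path", "")) and proc not in ALLOWED_PROCESSES:
            alerts.append((event.get("host"), proc, event["path"]))
    return alerts


# Constructed sample telemetry (JSON lines with host/process/path keys, onto which real EDR
# or Sysmon file-access events would be mapped): one benign Teams access, three suspicious
# reads by other processes, and one unrelated file access.
SAMPLE_EVENTS = r"""
{"host": "WS01", "process": "Teams.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"}
{"host": "WS01", "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\000003.ldb"}
{"host": "MAC02", "process": "/usr/bin/python3", "path": "/Users/bob/Library/Application Support/Microsoft/Teams/Cookies"}
{"host": "LX03", "process": "/usr/bin/cat", "path": "/home/carol/.config/Microsoft/Microsoft Teams/Local Storage/leveldb/LOG"}
{"host": "WS01", "process": "notepad.exe", "path": "C:\\Users\\alice\\Documents\\notes.txt"}
"""


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return detect(SAMPLE_EVENTS.splitlines())
```

Running `run_sample()` yields three alerts (the PowerShell, python3 and cat accesses); the Teams.exe read and the unrelated notepad.exe access are not flagged.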
CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC has created a global ATH rule to detect any access to the file paths listed in the indicators of compromise.
• SentinelOne: A custom STAR query is being implemented to detect abnormal access to the file paths listed in the indicators of compromise section.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with OTX Pulses containing the related indicators observed by both the vendor and the community.
Developing Situation: The SOC will continue to research emerging related threats in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise and scan for the vulnerability within those clients that have the Vulnerability Management Service.