CyFlare SOC Advisory – Microsoft Teams Vulnerability
Incident Report for CyFlare
Monitoring
Posted Date: 9/16/2022
Published Date:
Source(s): Vectra.AI
Sector: Security Vulnerability
Reported by: Vectra Protect Team
Date(s) Issued:
Subject: An attack path was discovered that would enable malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in.
OVERVIEW: Malicious actors can exploit a vulnerability in the current Microsoft Teams application that could allow access to authentication tokens, and thereby to accounts, even where multi-factor authentication is enabled.
SYSTEMS AFFECTED:
• Windows Operating Systems (all versions)
• Linux Operating Systems (all versions)
• Mac Operating Systems (all versions)

RISK:
Anyone who is currently using the Microsoft Teams desktop application
THREAT SUMMARY:
In August 2022, the Vectra Protect team discovered an attack path that would give malicious actors access to authentication tokens and accounts even with multi-factor authentication enabled. Microsoft Teams is an Electron app, and the issue stems from the fact that Electron does not support encryption or protected file locations. The Vectra Protect team found that the Microsoft Teams application stores these access tokens in clear text in an “ldb” file, and also stores valid authentication tokens, account information, session data, and marketing tags in the “Cookies” folder. While this vulnerability is severe, exploiting it requires a malicious actor to already have access to an internal network.

A Microsoft spokesperson has stated that this does not meet the bar for immediate servicing, as it requires an attacker to already have access to a target network.


Mitigations:
Currently the only recommended mitigation is to use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks.


Indicators of Compromise:
Any process other than Teams.exe attempting to access the following file paths:
• [Windows] %AppData%\Microsoft\Teams\Cookies
• [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
• [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
• [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
• [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
• [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
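As an added example (not part of this advisory or of any vendor rule), the following Python script applies that indicator to constructed file-access log lines in a pipe-separated "timestamp|host|process|path" format, flagging any process other than Teams that touches one of the paths above on any of the three platforms. The log format, the sample events and the non-Windows Teams process name are assumptions.

```python
import fnmatch
from typing import NamedTuple

# Token-bearing Teams paths from the advisory as lowercase glob patterns; the
# "%AppData%"/"~" prefixes become wildcards, and leveldb* also covers .ldb files.
TEAMS_TOKEN_PATHS = [
    r"*\appdata\roaming\microsoft\teams\cookies",                  # Windows
    r"*\appdata\roaming\microsoft\teams\local storage\leveldb*",   # Windows
    "*/library/application support/microsoft/teams/cookies",       # macOS
    "*/library/application support/microsoft/teams/local storage/leveldb*",
    "*/.config/microsoft/microsoft teams/cookies",                 # Linux
    "*/.config/microsoft/microsoft teams/local storage/leveldb*",
]
# Assumption: the advisory names only Teams.exe; "teams" (macOS/Linux) is assumed.
EXPECTED_PROCESSES = {"teams.exe", "teams"}
class FileEvent(NamedTuple):
    timestamp: str
    host: str
    process: str  # image name of the process that opened the file
    path: str

def parse_event(line: str) -> FileEvent:
    """Parse one constructed 'ts|host|process|path' file-access log line."""
    return FileEvent(*line.rstrip("\n").split("|", 3))

def touches_teams_tokens(path: str) -> bool:
    """True if the path is one of the advisory's token-bearing locations."""
    return any(fnmatch.fnmatchcase(path.lower(), p) for p in TEAMS_TOKEN_PATHS)

def is_suspicious(ev: FileEvent) -> bool:
    """The advisory's IoC: a non-Teams process touching the token store."""
    return touches_teams_tokens(ev.path) and ev.process.lower() not in EXPECTED_PROCESSES

def find_suspicious(lines) -> list:
    """Return the events from an iterable of log lines that match the IoC."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]

# Constructed sample telemetry (not real data): Teams itself, two tools reading
# token files, and an unrelated file access that must not alert.
SAMPLE_LOG = [
    "2022-09-16T10:01:00Z|WS01|Teams.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies",
    "2022-09-16T10:02:00Z|WS01|powershell.exe|C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\000005.ldb",
    "2022-09-16T10:03:00Z|MAC02|Teams|/Users/bob/Library/Application Support/Microsoft/Teams/Cookies",
    "2022-09-16T10:04:00Z|LNX03|cp|/home/carol/.config/Microsoft/Microsoft Teams/Cookies",
    "2022-09-16T10:05:00Z|WS01|notepad.exe|C:\\Users\\alice\\Documents\\notes.txt",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"{ev.timestamp} {ev.host}: {ev.process} accessed {ev.path}")
```

In production the lines would come from EDR or Sysmon file-access telemetry rather than SAMPLE_LOG, and the process check should compare the full image path, since a process name alone can be spoofed.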


CyFlare Actions Taken:
• Stellar Cyber – BDS: The SOC has created a global ATH rule to detect any access to the file paths listed in the Indicators of Compromise section.
• SentinelOne: A custom STAR query is being implemented to detect abnormal access to the file paths listed in the Indicators of Compromise section.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with ‘OTX Pulses’, i.e. the available information on related indicators observed by both the vendor and the community.

Developing Situation:
The SOC will continue to research emerging related threats in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise and scan for this vulnerability within clients subscribed to the Vulnerability Management Service.

Reference Links:

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
https://www.darkreading.com/vulnerabilities-threats/token-mining-weakness-microsoft-teams-perfect-phish


Should you have any questions or concerns, please open a ticket with the SOC via socir@cyflare.com or by calling 877.729.3527, extension 2.

Thank you,
Your CyFlare SOC
Posted Sep 16, 2022 - 23:01 EDT