Trustwave, a Top 200 MSSP, has discovered a Microsoft Teams Updater vulnerability that enables cybercriminals to use the "Living Off the Land" technique to download a binary or payload onto a victim's computer.
Microsoft previously provided a Teams patch to restrict Updater's ability to update via a URL, Trustwave indicated. However, cybercriminals can bypass this restriction by setting up a remote Server Message Block (SMB) shared folder.
To exploit the Teams Updater vulnerability, cybercriminals must access a network file in an end-user's open shared folders, Trustwave noted. Then, they can access a payload from that folder and apply it to a victim's computer.
How to Combat the Microsoft Teams Updater Vulnerability
Trustwave offered the following recommendations to help organizations combat the Teams Updater vulnerability:
- Use endpoint detection and response (EDR) solutions and find "update.exe" command lines for suspicious connections.
- Search for squirrel.exe executables and investigate the file size; this enables end-users to distinguish trojan squirrels from the legitimate squirrel.exe.
- Evaluate outgoing SMB connections from Teams or filter SMB connections at the perimeter.
- Identify any security exclusions on Microsoft Teams packages and review any applied changes.
- Install Microsoft Teams under the "Program Files" folder; this can be carried out via Group policy.
- Disable any update mechanisms.
Also, Trustwave is encouraging organizations to establish a policy relating to Teams updates. This policy should require organizations to allow authorized IT professionals only to update Teams across all departments.
Are Cybercriminals Targeting Microsoft Teams Users?
The coronavirus (COVID-19) pandemic has led many organizations to let their employees work remotely. As such, the demand for Teams and other remote work solutions has increased, and organizations must plan accordingly.
Approximately 89 percent of organizations have been targeted by coronavirus-related malware, a study VMware's "Extended Enterprise Under Threat" report revealed. Furthermore, the report indicated that security teams and business leaders must work together to identify and stop coronavirus-related cyberattacks.