
Hi everyone, thank you for coming to my talk today, called Gone Teaming. Today I will be talking about abusing Microsoft Teams security misconfigurations for webhook hijacking, and taking those webhooks to do some other fun shenanigans. So without further ado, let's dive in.

A little bit about me: I'm a red teamer in healthcare. I'm an information security testing analyst, or penetration tester, at a healthcare company in Minneapolis, Minnesota. Some of my research interests include cloud and IoT security. Specifically in the cloud I like to do offensive attacks, and when I talk about IoT it's more DEF CON badgelife, so I like to do that when I'm not doing my web app tests throughout the year. Something I like to do in my free time: I'm a yoga instructor and runner, and I'm also a dog parent. Since I am talking about a dog, I wanted to include a picture of him. This is Atlas. I chose this picture because he's centered in the screen. If you like my talk today, feel free to give me a follow on Twitter or LinkedIn, and in addition if you have any questions.

Before I begin my talk I want to do a brief overview of what I'm going to be talking about today. Beginning with the background: what functionalities within Teams cause the vulnerability I'm going to discuss; the vulnerability itself, what is it; and then how can we use this vulnerability to exploit Teams and create a phishing engagement, which is super exciting. After I go into that exploit, I'm going to talk about some detection and prevention procedures: we have this exploit, what can we do to prevent it? And then just a conclusion of why do a Teams phishing engagement versus the normal email type of engagement at your company, and some pros and cons there.

So to begin, Teams connectors. What Teams connectors are is a functionality within Teams that allows you to integrate third-party applications. When I talk about applications, think about ServiceNow, GitHub or Jenkins. Say a developer wants notifications within Teams; connectors allow those notifications to be sent into Teams. A more formal definition would be to deliver third-party content or service updates into a Teams channel. It's a really cool functionality that a lot of real organizations use. I included a screenshot to the left here of a test channel and how to see the different connectors that are within that channel, and then to the right are some different options. So you can see what's configured within the channel and also some other things you can add.

Since we're talking about connectors: these connectors use something called webhooks. These webhooks can be thought of as a URL token, or secret. When a developer is integrating a third-party application within a certain channel, this webhook serves as that means of communication. If they are configuring, say, a GitHub notification into their development channel, this webhook is the security that says this is the GitHub project and this is the channel that I want to send notifications to. Again, a more formal definition would be a user-defined HTTP callback that communicates real-time data into Teams. So if a developer makes a change within a GitHub environment, that would be communicated in real time into their channel. Say if they pushed to prod and they're not supposed to push to prod, all the developers would know, because that notification would be sent into Teams. Usually there's a link there that they can click that would redirect them to the change that was made. And again, not to sound repetitive, but they work with the connectors to allow external web services to interact with channels. Some popular use cases here, like I mentioned, would be the developer system maintenance notifications that are made within a development team or environment. You often see Jenkins, Bitbucket, ServiceNow, but really a lot of different third-party applications that someone could use for development.

This right here is just a screenshot of what an incoming webhook would look like that has been configured within a channel. You see the name; I just used "third party notification", but if you're using something like GitHub or Jenkins it would be like "Jenkins prod update" or something. You can upload an image. And right here, where you see the "view webhook" text, that would actually be your secret: that would be the URL that someone would use, or the webhook that would show GitHub and show channels that this is the correct means of communication. This screenshot also shows how these connectors work with webhooks together to help these third-party applications work for developers and improve their development process.

So what do you think the vulnerability here is, and how can it occur? The answer's in the meme, so I'll give everyone a few seconds to think about it. We have a webhook that communicates between these third-party apps and a channel that sends notifications. A lot of people are seeing these notifications. Thinking about that, it's a secret, so do we really want everyone to see this webhook? The vulnerability would actually be the default configurations. In Microsoft Teams, the default configuration would be that anyone that has access to these channels could actually see that webhook. So say if there's an insider threat, or someone's credentials were stolen, they can actually go in and steal this webhook and do some shenanigans with it, which is really concerning. Often the people who are integrating these webhooks within Teams don't think about that, so they just have this default configuration that allows anyone in the organization or channel to view it.

Right here is just a demo of how someone can go in and steal a webhook that is integrated within Teams. This is a test channel, and letting it run through one more time: see, they can easily just go into "configured" and see all the different webhooks that are configured, click "manage", scroll down (obviously I'm not showing the secret here), but where it says "copy the URL below", that would be the webhook. If you would like to see a full page screenshot of this, the full screenshot is in slide six, so when the slides are posted go ahead and give it a look if you're interested. So then you can just copy and paste the URL from this page, and now you have a token. Now you have the secret that communicates a third-party application notification within a Teams channel environment.

So what can you do with it? Actually a lot of things. In this instance I made a credential harvester, because I knew that a lot of developers probably had escalated privileges that maybe would allow me to see source code or other secrets within an organization. So I thought, why not make this a credential harvester? If I create a message that looks legitimate, they'll click the link, it sends them to, say, a sign-in page, and I would get their credentials from there to do some other bad stuff. So that was the idea here when I found that these webhooks were exposed to me as an insider threat.

Right here is just an example. The upper screenshot is a screenshot from Postman, where you see the POST and the text that says "hijacked webhook pasted here". That's where I put the webhook that I stole, to make sure that I was communicating with the correct channel. In this case the channel I wanted to communicate with was a ServiceNow channel that sent ServiceNow notifications. The little highlighted red box is a URI to the phishing landing page I created, or the credential harvester. And then the below screenshot is what it actually looked like within a Teams channel. I would say it looked pretty legitimate. If I was a maintenance team member or a developer, I wouldn't think twice; I would just click that "View change request in ServiceNow" and give in some of my credentials.

Then, going into how I created the landing page, or the credential harvester: I used an open-source toolkit called Gophish. Gophish was really cool; it allowed me to create this fake Microsoft sign-in page. What's really cool about Gophish is that even though it was made for email, since it's open source it can actually be changed and customized to whatever you need. So for this instance I customized it to just give me that URI that I can send in my Postman requests. Another really cool thing about Gophish is it does data analytics, so it told me who clicked the link, who submitted credentials, and then, if I wanted to, I could see the credentials. Since this was a corporate environment, I did not go with that option, because in Gophish those credentials are sent over clear plain text. You can also go in and configure it to show you the specific IPs that clicked the link, which is another really cool feature of this tool I used.

So after I sent these messages within Teams, what did I do, right? We found a successful attack vector for phishing; now what? You really just have to wait. You have to wait and see what type of results you get and what comes out of it. Initially the messages I first sent looked very, very similar, pretty much exactly like a normal message, which didn't get too many clicks from the developers, since usually there are so many that are sent throughout the day. So I took this information I got and started sending purposely suspicious-looking messages to see how people would react and what would happen. Fortunately, when I did start sending these messages, people caught on and were able to report it and conclude the engagement. So if you decide to do this at your organization, just know that the detection might be a little different within Teams, because it's not something people are looking for, but you can always adjust it and customize it to fit your needs or your goals for this social engineering engagement.

Now that we've talked about how we've done this whole attack and what allowed it to happen, let's dive into some solutions. Let's first begin with detection. Tishing, or Teams phishing, notifications are actually very similar to detect to phishing emails. Something you'd want to look out for is any misspellings; also in the link domain, if it looks not right, that is another thing that shows if it's phishing; and then also if the certificate isn't legitimate, that's a really big red flag.

Leading into prevention: when you are doing your employee security awareness trainings, teach employees that phishing can occur outside the email inbox. It can actually occur anywhere, like in Teams, and I feel like a lot of employees just trust Teams, but they also should be aware that these kinds of attacks can still happen. Another method for prevention is doing a reporting process, or something called a "see something, say something" protocol. Usually a phishing email is super easy to report within Outlook; there's a little functionality for it. But this is a little different, so create a procedure where, when someone at the company sees something suspicious-looking, they can report it easily to the security team so it can be fixed. And the last point here is to just watch for misconfigurations. Since this was a default configuration, it is a very common one, so make sure that it doesn't exist within your Teams environment, and also make sure that that webhook URL or token isn't laying around anywhere for everyone to see, which is super bad, as you just saw with the engagement and example I gave.

Then just going into some similarities and differences between a Teams phishing engagement versus an email phishing engagement. Like what I said before, the similarities are the detection and reporting: the same way of phishing, a Teams message is very similar to Outlook, those misspellings, the faulty certificate, all those things that you would usually see in a phishing email. They can also both be used for security awareness trainings, which is really awesome when you are doing that for your organization. But some of the differences: phishing Teams messages require an insider threat or compromised credentials, but for a phishing email you just need to know the organization's email domain. Another difference is in Teams, when you send those messages, they look very legitimate, and those developers aren't going to be given a warning that it's coming from an external source, but in Outlook they are. So I feel like Outlook and those emails are a lot easier to detect because there is that warning for them. This is especially true if you are sending a Teams notification and that landing page has a certificate; usually the browser will not warn the employees, so they would believe that it's a real sign-in page and give their credentials. What else? And then also, detection is far less likely in a Teams environment just because most employees aren't informed of it, unless it looks obviously fake. And then lastly, the Teams phishing engagement takes a lot longer, because you do have to go in and customize that landing page to fit your needs within Gophish, and you also have to do the research of how to even steal the webhook and all of that.

Now, why get creative with red team phishing engagements? Why choose to do a Teams phishing engagement versus the usual email phishing engagement for your organization? You do find other vulnerabilities: in this instance I found that misconfiguration, and then also just the webhooks that are lying around. You get to test unconventional reporting procedures: say if an employee sees something suspicious, it tests how would they report it to the security team, which is really nice. And this doesn't just apply to the phishing messages within Teams; if they just see something suspicious in an environment, how would they report it? It gets to test that. You get to learn more about potential open-source tools to use for your organization; in this case I got to learn more about Gophish, which made phishing engagements a lot easier for me versus doing it all on my own. And then you also get to challenge your red team: if you tell your red team to create a new phishing engagement, it allows them to have a lot of creativity there that is outside of their annual penetration tests. So it's super fun, and who doesn't want to challenge the red team, am I right?

So those are all of my supporting points that promote doing a creative phishing engagement versus the annual email phishing that most employees already know how to look out for. Then just moving on to the last slide here: if you have any questions, my Twitter and LinkedIn are on the introduction page. Thank you so much for listening to my talk today, and I hope you enjoy the rest of your BSides.
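The detection advice in the talk (check the link domain of a connector message, watch for lookalikes) can be automated over the cards a webhook delivers. The following is an added example, not code from the talk: it assumes the legacy Office 365 connector MessageCard JSON shape that incoming webhooks accept, uses a constructed per-connector allowlist of expected hosts, and runs over two constructed sample cards with placeholder domains.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts each connector is expected to link to; a real
# deployment would build this from the connectors actually configured per channel.
EXPECTED_HOSTS = {"ServiceNow": {"acme.servicenow.example"}}
MD_LINK = re.compile(r"\[[^\]]*\]\((https?://[^)\s]+)\)")

def extract_links(card):
    """Collect URLs from a legacy MessageCard: OpenUri buttons plus markdown links in text."""
    urls = []
    for action in card.get("potentialAction", []):
        if action.get("@type") == "OpenUri":
            urls += [t.get("uri", "") for t in action.get("targets", [])]
    for section in card.get("sections", []):
        urls += MD_LINK.findall(section.get("text", ""))
    return urls

def review_card(connector_name, card):
    """Return findings (strings) for one card delivered through the named connector."""
    allowed = EXPECTED_HOSTS.get(connector_name, set())
    brand = re.sub(r"[^a-z0-9]", "", connector_name.lower())  # e.g. "servicenow"
    findings = []
    for url in extract_links(card):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS link: {url}")
        if any(host == a or host.endswith("." + a) for a in allowed):
            continue  # exactly where this connector is supposed to send people
        # a brand name inside a non-allowlisted host is the classic lookalike domain
        kind = "lookalike host" if brand in host.replace("-", "") else "unexpected host"
        findings.append(f"{kind} for {connector_name} connector: {url}")
    return findings

# Constructed sample cards: a genuine-looking update and one steering users to a lookalike sign-in host.
LEGIT_CARD = {
    "@type": "MessageCard", "summary": "Change request updated",
    "sections": [{"activityTitle": "CHG0012345 moved to Scheduled"}],
    "potentialAction": [{"@type": "OpenUri", "name": "View Change Request", "targets": [
        {"os": "default", "uri": "https://acme.servicenow.example/change/CHG0012345"}]}],
}
SUSPECT_CARD = {
    "@type": "MessageCard", "summary": "Change request updated",
    "sections": [{"activityTitle": "CHG0012346 needs approval",
                  "text": "Sign in to [review the change](https://acme-servicenow-login.example/sso)."}],
    "potentialAction": [{"@type": "OpenUri", "name": "View Change Request", "targets": [
        {"os": "default", "uri": "https://acme-servicenow-login.example/sso"}]}],
}
```

Feeding each card posted to a channel through review_card, keyed by the connector it arrived on, turns the "does the link domain look right" check into something that can raise a report automatically rather than relying on every developer to notice.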