New Ghost Calls tactic abuses Zoom and Microsoft Teams for C2 operations

What’s new: A new command-and-control (C2) evasion method called ‘Ghost Calls’ has been identified. It abuses the TURN servers used by Zoom and Microsoft Teams to tunnel traffic through trusted infrastructure. The technique lets attackers bypass defenses without exploiting vulnerabilities: it uses legitimate credentials and WebRTC to disguise malicious traffic as regular video conferencing data.

Who’s affected

Organizations using Zoom and Microsoft Teams for conferencing may be at risk, as the Ghost Calls tactic can exploit their infrastructure for covert C2 operations.

What to do

  • Monitor network traffic for unusual patterns that may indicate the use of TURN-based tunneling.
  • Review and enhance firewall and proxy configurations to detect and block unauthorized use of TURN servers.
  • Educate employees about potential risks associated with web conferencing tools and encourage reporting of suspicious activity.
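
A sketch of the first item above, added here as an example and not taken from the original advisory or from any vendor: it reviews flow records that have been joined with process data and flags conferencing-relay sessions that do not look like calls. The relay CIDRs (documentation ranges used as placeholders), the client allowlist, the thresholds and the record field names are all assumptions to replace with your own baseline.

```python
import ipaddress

# Assumptions (not from the advisory): placeholder relay CIDRs, client process
# names and thresholds. Substitute the vendors' published media-relay ranges
# and values tuned to your own traffic baseline.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
TURN_PORTS = {3478, 5349, 443}   # standard TURN/TURNS ports; 443 assumed as TLS fallback
APPROVED_CLIENTS = {"zoom.exe", "ms-teams.exe", "teams.exe"}
MAX_DURATION_S = 4 * 3600        # longer than an expected meeting
MAX_ASYMMETRY = 20.0             # larger direction : smaller direction, in bytes

def is_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_NETS)

def review_flow(flow):
    """Return the reasons this flow deserves analyst review (empty list = none)."""
    if flow["dst_port"] not in TURN_PORTS or not is_relay(flow["dst_ip"]):
        return []
    reasons = []
    if flow["process"].lower() not in APPROVED_CLIENTS:
        reasons.append("relay traffic from non-conferencing process")
    if flow["duration_s"] > MAX_DURATION_S:
        reasons.append("session longer than expected meeting length")
    hi = max(flow["bytes_out"], flow["bytes_in"])
    lo = max(1, min(flow["bytes_out"], flow["bytes_in"]))
    if hi / lo > MAX_ASYMMETRY:
        reasons.append("one-directional byte ratio atypical for a call")
    return reasons

def triage(flows):
    """Map (host, process, dst_ip) -> reasons for every flagged flow."""
    flagged = ((f, review_flow(f)) for f in flows)
    return {(f["host"], f["process"], f["dst_ip"]): r for f, r in flagged if r}

# Constructed sample records (e.g. EDR or NetFlow data joined with process names).
SAMPLE_FLOWS = [
    {"host": "ws-01", "process": "Zoom.exe", "dst_ip": "192.0.2.10", "dst_port": 3478,
     "duration_s": 2700, "bytes_out": 180_000_000, "bytes_in": 210_000_000},
    {"host": "ws-02", "process": "updater.exe", "dst_ip": "198.51.100.7", "dst_port": 443,
     "duration_s": 30000, "bytes_out": 900_000_000, "bytes_in": 4_000_000},
    {"host": "ws-03", "process": "chrome.exe", "dst_ip": "203.0.113.5", "dst_port": 443,
     "duration_s": 60, "bytes_out": 20_000, "bytes_in": 900_000},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

If users join meetings through the web clients, browser processes belong in the allowlist, and the duration and byte-ratio checks then carry the detection for those hosts.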
