Blog entry by Les Bell

by Les Bell - Monday, June 26, 2023, 10:20 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

GIFShell Attack Exploits Teams; Exfiltrates Data Through MS Servers

A new exfiltration technique allows attackers who compromise Microsoft Teams users to exfiltrate data through Microsoft's own servers, making the exfiltration hard to spot by endpoint security products and firewalls, since it looks like legitimate Teams traffic.

The technique, named GIFShell, uses a reverse shell that delivers malicious commands via base64-encoded GIF files in Teams and exfiltrates the output, also as GIFs, via the Teams infrastructure. The attacker must first somehow convince a user to install a malicious backdoor that executes commands and uploads the results via a GIF URL to a Teams webhook. The backdoor scans the Teams logs for messages containing a GIF, extracts the base64-encoded commands and executes them. It then converts the output to base64 text, which is used as the filename of a remote GIF embedded in a Microsoft Teams Survey card that is submitted to the attacker's public webhook.

Microsoft has acknowledged the GIFShell attack, but will not issue a fix, stating that no security boundaries were bypassed, this being a post-exploitation technique.
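Because the exfiltration channel described above hides command output in a GIF filename, one defensive check is to scan outbound request or webhook logs for GIF URLs whose filename is a long, well-formed base64 string that decodes to readable text. The following is an added example (not code from the article or from the GIFShell research); the log lines, hostnames and the "command output" are constructed stand-ins, and `decode_if_base64` and `suspicious_gif_refs` are names chosen here.

```python
import base64
import binascii
import re
from typing import Optional

# A GIF URL; the filename (without extension, after the last "/") is captured.
# Standard base64 containing "/" would be split at the separator, so only
# "/"-free or URL-safe names are seen whole.
GIF_URL_RE = re.compile(r"https?://[^\s\"']+/([^/\s\"']+)\.gif\b", re.IGNORECASE)

def decode_if_base64(name: str, min_len: int = 16) -> Optional[bytes]:
    """Return decoded bytes if `name` is a long, well-formed base64 string
    (standard or URL-safe alphabet) whose payload is mostly printable text.
    Short names and pure-hex names (typical content hashes on CDNs) are
    ignored to keep false positives from ordinary asset names down."""
    if len(name) < min_len or re.fullmatch(r"[0-9a-fA-F]+", name):
        return None
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+={0,2}", name) or len(name) % 4:
        return None
    try:
        payload = base64.b64decode(name, altchars=b"-_", validate=True)
    except binascii.Error:
        return None
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return payload if payload and printable / len(payload) >= 0.9 else None

def suspicious_gif_refs(log_lines):
    """Scan log lines (proxy, Teams or webhook request logs) and return
    (line_no, filename, decoded_text) for GIF URLs whose filename decodes
    to text, the pattern GIFShell uses to carry command output."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in GIF_URL_RE.finditer(line):
            payload = decode_if_base64(m.group(1))
            if payload is not None:
                hits.append((n, m.group(1), payload.decode("ascii", "replace")))
    return hits

# Constructed sample data (not real traffic): a stand-in for command output
# that an implant would encode into a GIF filename.
SAMPLE_OUTPUT = b"uid=1000(alice) gid=1000(alice)\n"
SAMPLE_NAME = base64.b64encode(SAMPLE_OUTPUT).decode()
SAMPLE_LOG = [
    "GET https://media.example.com/reactions/thumbs-up.gif 200",
    "GET https://cdn.example.com/img/3f2a9c1d4e5b6a7f8c9d0e1f2a3b4c5d.gif 200",
    f"POST https://hooks.example.invalid/survey card.image=https://img.example.invalid/{SAMPLE_NAME}.gif",
]

if __name__ == "__main__":
    for n, name, text in suspicious_gif_refs(SAMPLE_LOG):
        print(f"line {n}: GIF name {name[:24]}... decodes to {text!r}")
```

This is a heuristic: long random asset names can still decode by chance, so treat a hit as a trigger for review of the originating Teams session and webhook destination rather than as proof of compromise.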

Johnson, Mic, Understanding the Microsoft Teams Vulnerability: The GIFShell Attack, Latest Hacking News, 20 June 2023. Available online at https://latesthackingnews.com/2023/06/20/understanding-the-microsoft-teams-vulnerability-the-gifshell-attack/.

Verizon 2023 DBIR Available

From the "Dammit - we meant to post this weeks ago" department: Verizon's annual Data Breach Investigations Report is always an interesting read, and we go hunting for it every April/May, when it usually appears. This year's appeared a few weeks ago and is, as usual, very informative. Some interesting factoids:

  • 83% of breaches involved external actors, with the majority of attacks financially motivated, while 19% involved internal actors (sometimes unintentionally, through misuse or human error)
  • 24% of all breaches involved ransomware; it was used in 62% of incidents committed by organized crime and 59% of financially motivated incidents
  • 50% of all social engineering incidents used pretexting - scenarios invented to trick the victim into giving up information or doing something to enable a breach
  • 74% of breaches involve human factors: errors, privilege misuse, theft of credentials or social engineering
  • 95% of breaches are financially motivated

It certainly seems like we could obtain high returns from increased efforts in the human factors (education, training and awareness) aspects of our business.

Uncredited, 2023 Data Breach Investigations Report, Verizon, 2023. Available online at https://www.verizon.com/business/en-au/resources/reports/dbir/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.