A new evasion technique called "Ghost Calls" manipulates TURN servers used by conferencing apps like Zoom and Microsoft Teams to hide C2 traffic within legitimate video conferencing data. This method allows attackers to bypass firewalls and encryption, making malicious communication difficult to detect. #GhostCalls #TURNservers
Key points
- Ghost Calls exploits TURN servers used by Zoom and Teams for covert C2 communication.
- The technique bypasses firewalls, proxies, and TLS inspection by blending into normal enterprise traffic.
- It uses WebRTC protocols and legitimate credentials to establish secure tunnels for data exfiltration and control.
- Praetorian developed an open-source tool called "TURNt" to facilitate this tunneling method.
- The technique does not rely on vulnerabilities in conferencing apps but utilizes their infrastructure for malicious purposes.
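Because the technique uses the conferencing vendor's own TURN relays with valid credentials, there is no signature to match; what a defender can look at is the shape of the relay session. The following is an added example, not code from the original article and not part of Praetorian's TURNt. It parses STUN/TURN control messages and TURN ChannelData framing (message types and the magic cookie are from RFC 5389 and RFC 5766), aggregates them per client/relay pair, and flags relay allocations that stay alive far longer than a meeting while carrying far less data than audio or video would. The two thresholds, the sample traffic, and the IP addresses are constructed assumptions for illustration.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta

STUN_MAGIC_COOKIE = 0x2112A442

# STUN/TURN message types with the class bits folded in (RFC 5389 / RFC 5766).
MSG_TYPES = {
    0x0001: "Binding Request",
    0x0101: "Binding Success",
    0x0003: "Allocate Request",
    0x0103: "Allocate Success",
    0x0113: "Allocate Error",
    0x0004: "Refresh Request",
    0x0104: "Refresh Success",
    0x0016: "Send Indication",
    0x0017: "Data Indication",
    0x0008: "CreatePermission Request",
    0x0108: "CreatePermission Success",
    0x0009: "ChannelBind Request",
    0x0109: "ChannelBind Success",
}


def classify(packet: bytes):
    """Return ("stun", type_name, length) for a STUN/TURN control message,
    ("channeldata", channel, length) for a TURN ChannelData frame, else None."""
    if len(packet) < 4:
        return None
    top_bits = packet[0] >> 6
    if top_bits == 0b01:  # ChannelData: channel number 0x4000-0x7FFF
        channel, length = struct.unpack("!HH", packet[:4])
        return ("channeldata", channel, length)
    if top_bits == 0b00 and len(packet) >= 20:  # STUN header is 20 bytes
        msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
        if cookie == STUN_MAGIC_COOKIE:
            return ("stun", MSG_TYPES.get(msg_type, f"unknown-0x{msg_type:04x}"), length)
    return None


def analyze_flows(events, max_lifetime=timedelta(hours=2), min_bytes_per_minute=50_000):
    """events: iterable of (timestamp, client_ip, relay_ip, packet_bytes).
    Flags relay sessions that outlive max_lifetime while moving less relayed
    data per minute than min_bytes_per_minute (both thresholds are assumptions)."""
    flows = defaultdict(lambda: {"first": None, "last": None, "allocated": False,
                                 "refreshes": 0, "relay_bytes": 0})
    for ts, src, dst, pkt in events:
        kind = classify(pkt)
        if kind is None:
            continue
        f = flows[(src, dst)]
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
        if kind[0] == "stun":
            if kind[1] == "Allocate Success":
                f["allocated"] = True
            elif kind[1] == "Refresh Request":
                f["refreshes"] += 1
        else:
            f["relay_bytes"] += kind[2]
    report = {}
    for key, f in flows.items():
        if not f["allocated"]:
            continue  # no relay allocation, nothing to tunnel through
        lifetime = f["last"] - f["first"]
        minutes = max(lifetime.total_seconds() / 60, 1)
        rate = f["relay_bytes"] / minutes
        report[key] = {
            "lifetime_min": round(minutes, 1),
            "bytes_per_min": round(rate),
            "refreshes": f["refreshes"],
            "flagged": lifetime > max_lifetime and rate < min_bytes_per_minute,
        }
    return report


# Helpers to build constructed sample packets (transaction ID left as zeros).
def stun_msg(msg_type, body=b""):
    return struct.pack("!HHI", msg_type, len(body), STUN_MAGIC_COOKIE) + b"\x00" * 12 + body


def channel_data(channel, payload):
    return struct.pack("!HH", channel, len(payload)) + payload


def constructed_events():
    """Constructed traffic: one 45-minute call and one 8-hour low-volume relay session."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    relay = "203.0.113.10"  # assumed relay address
    events = [(t0, "10.0.0.5", relay, stun_msg(0x0003)), (t0, "10.0.0.5", relay, stun_msg(0x0103)),
              (t0, "10.0.0.9", relay, stun_msg(0x0003)), (t0, "10.0.0.9", relay, stun_msg(0x0103))]
    for s in range(2700):  # call: ~1.2 KB of media every second for 45 minutes
        events.append((t0 + timedelta(seconds=s), "10.0.0.5", relay, channel_data(0x4000, b"\xaa" * 1200)))
    for m in range(481):  # tunnel: 64 bytes a minute for 8 hours, refreshed every 5 minutes
        ts = t0 + timedelta(minutes=m)
        if m % 5 == 0:
            events.append((ts, "10.0.0.9", relay, stun_msg(0x0004)))
        events.append((ts, "10.0.0.9", relay, channel_data(0x4001, b"\xbb" * 64)))
    return events


if __name__ == "__main__":
    for flow, stats in analyze_flows(constructed_events()).items():
        print(flow, stats)
```

The real call is short and heavy; the relay session that survives for a working day on a few bytes per minute is the one worth correlating with the conferencing client's meeting history. Both thresholds should be tuned against the organization's own TURN baseline before being used for alerting.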