What is the Vectra Vulnerability in Microsoft Teams?

The Vectra vulnerability in Microsoft Teams has been generating significant attention in the digital landscape since it was revealed in a blog post published in September 2022.

Vectra, a cybersecurity firm, revealed a potentially serious flaw in the desktop version of the popular UCaaS and collaboration service, related to how authentication tokens are stored. Vectra found that the Teams desktop app holds authentication tokens in plain text files, leaving them vulnerable to third-party attacks.

As countless new companies flock to Teams, transforming it into an all-in-one solution for CCaaS, UCaaS, and collaboration, security issues like this are difficult to ignore. Here’s everything business leaders need to know to ensure the vulnerability Vectra revealed doesn’t impact their teams.

What is the Vectra Vulnerability Issue?

In August 2022, a Vectra Protect customer complained about an issue with identity management in Teams, prompting the brand’s experts to examine the ways account information can be stored within a Microsoft Teams client.

During their research, the Vectra team found the Teams desktop app stores authentication tokens in plain text, making it easier for criminals to potentially steal and use personal data hosted within the Teams environment. The cybersecurity company explained these plain text tokens give attackers the means to “assume the identity” of individuals within a Teams environment, accessing all of the documents, data and features that would be available to the user.

Notably, the tokens are just as valid for accounts with multifactor authentication (MFA) enabled, potentially allowing criminals to bypass common authentication methods. The issue affects all desktop versions of the Teams app based on the Electron framework, running across Windows, Linux, and macOS machines.

Though common in the technology world, Electron, like every application framework, has its own idiosyncrasies related to security and authentication. Open-source solutions like Electron are popular tools for making development processes easier and faster, but they do have their issues.

The Electron framework doesn’t support file encryption or location protection, which prevents credentials from being properly secured during storage. This isn’t the first time Electron security issues have been identified by industry analysts. Previous bugs have been discovered in the system capable of disrupting the performance of apps from Microsoft, Discord, and many others.

How Severe is the Vectra Vulnerability?

While the flaw only affects desktop versions of the Microsoft Teams app (not browser versions), it could still potentially pose a number of problems to Teams users.

According to Vectra researcher Connor Peoples, it’s not just the threat of one account being compromised that companies have to worry about. If attackers have the opportunity to take control of critical seats within a business through Teams, they can perform tasks that would potentially damage the operations of the entire organization.

Not only could access to the tokens provide attackers with a means to assume the identity of a user within Teams, but it could also allow them to tamper with crucial communications within a business, according to Vectra. Attackers could potentially destroy data, edit messages, and even engage in targeted phishing attacks, while posing as an authentic team member.

Vectra developed a proof-of-concept document to share with Microsoft, covering the details of the exploit, to request a fix. However, when the issue was introduced to the Microsoft team, it wasn’t considered a major threat by the security experts.

Is Microsoft Fixing the Vectra Vulnerability?

A Microsoft spokesperson issued a statement to BleepingComputer, saying the security issue described wasn’t classified as one that required immediate servicing. According to Microsoft, the flaw isn’t a significant threat, because it requires an attacker to gain access to a target network before they can steal user credentials.

This doesn’t necessarily mean that a solution isn’t on the horizon, however. In 2021, Microsoft began working on a web-based version of the new “Teams 2.0” desktop app, which eliminates the Electron framework, switching instead to Edge WebView2. The latest version of the Microsoft Teams app for Windows, which entered public preview in March 2023, may provide Windows users with an opportunity to avoid the security flaw entirely.

At the same time, the updated Teams app comes with a variety of bonus features to explore, including Microsoft’s recent innovations in the generative AI world, with Microsoft Copilot.

The updated Teams solution should provide a higher degree of OS-level security to companies, helping to protect storage and cookies made vulnerable by Electron. However, it’s difficult to know for certain when this new solution will be available to all desktop users.

How Can Companies Defend Against the Vectra Vulnerability?

Although the Vectra vulnerability in Microsoft Teams might be worrying for some business leaders, it’s worth noting that there are ways for companies to protect themselves, even before the new version of the desktop app is available.

Even Vectra has noted that in its interactions with customers, only organizations with higher exposure to sophisticated attackers are considering removing the old Teams desktop app from their network. Instead, many organizations are simply implementing endpoint protection and response monitoring policies, to watch for instances of unauthorized access to file storage locations for tokens.

For those continuing to use the desktop version of the app with the Vectra vulnerability, endpoint and access monitoring tools could be an excellent way to reduce security concerns. By watching application files closely, security teams can determine whether tokens are leveraged for any other processes outside of the official Teams application.
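The monitoring idea above, as an added example that is not from Vectra, Microsoft or the original article: a Python check that flags any process other than the official Teams binary touching files in the token storage directory. The directory and install paths are placeholders, the event schema is hypothetical, and the sample events are constructed; map them to what your endpoint tooling records.

```python
import json
import ntpath  # Windows path rules, usable on any OS

# Placeholders: the article does not list the real locations. Replace these
# with the Teams data directory and install path used in your environment.
PROTECTED_DIRS = [r"C:\PLACEHOLDER\TeamsTokenStore"]
ALLOWED_IMAGES = [r"C:\PLACEHOLDER\TeamsInstall\Teams.exe"]

# Constructed file-access events in a hypothetical schema, one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\PLACEHOLDER\\TeamsInstall\\Teams.exe", "target": "C:\\PLACEHOLDER\\TeamsTokenStore\\store.db"}
{"pid": 5511, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Teams.exe", "target": "C:\\PLACEHOLDER\\TeamsTokenStore\\store.db"}
{"pid": 6002, "image": "C:\\Tools\\backup.exe", "target": "c:/placeholder/teamstokenstore/store.db"}
{"pid": 6003, "image": "C:\\Tools\\backup.exe", "target": "C:\\PLACEHOLDER\\TeamsTokenStore\\..\\Other\\notes.txt"}
{"pid": 6004, "image": "C:\\Tools\\backup.exe", "target": "C:\\PLACEHOLDER\\TeamsTokenStoreBackup\\x.db"}
"""

def _norm(path):
    # Collapse "..", unify slashes and case so path variants compare equal.
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(target, directory):
    t, d = _norm(target), _norm(directory)
    # Require a separator after the directory so sibling names do not match.
    return t == d or t.startswith(d.rstrip("\\") + "\\")

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspect_access(events, protected_dirs=PROTECTED_DIRS,
                        allowed_images=ALLOWED_IMAGES):
    """Return events where a process other than the allowed Teams binary
    touched a file inside a protected token directory."""
    # Compare the full image path: a binary merely named Teams.exe that runs
    # from another folder must not be trusted.
    allowed = {_norm(p) for p in allowed_images}
    hits = []
    for ev in events:
        if not any(_is_under(ev["target"], d) for d in protected_dirs):
            continue
        if _norm(ev["image"]) not in allowed:
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in find_suspect_access(parse_events(SAMPLE_EVENTS)):
        print("ALERT pid=%(pid)s image=%(image)s target=%(target)s" % ev)
```

Of the five constructed events, only the look-alike `Teams.exe` running from a temp folder and the backup tool reading the store through a differently cased path are flagged; the path that resolves outside the directory and the sibling directory are not.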

Alternatively, businesses can always consider switching to the web-based client for Teams, which comes with multiple OS-level controls as standard to protect against token leaks.

Microsoft has worked to make the web application just as robust and intuitive as the desktop app, so switching to a web-based solution shouldn’t have a major impact on team productivity.



from UC Today https://ift.tt/ky6o2Ea
