In the ever-evolving landscape of cybersecurity threats, a novel attack technique known as Ghost Calls has emerged, exploiting web conferencing platforms to establish covert command and control (C2) channels. This method leverages the TURN (Traversal Using Relays around NAT) protocol, integral to applications like Zoom, Microsoft Teams, and Google Meet, to bypass traditional network security measures.
Understanding the TURN Protocol
The TURN protocol is a critical component of WebRTC (Web Real-Time Communication), facilitating peer-to-peer connections by relaying media traffic through servers when direct connections are obstructed by firewalls or Network Address Translation (NAT) devices. This functionality ensures seamless communication in web conferencing applications, even in restrictive network environments.
The TURNt Tool: Weaponizing Web Conferencing Infrastructure
At the forefront of the Ghost Calls attack is a tool named TURNt (TURN tunneler), developed to exploit the TURN protocol. TURNt operates by obtaining legitimate TURN credentials from active web conferencing sessions. These credentials, often valid for several days, are then used to establish encrypted communication channels that are virtually indistinguishable from legitimate video conferencing traffic.
The attack specifically targets major platforms, including Zoom, Microsoft Teams, and Google Meet, which collectively dominate the web conferencing market. By utilizing standard ports such as 443/TCP for TLS connections and 8801/UDP for media traffic, the malicious activity blends seamlessly with normal network operations, making detection exceedingly challenging.
Exploiting Security Recommendations
A particularly insidious aspect of the Ghost Calls attack is its exploitation of security recommendations provided by the conferencing platforms themselves. Both Zoom and Microsoft Teams advocate for split-tunneling VPN configurations and exemptions from TLS inspection to optimize performance. For instance, Microsoft’s documentation explicitly states: "We recommend that Teams traffic bypasses proxy server infrastructure, including SSL inspection." Attackers leverage these recommendations to ensure their malicious traffic is not scrutinized by security appliances, thereby evading detection.
Operational Mechanics of the Attack
Once the TURNt tool has established a tunnel through a conferencing provider's TURN relay, it supports multiple communication modes, including SOCKS proxying, local and remote port forwarding, and connections through WebSockets over HTTPS. The encrypted traffic generated by these methods mirrors legitimate conferencing data, rendering traditional network monitoring tools ineffective. The standard WebRTC handshake with DTLS encryption further obscures the malicious activity, since the traffic appears identical to a normal video call.
Mitigation Strategies
Given the sophistication of the Ghost Calls attack, traditional network monitoring approaches are insufficient. Security experts recommend implementing canary tokens to detect early enumeration activities. Additionally, focusing on identifying proxied offensive tools, such as Impacket or secretsdump.py, rather than monitoring the communication channel itself, can enhance detection capabilities. Understanding the nuances of this attack vector is crucial for developing effective countermeasures.
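To make the relay mechanics described under "Understanding the TURN Protocol" concrete, and to give the detection advice above something to work with, here is an added example (not from the article and not from the TURNt tool): a small Python parser for STUN/TURN message framing (RFC 5389 and RFC 5766) that summarizes, per TURN username, the Allocate and Refresh requests seen and the longest lifetime requested. The sample messages are constructed for the demo, not captured from any platform.

```python
import struct

MAGIC_COOKIE = 0x2112A442
# STUN/TURN method numbers (RFC 5389, RFC 5766); the class lives in bits 4 and 8 of the type field
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_USERNAME, ATTR_LIFETIME, ATTR_REQUESTED_TRANSPORT = 0x0006, 0x000D, 0x0019

def parse_stun(msg: bytes) -> dict:
    """Decode one STUN/TURN message into method, class and raw attributes (type -> value bytes)."""
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8].ljust(8, b"\0"))
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or len(msg) != 20 + mlen:
        raise ValueError("not a well-formed STUN message")
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    cls = ((mtype & 0x0010) >> 4) | ((mtype & 0x0100) >> 7)
    attrs, pos = {}, 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[atype] = msg[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4-byte boundaries
    return {"method": METHODS.get(method, hex(method)), "class": CLASSES[cls], "attrs": attrs}

def build_stun(mtype: int, attrs: list, txid: bytes) -> bytes:
    """Encode a STUN message; used here only to construct sample traffic for the demo."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\0" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + txid + body

def summarize_turn(messages) -> dict:
    """Per TURN username: Allocate/Refresh requests seen and the longest LIFETIME asked for."""
    report = {}
    for raw in messages:
        m = parse_stun(raw)
        if m["class"] != "request" or m["method"] not in ("Allocate", "Refresh"):
            continue  # responses, indications and plain STUN Bindings are not allocations
        user = m["attrs"].get(ATTR_USERNAME, b"<no-username>").decode(errors="replace")
        lifetime = struct.unpack("!I", m["attrs"].get(ATTR_LIFETIME, b"\0\0\0\0"))[0]
        entry = report.setdefault(user, {"allocates": 0, "refreshes": 0, "max_lifetime": 0})
        entry["allocates" if m["method"] == "Allocate" else "refreshes"] += 1
        entry["max_lifetime"] = max(entry["max_lifetime"], lifetime)
    return report

# Constructed sample exchange (not a real capture): one client allocates a UDP relay, then refreshes it.
SAMPLE = [
    build_stun(0x0003, [(ATTR_USERNAME, b"alice"), (ATTR_REQUESTED_TRANSPORT, b"\x11\0\0\0"),
                        (ATTR_LIFETIME, struct.pack("!I", 3600))], b"A" * 12),
    build_stun(0x0103, [(ATTR_LIFETIME, struct.pack("!I", 600))], b"A" * 12),  # Allocate success
    build_stun(0x0004, [(ATTR_USERNAME, b"alice"), (ATTR_LIFETIME, struct.pack("!I", 600))], b"B" * 12),
]
```

Run over relay-bound traffic on the ports the article names (after TLS termination where the traffic is inspectable), the summary gives an inventory of which credentials hold relay allocations and for how long, which can then be compared against actual meeting activity.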
Conclusion
The Ghost Calls attack underscores the need for continuous vigilance and adaptation in cybersecurity practices. By exploiting trusted web conferencing platforms and protocols, attackers can establish covert C2 channels that are challenging to detect. Organizations must stay informed about emerging threats and implement robust security measures to safeguard their networks against such sophisticated attacks.