Microsoft Teams Updater Abused To Carry Out Living-off-the-Land Attacks

A considerable spike has been observed in the usage of Microsoft Teams collaboration service with millions joining it during the COVID-19 pandemic. Fortunately, before attackers could, researchers have identified a flaw in the Microsoft Teams Updater that rose from the grave.


What happened?

A flaw was discovered in MS Teams Updater by reverse engineers Reegun Richard and Charles Hamilton in July 2019. By exploiting it, a malicious actor could use the MS Teams Updater to download any binary or payload they wished. 
  • In August 2020, experts found that the flaw is a part of a vulnerability fixed earlier. The changes made by the vendor previously could be bypassed.
  • An attacker could exploit the flaw by pointing to a remote SMB share. For that, an attacker needs to first move the file inside the targeted network in open shared folders and also require access to the payload from that share to the victim machine.
  • Another faster way to do it by setting up a Samba server. The attacker could download remote payload, and execute it directly from Microsoft Teams Updater "Update.exe"


The previous patch story

Previous efforts from Microsoft could not stop attackers from abusing Teams to download and run their payloads.
  • The previously provided patch for Teams was aimed at restricting its ability to update via a URL, which was the main factor leading to the exploitation. But a workaround was identified to bypass this restriction.
  • Due to this partially-patched flaw, Microsoft Teams Update.exe binary would act as a LOLbin (Living-off-the-Land binary) to retrieve and execute malware from a remote location.


Safety tips

When installing the Microsoft Teams “update.exe”, users should validate the size and hash of the downloaded installer before executing it. All the outgoing SMB connections, particularly those originating from Microsoft Teams updater, should be thoroughly monitored and assessed.