Cybersecurity researchers have uncovered a sophisticated attack technique being employed by the DragonForce ransomware group, demonstrating how threat actors continue to leverage legitimate services to mask their malicious activities. The attack specifically targets Microsoft Teams relay infrastructure to hide command-and-control communications, highlighting the evolving tactics of ransomware operators in their efforts to bypass security defenses.
According to a report from security researchers at Symantec and Carbon Black, both under Broadcom, the DragonForce hackers have developed a custom Go-based remote access trojan (RAT) named Backdoor.Turn. This malware was deployed against a major U.S. services firm, though the company's name has not been disclosed for security reasons. The attackers specifically designed Backdoor.Turn to exploit Microsoft Teams relay servers, effectively camouflaging their malicious command-and-control traffic within legitimate-looking communications. This approach allows the attackers to blend in with normal network traffic, making detection significantly more challenging for security systems.
The abuse of Microsoft Teams relays represents a clever evasion technique. Teams relay infrastructure is designed to facilitate seamless communication for remote workers, routing traffic through Microsoft's servers when direct connections are hindered by network restrictions. By hijacking this legitimate functionality, DragonForce actors can establish persistent, covert communication channels with their backdoor while appearing as normal Teams traffic to security monitoring tools.
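One way a defender can hunt for this kind of relay abuse is to correlate outbound connections to STUN/TURN relay ports with the process that opened them. The script below is an added example, not code from the Symantec/Carbon Black report or from the Backdoor.Turn sample; it assumes an endpoint agent exports one CSV line per outbound connection, that Teams media relays are reached on UDP/TCP 3478-3481, and that only the listed Teams binaries should be talking to them (the log lines and IPs are constructed).

```python
"""Flag relay-port connections that do not originate from a Teams client.

Assumptions (not from the report): the endpoint agent exports one line per
outbound connection as  ts,host,process,dest_ip,dest_port,proto,duration_s
and Teams media relays are reached over UDP/TCP 3478-3481 (3478 being the
STUN/TURN default).
"""
import csv
import io

# Process names expected to talk to Teams relay infrastructure (assumed allow-list).
EXPECTED_RELAY_CLIENTS = {"teams.exe", "ms-teams.exe", "msteams.exe"}
RELAY_PORTS = {3478, 3479, 3480, 3481}

# Constructed sample telemetry: one benign Teams call, one browser session,
# and two unexpected binaries holding relay sessions open for hours.
SAMPLE_LOG = """ts,host,process,dest_ip,dest_port,proto,duration_s
2024-01-01T09:00:00Z,WS-114,teams.exe,203.0.113.10,3478,udp,1800
2024-01-01T09:05:00Z,WS-114,chrome.exe,203.0.113.20,443,tcp,30
2024-01-01T09:10:00Z,SRV-07,svchost.exe,203.0.113.11,3478,tcp,86400
2024-01-01T09:12:00Z,SRV-07,updater.exe,203.0.113.12,3481,udp,7200
"""


def flag_relay_abuse(log_text, min_duration_s=3600):
    """Return (host, process, dest_ip, port, long_lived) for every relay-port
    connection opened by a process outside the allow-list.

    long_lived marks sessions at or above min_duration_s: a call ends after
    minutes, whereas a command-and-control channel tends to stay up for hours.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dest_port"])
        if port not in RELAY_PORTS:
            continue
        proc = row["process"].lower()
        if proc in EXPECTED_RELAY_CLIENTS:
            continue
        long_lived = int(row["duration_s"]) >= min_duration_s
        findings.append((row["host"], proc, row["dest_ip"], port, long_lived))
    return findings


if __name__ == "__main__":
    for finding in flag_relay_abuse(SAMPLE_LOG):
        print(finding)
```

In a real deployment the allow-list should also pin the binary's signer and path, since a process name alone is trivial to spoof.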
For security teams, this discovery has significant implications. Traditional security controls that rely on identifying suspicious network traffic patterns may fail to