Ghost Calls: Stealthy C2 Attack Exploits Zoom, Teams, and Meet

Aug 10, 2025 | By Meghana Raatni | 3 min read

A novel attack technique dubbed “Ghost Calls” has emerged, exploiting web conferencing platforms like Zoom, Microsoft Teams, and Google Meet to create covert command and control (C2) channels. This sophisticated method allows attackers to bypass traditional network security measures, making it a significant concern for cybersecurity professionals.

Root Cause

The Ghost Calls attack leverages the TURN (Traversal Using Relays around NAT) protocol, which is essential for WebRTC communications. TURN servers relay media between peers when firewalls and NAT devices prevent a direct peer-to-peer connection. The attack uses a tool called TURNt (TURN tunneler) to abuse this protocol, obtaining TURN credentials from legitimate web conferencing sessions and routing attacker traffic through the provider's relays.

This approach is particularly insidious because it exploits security recommendations from conferencing providers themselves. Both Zoom and Microsoft Teams officially recommend split-tunneling VPN configurations and exemptions from TLS inspection to optimize performance, inadvertently creating opportunities for attackers.

Impact & Exploit Potential

The primary impact of the Ghost Calls attack is the establishment of covert command and control channels that are difficult to detect. The encrypted traffic appears identical to normal video calls, defeating traditional network monitoring techniques. This allows attackers to perform data theft and other malicious activities without being easily identified.

The attack leverages standard ports like 443/TCP for TLS connections and 8801/UDP for media traffic, further complicating detection efforts. By blending seamlessly with enterprise-approved traffic patterns, Ghost Calls presents a significant challenge to network security.

Tactics, Techniques, and Procedures (TTPs)

The Ghost Calls attack involves specific tactics, techniques, and procedures (TTPs) that security professionals should be aware of:

  • TA0011 – Command and Control: Attackers establish covert communication channels to control compromised systems.
  • TA0005 – Defense Evasion: Attackers use traffic obfuscation and legitimate web services to evade detection.
  • T1102 – Web Service: Attackers use web services like Zoom, Microsoft Teams, and Google Meet to blend malicious traffic with legitimate communications.
  • T1027 – Traffic Obfuscation: The attack leverages standard ports and encryption to hide malicious activity within normal network traffic.

Mitigation & Recommendations

Traditional network monitoring approaches are largely ineffective against Ghost Calls attacks. Security experts recommend the following mitigation strategies:

  • Implement canary tokens: Use canary tokens to detect early enumeration activities.
  • Focus on identifying proxied offensive tools: Rather than monitoring the communication channel itself, focus on identifying proxied offensive tools like Impacket or secretsdump.py.
  • Enhance endpoint security: Improve endpoint detection and response (EDR) capabilities to identify malicious activities originating from compromised systems.
  • Review VPN configurations: Re-evaluate split-tunneling VPN configurations and TLS inspection exemptions to balance performance optimization with security risks.
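Because the relayed traffic looks like a normal call on the wire, the practical check moves to the endpoint: which process owns each session on the conferencing ports. The following is an added example (not code from the article or from any vendor) that triages constructed EDR-style network events; the expected client names, the relay domain suffixes and the session-length threshold are assumptions.

```python
import re

# Ports the article names: 443/TCP for TLS signalling, 8801/UDP for media.
CONFERENCING_PORTS = {("tcp", 443), ("udp", 8801)}

# Assumed (not from the article): process names that legitimately own
# conferencing traffic, and domain suffixes of the vendors' relay hosts.
EXPECTED_CLIENTS = {"zoom.exe", "ms-teams.exe", "chrome.exe", "msedge.exe"}
RELAY_DOMAIN_RE = re.compile(r"\.(zoom\.us|microsoft\.com|google\.com)$")

# Assumed threshold: a relay session longer than this deserves a look.
MAX_SESSION_SECONDS = 4 * 3600

LOG_RE = re.compile(
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) dur=(?P<dur>\d+)s")


def parse_line(line):
    """Parse one constructed EDR network-event line into a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"], rec["dur"] = int(rec["port"]), int(rec["dur"])
    return rec


def find_suspect_sessions(lines):
    """Return (host, proc, reason) for relay-bound sessions on conferencing
    ports that no expected client owns, or that run unusually long."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["port"]) not in CONFERENCING_PORTS:
            continue
        if not RELAY_DOMAIN_RE.search(rec["dst"]):
            continue  # ordinary HTTPS to other hosts is out of scope here
        if rec["proc"].lower() not in EXPECTED_CLIENTS:
            findings.append((rec["host"], rec["proc"], "non-client process on conferencing port"))
        elif rec["dur"] > MAX_SESSION_SECONDS:
            findings.append((rec["host"], rec["proc"], "abnormally long relay session"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "host=ws01 proc=Zoom.exe proto=udp dst=relay1.zoom.us:8801 dur=2700s",
    "host=ws02 proc=svchost.exe proto=udp dst=relay2.zoom.us:8801 dur=31000s",
    "host=ws03 proc=python.exe proto=tcp dst=relay3.zoom.us:443 dur=600s",
    "host=ws04 proc=chrome.exe proto=tcp dst=meet.google.com:443 dur=20000s",
    "host=ws05 proc=python.exe proto=tcp dst=api.example.com:443 dur=50s",
]
```

Running `find_suspect_sessions(SAMPLE_LOG)` flags ws02 and ws03 (non-client processes on relay ports) and ws04 (a browser session well past the threshold), while ws01 and ws05 are left alone.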

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.
