Date: 2025-08-07

Threat Intelligence, Identity, Network Security

Microsoft Teams, Zoom TURN servers leveraged by novel Ghost Calls C2 bypass method


BleepingComputer reports that Microsoft Teams, Zoom, and other video-conferencing apps could have their Traversal Using Relays around NAT (TURN) servers exploited for traffic tunneling through Ghost Calls, a new post-exploitation command-and-control (C2) bypass tactic.

Temporary TURN credentials provided when joining Teams or Zoom meetings could be taken over by Ghost Calls to create a TURN-based WebRTC client, which attackers could then leverage for arbitrary data proxying or C2 traffic concealment while benefiting from reliable connectivity, according to a Praetorian study presented at Black Hat USA 2025. Praetorian researchers were able to tunnel traffic through the custom open-source TURNt utility, which includes a Controller for the threat actor that executes a SOCKS proxy server to approve TURN-tunneled connections and a Relay for the impacted host device. Neither Microsoft nor Zoom has disclosed whether more security measures will be implemented to prevent such an intrusion.

Related

Nascent HTTP request smuggling attacks have widespread impact

SecurityWeek reports that multiple major organizations, popular content delivery networks, and websites have been compromised with new versions of the HTTP request smuggling attack technique, also known as desync attack, which involves the delivery of malicious requests to facilitate session theft, web cache poisoning, or phishing site redirections.

Key cybersecurity threats identified in new report

SiliconANGLE reports that the threats weighing most heavily on organizations' cybersecurity are cyberattacks powered by artificial intelligence, zero-day exploits, and cybercrime syndicates, with phishing, ransomware, insider threats, and credential breaches being among the most prevalent attack vectors.

TDS services tapped by SocGholish malware operators

Intrusions involving the SocGholish malware, also known as FakeUpdates, have been facilitated by the TA569 threat operation, also known as Mustard Tempest, Gold Prelude, Purple Vallhund, and UNC1543, through traffic distribution systems Parrot TDS and Keitaro TDS, according to The Hacker News.
