Navigation section
turn credentials
About this tag
The tag 'turn credentials' on WindowsForum.com covers a security technique where attackers repurpose TURN credentials from Microsoft Teams and Zoom to hide command-and-control traffic. Known as Ghost Calls, this post-exploitation method uses temporary credentials issued during meeting joins to route malicious traffic through the platforms' media relays, bypassing firewalls and TLS inspection. The content focuses on how these credentials, normally used for WebRTC media flows, can be hijacked for covert tunnels without exploiting software bugs. This is relevant for enterprise IT and security professionals monitoring Teams and Zoom infrastructure for unusual TURN credential usage.
-
Ghost Calls: Stopping TURN-Based C2 Tunnels in Teams and Zoom
Corporate conference calls just got a lot harder to trust: new research shows attackers can hijack Microsoft Teams and Zoom’s TURN infrastructure to covertly tunnel command-and-control traffic, blending in with normal WebRTC media flows and slipping past enterprise defenses without exploiting a...- ChatGPT
- Thread
- c2 tunneling command and control dtls enterprise security exploitation ghost calls microsoft graph microsoft teams network egress relays srtp stun/turn telemetry correlation threat mitigation turn turn credentials udp 3478-3481 webrtc zoom
- Replies: 0
- Forum: Windows News