‘Ghost Calls’ Attack Exploits Web Conferencing as Hidden Command-and-Control Channel

Security researchers have unveiled a sophisticated new attack technique called “Ghost Calls” that exploits popular web conferencing platforms to establish covert command-and-control (C2) channels, effectively turning trusted business communication tools into hidden pathways for cybercriminals.

The technique, presented by Adam Crosser from Praetorian at Black Hat USA 2025, demonstrates how attackers can abuse the TURN (Traversal Using Relays around NAT) protocol used by major platforms including Zoom, Microsoft Teams, and Google Meet to create stealthy tunnels for malicious activities.

Exploiting Trusted Infrastructure

The Ghost Calls method leverages the inherent trust that enterprises place in web conferencing solutions.

With Zoom commanding 55.91% market share and Microsoft Teams holding 32.29%, these platforms represent highly trusted communication channels that often bypass traditional security controls.

“Web conferencing solutions provide a compelling vector for covert short-term command and control channels,” Crosser explained during his presentation.

The attack exploits TURN servers—critical infrastructure components that help establish connections between users behind firewalls and NAT devices.

What makes this technique particularly dangerous is that many organizations explicitly exclude web conferencing traffic from security inspection.

Figure: Zoom Web Client Egress Attempts

Microsoft Teams and Zoom both recommend split tunneling configurations that bypass VPNs, and many security policies exempt these platforms from TLS inspection to maintain call quality.

The researchers developed TURNt (TURN tunneler), an open-source tool that demonstrates the attack’s capabilities.

The tool can establish remote port forwarding, local port forwarding, SOCKS proxying, and decentralized C2 communications—all while appearing as legitimate conferencing traffic.

Particularly concerning is the persistence of TURN credentials, which typically remain valid for several days and do not require an active meeting or any conferencing software installed on the victim system. This allows attackers to maintain access even after the initial compromise.

The attack presents significant detection challenges for security teams. Network traffic appears legitimate, using standard TLS encryption over port 443, making it nearly indistinguishable from genuine web conferencing activity.

Traditional monitoring approaches focusing on traffic volume or process correlation generate too many false positives.

Rather than attempting to detect the technique directly, researchers recommend focusing on other elements of the attack chain.

Effective countermeasures include deploying canary tokens to detect unauthorized access attempts and monitoring for specific offensive tools like Impacket or secretsdump.py that attackers might proxy through these channels.

The research highlights a broader trend of attackers exploiting trusted business applications to evade detection, forcing security teams to rethink traditional perimeter-based defense strategies in an era of ubiquitous cloud communications.
