Smart collaboration and the hidden risks of TURN server hijacking

Darren Guccione at Keeper Security describes how collaboration tools can become cyber-attack platforms

 

In an era defined by hybrid work, collaboration platforms like Microsoft Teams and Zoom have become the backbone of enterprise communications. Connecting teams globally, streamlining projects and enabling seamless business continuity, it’s impossible to imagine organisations today operating efficiently without them.

 

Recent research, however, has revealed how these important tools can be weaponised in ways that bypass traditional defences entirely.

 

Ghost Calls, which exploit Traversal Using Relays around NAT (TURN) servers to hijack conferencing sessions, comprise yet another concerning attack vector in cyber-criminals’ ever-expanding toolkit. Seizing temporary credentials issued to legitimate users, attackers can tunnel malicious activity through infrastructure that organisations inherently whitelist. Once inside the network, adversaries can move undetected, operating within the boundaries of approved business activity.

 

 

When unauthorised access goes undetected

Platforms like Teams and Zoom don’t only provide a vital means of communication; they have also evolved into critical business systems, integrating with document repositories, project management platforms and identity providers. For many organisations, the lines between “communication” and “core infrastructure” have blurred. Cyber-criminals recognise this and view these platforms as ideal launchpads for nefarious activity.

 

Hijacking TURN credentials enables threat actors to:

• Establish covert command-and-control channels inside organisational networks.
• Evade perimeter defences by blending malicious traffic with legitimate business flows.
• Maintain persistent access without leaving the traditional forensic footprints of malware or phishing campaigns.

When these tools are integrated with Single Sign-On (SSO) environments or hold elevated permissions to other systems, the threat level is significantly elevated. Without the proper security controls in place, a compromised session in a collaboration platform can quickly cascade into a breach affecting finance, HR, customer data or intellectual property.

 

This scenario represents a blueprint for long-term compromise in high-value environments. The challenge lies in the fact that collaboration tools are often treated as “low risk” because they sit outside of traditional critical infrastructure lists.

 

 

Securing collaboration tools with privileged access management

Cyber-security leaders should recognise that collaboration platforms form part of the organisation’s privileged access ecosystem and must be protected with the same rigour as administrative consoles or sensitive databases. That means:

• Applying zero-trust principles to every session, ensuring that no collaboration traffic is implicitly trusted.
• Enforcing least privilege so that conferencing accounts and integrations have only the minimum rights required to function.
• Implementing continuous monitoring for unusual behaviours, such as unexpected data transfers, atypical session durations or new device connections during calls.
• Segmenting access paths so even if a session is hijacked, the attacker cannot move laterally into other systems without hitting additional authentication barriers.

The rise of Ghost Calls as an attack technique is another reminder that malicious cyber-actors will always seek out blind spots in organisational security. It also highlights how trusted business tools are viewed as prime candidates because of the implicit trust that is placed in them. As collaboration platforms continue to become more deeply embedded in enterprise workflows, the cost of treating them as peripheral systems grows exponentially.

 

Every connection is a potential entry point today. By enforcing least privilege, isolating sensitive resources, and continuously monitoring every privileged session, modern Privileged Access Management (PAM) solutions can shut down the covert pathways that attacks like TURN server hijacking rely on, preventing hackers from using trusted collaboration tools as command-and-control channels.

 

---

 

Darren Guccione is CEO And Co-Founder of Keeper Security

 

Main image courtesy of iStockPhoto.com and Kateryna Onyshchuk