Cybersecurity researchers have uncovered a striking new threat vector dubbed Ghost Calls. This attack repurposes trusted web conferencing platforms, such as Zoom, Microsoft Teams, and Google Meet, as covert command and control (C&C) channels. Using the TURN protocol, the technique quietly tunnels malicious traffic through conferencing infrastructure, effectively blending in with legitimate real-time traffic.
How the Attack Unfolds
Attackers use a tool called TURNt to hijack TURN credentials from genuine WebRTC sessions. These credentials allow them to piggyback on traffic via standard ports (like TCP 443 and UDP 8801), routing commands and data through encrypted video conferencing flows. This means infiltrating environments previously thought secure is now startlingly simple and low-risk.
Why Ghost Calls Are Especially Dangerous
Conferencing tools are often exempted from deep packet inspection and VPN policies to optimize performance. Shadowy C&C tunnels can thereby operate undetected alongside legitimate communications. TURNt can be used to facilitate SOCKS proxying, port forwarding, and even encrypted remote access – all while masquerading as regular video traffic.
Strategic Defense Moves
Traditional monitoring and traffic analysis fall short in detecting this threat. Organizations need layered defense strategies including deployment of “canary tokens” to flag reconnaissance, monitoring for offensive tooling like Impacket, and crafting dedicated detection for misuse of TURN credentials. Custom tooling such as TURNt underscores how existing infrastructure can be weaponized.
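One way to build the dedicated detection described above, as an added example that is not from the researchers or from COE Security: parse the STUN/TURN header of captured payloads and alert when a TURN Allocate request comes from a process that is not an approved conferencing client. The event fields, process allowlist, and sample data are assumptions constructed for illustration.

```python
import struct

MAGIC_COOKIE = 0x2112A442      # fixed STUN magic cookie (RFC 8489)
ALLOCATE_REQUEST = 0x0003      # TURN Allocate request (RFC 8656)
USERNAME = 0x0006              # STUN USERNAME attribute
# Assumption: process names your organization approves as conferencing clients.
APPROVED_CLIENTS = {"zoom.exe", "ms-teams.exe", "chrome.exe"}

def parse_stun(payload):
    """Return (msg_type, attrs) for a STUN/TURN message, or None if not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits are zero, the cookie matches, the body is 4-byte aligned and present.
    if msg_type & 0xC000 or cookie != MAGIC_COOKIE or length % 4 or 20 + length > len(payload):
        return None
    attrs, off, end = {}, 20, 20 + length
    while off + 4 <= end:
        a_type, a_len = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + a_len > end:
            return None        # truncated attribute: treat as malformed
        attrs.setdefault(a_type, payload[off + 4:off + 4 + a_len])
        off += 4 + a_len + (-a_len % 4)   # attribute values are padded to 4 bytes
    return msg_type, attrs

def flag_unexpected_allocations(events):
    """Alert on TURN Allocate requests sent by processes outside the allowlist."""
    alerts = []
    for ev in events:
        parsed = parse_stun(ev["payload"])
        if parsed is None or parsed[0] != ALLOCATE_REQUEST:
            continue
        if ev["process"].lower() not in APPROVED_CLIENTS:
            user = parsed[1].get(USERNAME, b"").decode("utf-8", "replace")
            alerts.append((ev["process"], ev["dst"], user))
    return alerts

def build_stun(msg_type, attrs=b""):  # constructed message with a fixed transaction ID
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + b"\x01" * 12 + attrs

# Constructed sample telemetry (not real traffic): process, destination, payload.
user_attr = struct.pack("!HH", USERNAME, 5) + b"alice" + b"\x00" * 3
SAMPLE_EVENTS = [
    {"process": "Zoom.exe", "dst": "198.51.100.10:8801", "payload": build_stun(ALLOCATE_REQUEST, user_attr)},
    {"process": "updater.exe", "dst": "198.51.100.10:8801", "payload": build_stun(ALLOCATE_REQUEST, user_attr)},
    {"process": "updater.exe", "dst": "198.51.100.10:8801", "payload": build_stun(0x0001)},
    {"process": "notes.exe", "dst": "198.51.100.10:8801", "payload": b"\x16\x03\x01\x00\x05hello"},
]
ALERTS = flag_unexpected_allocations(SAMPLE_EVENTS)  # evaluated on the constructed sample
```

TURN over TLS on TCP 443 hides this framing from network sensors, so the payload check applies only where the sensor sees the cleartext STUN header, such as UDP flows or endpoint instrumentation.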
Conclusion
Ghost Calls represent a profound shift in attacker tactics—using collaboration platforms as enablers for covert operations. As remote collaboration becomes ubiquitous, defenders must anticipate threats coming from within trusted channels. It’s essential to evolve policies, strengthen protocol-level detection, and scrutinize seemingly benign infrastructure for hidden abuse.
About COE Security
COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:
- AI-enhanced threat detection and real-time monitoring
- Data governance aligned with GDPR, HIPAA, and PCI DSS
- Secure model validation to guard against adversarial attacks
- Customized training to embed AI security best practices
- Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
- Secure Software Development Consulting (SSDLC)
- Customized Cybersecurity Services
We bolster defenses by assessing and securing conferencing architecture, crafting detection methods for covert tunnels, and designing incident response strategies tailored to WebRTC and collaboration tools.