DragonForce Ransomware Group Uses Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
What Happened — Researchers at Broadcom‑owned Symantec and Carbon Black identified a custom Go‑based RAT, Backdoor.Turn, being deployed by the DragonForce ransomware gang. The malware tunnels its command‑and‑control (C2) traffic through Microsoft Teams relay infrastructure, effectively using a legitimate SaaS channel to evade detection. The campaign targeted a large U.S. services firm.
Why It Matters for Compliance & Audit Readiness
- This is a textbook example of a third‑party supply‑chain abuse that SOC 2 vendor‑management controls are designed to detect and mitigate.
- Continuous monitoring of SaaS integrations (e.g., Teams) provides audit‑ready evidence that you are exercising due diligence over third‑party risk.
- Mapping this incident to the SOC 2 CC6.1 (Vendor Management) control helps demonstrate a defensible posture during audits.
Who Is Affected — Professional services organizations, consulting firms, and any enterprise that relies on Microsoft Teams for collaboration.
Recommended Actions
- Review and tighten Teams app‑permission policies; enforce least‑privilege and restrict external relay usage.
- Integrate automated SaaS‑risk monitoring into your SOC 2 vendor‑risk program to capture evidence of control effectiveness.
- Conduct a focused audit of third‑party C2 channels and update incident‑response playbooks to include SaaS‑based exfiltration vectors.
Technical Notes – The backdoor is written in Go, leverages Microsoft Teams’ relay service to blend malicious traffic with legitimate collaboration traffic, and was observed in the wild against a U.S. services firm. No public CVE is associated; the technique exploits trusted cloud infrastructure rather than a software flaw.
Source: The Hacker News