DragonForce Ransomware Hides C2 in Microsoft Teams TURN Relay, Evading Detection for Two Months
What Happened — DragonForce ransomware operators compromised a major U.S. services firm and concealed their command‑and‑control (C2) traffic by routing it through Microsoft Teams TURN relay servers. The custom backdoor Backdoor.Turn mimicked normal Teams traffic, remaining undetected for one to two months while the attackers harvested credentials, mapped Active Directory, and moved laterally.
Why It Matters for Compliance & Audit Readiness
- The abuse of a legitimate cloud service illustrates a control‑gap where existing network monitoring controls cannot differentiate benign from malicious traffic – a scenario SOC 2 continuous‑monitoring controls are designed to catch and document.
- Mapping this technique to your security control framework (e.g., CC6.1 Network Security, CC7.1 System Operations) provides audit‑ready evidence that you have validated the integrity of third‑party communication channels.
- Verisq’s Control Mapping capability can automatically correlate such misuse events to the relevant SOC 2 controls and generate continuous evidence for auditors.
Who Is Affected – Large professional services firms, managed service providers, and any organization that relies on Microsoft Teams for collaboration.
Recommended Actions
- Review and tighten controls around the use of TURN/relay services in your network segmentation and monitoring policies.
- Add detection rules that flag anomalous QUIC sessions to Microsoft TURN endpoints and correlate them with endpoint process injection indicators.
- Document the investigation and remediation steps in your SOC 2 evidence repository to demonstrate due diligence.
Technical Notes – The attackers initially entered via an unknown SQL/MSSQL vulnerability, used a BYOVD technique against signed drivers (including a Huawei driver), and injected the backdoor into DbgView64.exe. Traffic was encapsulated in a QUIC session over a legitimate Teams TURN relay, making it appear as normal Teams activity. Source: SecurityAffairs