GIFShell Exploit: When GIFs Go Bad, Collaboration is Dangerous


Gif of an arrow spinning between "GOOD" and "BAD"

It’s a well-known fact that collaboration tools also come with unique security risks, like users inadvertently sharing malicious files. Last week yet another more insidious risk became public knowledge. One of the most popular and arguably the most shared image file types, .gif, is being weaponized to create a remote shell allowing attackers to sneak in through a backdoor. Considering that sharing of amusing gif images and “reaction” gifs have become embedded in our communication, this is no small concern.

Collaboration tools such as Teams and Slack keep workforces connected, helping companies overcome challenges with remote working and geographically diverse employees. According to Gartner, 80% of users utilized collaboration tools in 2021, an increase from approximately 50% in the previous years. These tools have helped ensure productivity through real-time communication and simple sharing of files. 

This blog explores this new risk and how it leverages collaboration software as well as how organizations can protect themselves. 

Unexpected Dangers in GIFs

It is easy for organizations to defend themselves against high-risk data by blocking it. Attackers are not only constrained to only apparent attack vectors and commonly look for less obvious ways. Embedding and hiding harmful code in file types that organizations generally consider safe is one way they can bypass filters and carry out their attacks. A researcher recently discovered this scenario with attackers corrupting a gif image, commonly considered a very safe file type, to gain shell access via Microsoft Teams.

Current Threats in Unexpected Places

To make the shell exploit happen, attackers need a standard gif image specially crafted to include commands that will execute on a user’s machine. This image is sent to the victim via Teams and is automatically stored on the device. At this point, a separate piece of malware sits waiting for the arrival of the tainted gif that it uses to launch the shell, dialing back to the attacker’s machine. This creates a persistent connection that the attacker can use as a staging point to attack deep within the organizational network. 

GIF Attacks Can Happen to Anyone

While this attack did leverage many Microsoft features and Teams specifically, it is not the fault of Teams itself or Microsoft. In this instance, the combination of exploits used leveraged those specific products. It would be naive to assume that other products and collaboration suites are immune to similar attacks and will not see them in the future. 

The only way to prevent such an attack is to ensure that all information shared using collaboration tools is safe. Collaboration tools do not have this built-in by default, so an external solution is needed to bridge the gap and provide the added control organizations need. 

Freedom to Collaborate is Necessary

Taking away collaboration tools will eliminate the risk of this type of exploit, but it will also significantly reduce organizational productivity. Without the ability to collaborate rapidly, companies lose the ability to innovate at the speed of business and will find it harder to stay competitive. The only way to safely do this is to remove the threats spread using collaborative tools. Using Content Disarm and Reconstruction (CDR) can help your organization defend itself, protecting against existing threats and those that have yet to be discovered. 

Protect Collaboration with Seamless CDR Integration

Maintaining a safe collaboration environment requires being able to safely share content without the fear of it being secretly malicious. When selecting a CDR solution to accomplish this, it is crucial to note that not all CDR products are made equally. Protecting your organization against threats over collaboration software requires a CDR that can integrate directly with your application. This is often done via an API connection, allowing seamless integration and always-on protection. 

With a seamlessly integrated CDR, your end-users never have to worry about their workflow being disrupted or delayed. Files and file components are automatically sanitized behind the scenes, leaving only safe content delivered to your users. 

Preparing For the Future

Protecting collaborative infrastructure also requires a CDR that does not make assumptions on whether files and file elements are safe because they do not match a dangerous pattern. CDRs that utilize antivirus or look to analyze before sanitizing are likely to miss threats or greatly slow down the sanitization process. With over 450,000 new malware samples discovered daily, no AV, or detection-based solution can keep its threat signatures current. This creates a significant gap in protection that attackers can exploit to damage your organization.

Instead, companies need a CDR that does not make any assumptions but assumes everything has the potential to be malicious. Using a Zero Trust approach, there is no gap in coverage. All files are completely deconstructed and rebuilt using only safe components, eliminating existing threats and those that may be discovered in the future. 

The Right Solution for Defending Collaboration Platforms…and GIFs!

Votiro’s CDR solution is the only one that meets every criteria for protecting organizations from malicious content. Using an API-based design, Votiro easily integrates into existing technologies, creating a seamless protection layer defending users, systems, applications, and storage environments. Votiro protects your organization from Zero-day attacks by using a Zero Trust methodology, assuming that all content is potentially hazardous, and sanitizing everything by default. 

Contact us today to learn more about how Votiro can help you protect your enterprise collaboration environment. 

background image

News you can use

Stay up-to-date on the latest industry news and get all the insights you need to navigate the cybersecurity world like a pro. It's as easy as using that form to the right. No catch. Just click, fill, subscribe, and sit back as the information comes to you.

Subscribe to our newsletter for real-time insights about the cybersecurity industry.