Hackers Use Ghost Calls to Turn Web Conferencing into Covert C2 Channels

Security researchers at Black Hat USA 2025 have revealed a sophisticated new attack technique that exploits web conferencing platforms to establish covert command and control (C2) channels, potentially allowing cybercriminals to bypass traditional network security measures by masquerading malicious traffic as legitimate online meetings.

Adam Crosser, Staff Security Engineer at Praetorian, presented the research on Wednesday, demonstrating how red team operators can leverage real-time communication protocols to create high-bandwidth, interactive C2 sessions that appear indistinguishable from normal enterprise collaboration traffic.

The technique addresses a critical limitation in traditional covert channels, which often lack the bandwidth or real-time responsiveness required for advanced operations such as SOCKS proxying, layer two pivoting, and hidden VNC sessions.

TURNt Tool Exploits Media Server Infrastructure

The research introduces TURNt, an open-source tool that enables covert traffic routing through media servers hosted by major web conferencing providers.

These globally distributed media servers function as natural traffic relays, designed for low-latency communication that seamlessly blends with enterprise network patterns.

The technique exploits a common security practice where organizations whitelist conferencing provider IP addresses and exempt them from TLS inspection, significantly reducing detection risks.

TURNt allows operators to maintain persistent communication through traditional C2 channels while activating high-bandwidth interactive sessions for short periods, typically one to two hours, mimicking legitimate conferencing activity.

This dual-channel approach combines the stealth of long-term covert channels with the responsiveness needed for real-time operations, creating a formidable challenge for network defenders.

Enterprise Security Implications and Defense Strategies

The attack methodology poses significant risks to any enterprise utilizing collaboration suites, making it a cross-industry concern.

The research highlights how attackers can conduct advanced network pivoting and establish unauthorized remote access while appearing as routine business communications.

Traditional network monitoring tools may struggle to distinguish between legitimate conferencing traffic and malicious C2 communications.

Crosser’s presentation outlined both the trade-offs inherent in the technique and potential countermeasures defenders can implement.

The research emphasizes the need for organizations to reassess their conferencing security policies and develop specialized detection capabilities for this emerging threat vector.
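As a starting point for such detection, the following added example (not from the article, the talk, or TURNt) reviews long-lived flows to allowlisted conferencing media ranges and flags those that do not come from an approved conferencing client or that originate from a server. The IP ranges, process names, asset roles, field names and the 15-minute threshold are assumptions, and the flow records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder media-server ranges (RFC 5737 documentation blocks);
# substitute the ranges your conferencing provider publishes.
MEDIA_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Assumption: endpoint/flow telemetry records the originating process name.
APPROVED_CLIENTS = {"conf-client.exe", "browser.exe"}  # hypothetical names
MIN_DURATION_S = 15 * 60  # assumed floor; the article cites one-to-two-hour sessions

@dataclass
class Flow:
    host: str
    role: str        # "workstation" or "server", from the asset inventory
    process: str
    dst_ip: str
    duration_s: int

def is_media(dst_ip):
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in MEDIA_RANGES)

def review(flow):
    """Return the reasons a long flow to an allowlisted media range needs a look."""
    if not is_media(flow.dst_ip) or flow.duration_s < MIN_DURATION_S:
        return []
    reasons = []
    if flow.process.lower() not in APPROVED_CLIENTS:
        reasons.append("process is not an approved conferencing client")
    if flow.role == "server":
        reasons.append("server-class asset in a long media session")
    return reasons

def triage(flows):
    # Map "host/process" to its list of reasons, keeping only flagged flows.
    return {f"{f.host}/{f.process}": r for f in flows if (r := review(f))}

# Constructed sample records, not real telemetry.
SAMPLE = [
    Flow("wks-014", "workstation", "conf-client.exe", "203.0.113.20", 3600),
    Flow("wks-031", "workstation", "updater.exe", "198.51.100.7", 5400),
    Flow("db-02", "server", "backup-agent", "203.0.113.44", 4200),
    Flow("wks-031", "workstation", "updater.exe", "192.0.2.10", 5400),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE).items():
        print(key, "->", "; ".join(reasons))
```
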

As remote work continues to drive widespread adoption of web conferencing platforms, understanding and mitigating these vulnerabilities becomes increasingly critical for maintaining an enterprise’s security posture.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
