Zoom Meeting-Related Attacks
I. Targeted Industries
- Higher Education
- K-12 Education
- Financial Services
- Independent Companies
With educational institutions and businesses across the nation forced to move to remote learning and remote work because of COVID-19, video conferencing platforms have seen a surge in use. Many now rely on the Zoom video conferencing platform, and threat actors have responded by exploiting its privacy and security weaknesses, including credential theft, remote access intrusion, and "Zoom-bombing." Zoom-bombing, the most prominent of these, is unauthorized entry into live meetings and/or chat sessions, typically through a meeting link or ID that was shared publicly or left unprotected by a password. Once inside, the intruders share offensive or threatening content and disrupt the session.
III. Background Information
Zoom has become an essential communication tool, growing to more than 74,000 customers and 13 million active users.(1) Since the start of the pandemic, nearly 1,700 new domains containing the word "zoom" have been registered, and 25% of those were registered between March 24 and March 31, 2020.(2) Attackers use these domains, and e-mail addresses on them, to phish Zoom users and to distribute malware disguised as Zoom installation packages.(3)
One weakness already being abused is the way the Zoom Windows client renders chat messages: a UNC path of the form \\server\share pasted into the chat is turned into a clickable link.(4) If the user clicks it, Windows attempts to open the share over SMB and, as part of NTLM authentication, sends the user's Windows username and NTLM challenge-response hash to the server named in the link.(5) The captured hash can be cracked offline to recover the password or relayed to other services that accept NTLM, so a single click on an attacker-supplied link can expose domain credentials.
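The following is an added example, not code from the advisory or from Zoom, showing how a SOC could triage exported chat transcripts for the UNC-path trick described above. The transcript lines, the sender names, the internal domain suffix ".corp.example", and the IP 203.0.113.7 are all constructed for the example; in practice the trusted-suffix list would be your own internal DNS namespace.

```python
import re

# Constructed sample Zoom chat transcript (not a real capture): "sender: message".
SAMPLE_CHAT = [
    "alice: slides are on \\\\fileshare.corp.example\\meetings\\q2.pptx",
    "bob: thanks, opening now",
    "eve: better copy here \\\\203.0.113.7\\share\\notes.docx",
    "eve: or grab https://zoom-us-download.example/zoom-us-zoom_1234567890.exe",
]

# A UNC path: two backslashes, a host (name or IP), then one or more \segment parts.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._\-]+)((?:\\[^\s\\]+)+)")

# Assumed internal naming convention; anything else is treated as an external SMB target.
TRUSTED_HOST_SUFFIXES = (".corp.example",)


def find_unc_paths(text):
    """Return (host, full_unc_path) for every UNC path embedded in a chat message."""
    return [(m.group(1), m.group(0)) for m in UNC_RE.finditer(text)]


def is_trusted_host(host):
    """Only hosts inside the assumed internal DNS namespace are trusted.

    Bare IP addresses never match the suffix list, so a link such as
    \\\\203.0.113.7\\share is always reported: Windows would attempt NTLM
    authentication to it as soon as the user clicks.
    """
    return host.lower().endswith(TRUSTED_HOST_SUFFIXES)


def triage_chat(lines):
    """Flag chat lines that link to SMB shares on untrusted hosts.

    Returns a list of (line_number, sender, host, unc_path) tuples. Clicking any
    of these paths makes the Windows client reach out over SMB and send the
    user's username and NTLM challenge-response hash to that host.
    """
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        sender, _, body = line.partition(": ")
        for host, path in find_unc_paths(body):
            if not is_trusted_host(host):
                alerts.append((line_no, sender, host, path))
    return alerts


if __name__ == "__main__":
    for line_no, sender, host, path in triage_chat(SAMPLE_CHAT):
        print(f"line {line_no}: {sender} posted UNC link to untrusted host {host}: {path}")
```

Detection only catches the lure after the fact. The preventive control on the Windows side is the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to "Deny all" (registry value RestrictSendingNTLMTraffic = 2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0), combined with blocking outbound TCP 445 at the network edge so that workstations cannot reach Internet SMB servers at all.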
On April 1, 2020, Threatpost reported two zero-day vulnerabilities in the Zoom client for macOS, disclosed by an independent security researcher.(6) Both are local flaws: the attacker must already have code running on the victim's Mac, for example through malware or a prior compromise. The first lets a local, unprivileged attacker gain root by tampering with the "runwithroot" helper script that Zoom's installer executes with root privileges.(7) The second lets a third-party library be injected into the Zoom process, where it inherits Zoom's existing access to the camera and microphone without any additional permission prompt.(8) Separately, Zoom's "Company Directory" feature automatically adds people who share an e-mail domain to one another's contact lists.(9) For users who signed up with a personal address on a less common e-mail domain, this grouped them with strangers and exposed their full names, e-mail addresses, and profile photos to people they had never met.(10) Zoom's weak default settings are what let unauthorized users into meetings in the first place; together with the flaws above, they leave users' private information exposed.
IV. Recommendations
- Disable the "Join Before Host" option so that nobody can enter or start the meeting before the host.
- Assign a co-host to help monitor the meeting and remove disruptive participants.
- Disable file transfer in Zoom chat to prevent attendees from exchanging trojans or other malware.
- Disable "Allow Removed Participants to Rejoin" so that an ejected intruder cannot return.
- Never share meeting links or IDs on social media or in any public thread; send them directly to the intended attendees.
- Restrict screen sharing to "Host Only".
- Keep the Zoom client up to date; fixes for client-side flaws such as those described above are delivered through client updates.
- Use strong passwords: at least 12 characters, including symbols and numbers.
- As of this advisory (April 2020), Zoom does not provide end-to-end encryption: meeting traffic is encrypted in transit, but Zoom's own servers can decrypt it. Use an alternative service for communications that require end-to-end encryption.
- Make all meetings private and require a password to join; Zoom can enforce this by default at the account level. Recommended link: https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar
- Zoom Awareness Training
Educate users on best practices for using Zoom, including the end-user responsibilities for meetings outlined above.
- Phishing Awareness Training
Educate users about both new and previously seen phishing lures, including the Zoom- and COVID-19-themed lures described in this report. Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Safe Browsing Techniques
Educate users on safe browsing techniques so they can recognize malicious content. Recommended link: https://www.us-cert.gov/ncas/tips/ST07-001
V. Indicators of Compromise (IOCs)
Indicators of Compromise include:
- Domains or e-mail addresses that contain the word "zoom". Zoom's legitimate domain is zoom.us (https://zoom.us) and its subdomains; treat any other domain containing "zoom" as a look-alike.
- Domains or e-mail addresses that contain the word "corona". Expect some benign matches; review before blocking.
- Files named in either of the following formats, where each # is a digit: "zoom-us-zoom_##########.exe" and "Microsoft-teams_V#mu#D_##########.exe".
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.
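The following is an added example, not code from the advisory, that turns the three indicator classes above into a check that can be run over proxy or download logs. The log lines, client IPs, and domains (zoom-us-download.example, notzoom.us, corona-relief-update.example) are constructed for the example; the filename patterns assume each "#" in the IOC list stands for exactly one digit, which is an assumption to adjust if your samples differ. The domain check is written as an exact-or-subdomain match so that a look-alike such as notzoom.us is not accepted just because it ends in "zoom.us".

```python
import re
from urllib.parse import urlsplit

# Zoom's legitimate domain per this advisory; subdomains such as us04web.zoom.us are accepted.
LEGITIMATE_ZOOM_DOMAIN = "zoom.us"

# Filename patterns from the IOC list; each "#" is interpreted as one digit (an assumption).
MALICIOUS_FILENAME_PATTERNS = {
    "zoom-us-zoom_##########.exe": re.compile(
        r"^zoom-us-zoom_[0-9]{10}\.exe$", re.IGNORECASE),
    "Microsoft-teams_V#mu#D_##########.exe": re.compile(
        r"^Microsoft-teams_V[0-9]mu[0-9]D_[0-9]{10}\.exe$", re.IGNORECASE),
}

# Constructed proxy log lines (not real traffic): timestamp, client IP, method, URL.
SAMPLE_PROXY_LOG = [
    "2020-04-01T13:02:11Z 10.0.0.12 GET https://zoom.us/j/1234567890",
    "2020-04-01T13:05:42Z 10.0.0.12 GET https://us04web.zoom.us/j/1234567890",
    "2020-04-01T13:07:03Z 10.0.0.33 GET http://zoom-us-download.example/zoom-us-zoom_2928103814.exe",
    "2020-04-01T13:09:55Z 10.0.0.33 GET http://notzoom.us/login",
    "2020-04-01T13:12:19Z 10.0.0.41 GET https://corona-relief-update.example/form",
    "2020-04-01T13:15:00Z 10.0.0.41 GET https://example.org/Microsoft-teams_V1mu2D_1028200304.exe",
]


def is_legitimate_zoom_host(host):
    """Exact match or a true subdomain of zoom.us; 'notzoom.us' must not pass."""
    host = host.lower().rstrip(".")
    return host == LEGITIMATE_ZOOM_DOMAIN or host.endswith("." + LEGITIMATE_ZOOM_DOMAIN)


def domain_indicators(host):
    """Reasons a domain (or the part of an e-mail address after '@') matches the IOC list."""
    reasons = []
    host = host.lower()
    if "zoom" in host and not is_legitimate_zoom_host(host):
        reasons.append("domain contains 'zoom' but is not zoom.us")
    if "corona" in host:
        reasons.append("domain contains 'corona'")
    return reasons


def filename_indicators(filename):
    """Reasons a downloaded filename matches the IOC list."""
    return [f"filename matches {label}"
            for label, pattern in MALICIOUS_FILENAME_PATTERNS.items()
            if pattern.match(filename)]


def scan_proxy_log(lines):
    """Map line number -> list of IOC reasons for every line that hits at least one indicator."""
    hits = {}
    for line_no, line in enumerate(lines, start=1):
        url = line.split()[-1]
        parts = urlsplit(url)
        reasons = domain_indicators(parts.hostname or "")
        reasons += filename_indicators(parts.path.rsplit("/", 1)[-1])
        if reasons:
            hits[line_no] = reasons
    return hits


if __name__ == "__main__":
    for line_no, reasons in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        print(f"line {line_no}: {'; '.join(reasons)}")
```

For mail logs, pass the part of the sender address after "@" to domain_indicators; the "corona" keyword in particular will produce benign matches, so its hits are better routed to review than to automatic blocking.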
(1) Cisomag. “COVID-19 Hackers Exploit Chat Platform Zoom to Spread Malware.” CISO MAG | Cyber Security Magazine, March 31, 2020. https://www.cisomag.com/cybercriminals-target-zoom-domains-to-distribute-malware/
(2) “COVID-19 Impact: Cyber Criminals Target Zoom Domains.” Check Point Software, March 27, 2020. https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/.
(3) Cox, Joseph. “Zoom Is Leaking Peoples’ Email Addresses and Photos to Strangers.” Vice, April 1, 2020. https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos.
(4) Goodin, Dan. “Attackers Can Use Zoom to Steal Users’ Windows Credentials with No Warning.” Ars Technica, April 1, 2020. https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/.
(5) Kirk, Jeremy, and Ron Ross. “Zoom Contacts Feature Leaks Email Addresses, Photos.” Data Breach Today. Accessed April 2, 2020. https://www.databreachtoday.com/zoom-contacts-feature-leaks-email-addresses-photos-a-14039.
(6) “New Zoom Hack Lets Hackers Compromise Windows and Its Login Password.” The Hacker News, April 2, 2020. https://thehackernews.com/2020/04/zoom-windows-password.html.
(7) O'Donnell, Lindsey. "Two Zoom Zero-Day Flaws Uncovered." Threatpost, April 1, 2020. https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/.