Zoom

The WFH like culture VS. zero-day exploits in conference apps, what’s in it for us?

Zoom

After several severe cases of novel coronavirus aka COVID-19, most businesses have shifted their business model from on-site to virtual. 
 
It was a perfect time for businesses to implement and test their Business Continuity Plans (BCP) and we saw some well-known names who implemented their BCP with ease, while others are still struggling.
 
When businesses make a major shift towards a Work From Home (WFH) culture, a new ideology must kick in – “Zero trust networks”. This basically means that no devices and/or systems should be taken as a trusted source. However, we have seen cases where employees, students, kids, families and various high-profile government bodies started sharing the content that the internet did not necessarily need to know.
 
Most of us are currently using conference applications like Zoom to communicate and it seems people are very excited to show the world what they are either working, studying, playing or communicating on, from home. 
 

This now opens up as a new playground for hackers.

Boris Johnson exposing Zoom meeting ID

Picture: Boris Johnson exposing Zoom meeting ID.

 

You may think “what could go wrong?” when you share this type of information on the internet.

Let me walk you through…

 
The picture presented above easily provides us with information that Boris is using Zoom for his daily meetings. In this case, we can see the cabinet Zoom meeting ID on display. We also now know that Boris uses the Windows 10 operating system, Google Chrome and Outlook.
 
We see that Microsoft Office is also used and we can assume Boris uses Powerpoint frequently. 
 
So, when a hacker combines this information to map their attack surface, they will find exploits such as a CVE-2019-1462 (PowerPoint RCE) or a CVE-2020-0729,  which is a Remote Code Execution (RCE) against Windows that came out recently and exploits these applications. They now know exactly which applications to try to exploit. Boris has handed them all the information they need.
 
Additionally, if you notice the meeting attendees list on the right, there are more potential targets and in some cases, mobile phone numbers would also be joining the meeting, and so the attack surface expands even further. 
 
One of the recent Federal Bureau of Investigation (FBI)’s press release highlighted that various conferences were being disrupted by pornographic and/or hate images and threatening language.
 
Technically, any adversary that wants to exploit you or your business now has rich information to plan an attack or pull a prank.
 
The above is a classic example of posting images and videos on public media such as Twitter, Facebook, TikTok, LinkedIn or anywhere on the internet. Con-artists are always waiting for such opportunities to strike. A simple search with the term “Zoom”, on various social media platforms would give you a clear picture of what is being presented in this blog.
 
Furthermore, hackers are also targeting conferencing applications like Zoom specifically, as it’s an easy attack vector to exploit you or your business.
 
One of the recent case studies published by CheckPoint highlighted that con-artists and adversaries are registering fake Zoom domains and have been running phishing campaigns.
 
“The recent, staggering increase means that hackers have taken notice of the work-from-home paradigm shift that COVID-19 has forced, and they see it as an opportunity to deceive, lure, and exploit. Each time you get a Zoom link or document messaged or forwarded to you, I’d take an extra look to make sure it’s not a trap.” – A spokesman at Checkpoint.
 
What gets even more interesting is that there are various information security practitioners around the globe who are closely monitoring the Zoom platform as the usage of the application in recent days skyrocketed. It was not a matter of “if”, but turns out to be a matter of “when” Zoom will be compromised.
 
A security researcher (Patrick Wardle, a former NSA hacker) dropped two new zero-day exploits in his recent blog post which can be leveraged to gain remote code execution. This issue impacts the Zoom client for the latest MacOS client. His blogpost states, “The ‘S’ in Zoom, Stands for Security”, which is really ironic. Another exploit came out publicly on the 1st of April stating that the Windows client was also vulnerable where an attacker can exploit the Zoom client for windows using UNC path injection to expose credentials which can be used in SMBRelay attacks. It was also identified that the video conference app Zoom was illegally sharing personal data with Facebook, even if users did not have a Facebook account.
 
More often than not, we as businesses tend to see the big picture and paint a vision. But what really matters to an attacker is all the small details that we missed which enables them to build a bigger and wider attack surface.
 
In this blog, we have used Zoom as an example but they are definitely not the exception.
 
Now, the question is, after all the recent events, are we still going to make use of applications like Zoom? The truth is that all conference application users are at risk until the companies developing the applications fix some of these underlying issues and send out the patches as quickly as possible to ensure users are safe.
 

Until then we would recommend you do the following to reduce your exposure:

    1. Add a password to all your meetings.
    2. Use waiting rooms.
    3. Keep clients updated and look out for the latest patches.
    4. Do not share your meeting IDs.
    5. Disable participant screen sharing.
    6. Lock meetings when everyone has joined.
    7. Do not post pictures of your meeting details in public forums.
    8. Do not post public links to your meetings.
    9. Lookout for meeting-themed malware and do not install applications from untrusted sources.
    10. Consider using other secure alternatives.

 
So, stay safe, regard all networks as zero-trust and only post personal content to the internet when you absolutely have to.
 
After the recent issues with Zoom, including social media hype of the multiple 0days affecting their product, they have taken some serious approach immediately to safeguard their users and protect their privacy. Please refer to their latest public media release – https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/ 
– Nitesh Bhatta
 

Nitesh Bhatta

Nitesh Bhatta is an Infrastructure Penetration tester at Stickman with offensive attack simulation skill set and has expertise in Computer Networks Security and Information Security assessments. More articles by Nitesh Bhatta

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to Our Insights

This email address has already subscribed!