New Zoom Vulnerability Lets Hackers Record Any Meeting Anonymously; New Critical Malware Vulnerability Puts Millions Of Zoom Users At Risk
The title above comes from an April 23, 2020 article by Waqas, posted to the cyber security and technology blog/website HackRead.com. Readers of this blog know that I have been writing in the past two weeks about cyber security vulnerabilities at the popular video teleconferencing giant Zoom Video. Because of the stay-at-home restrictions due to the coronavirus pandemic, it is hardly surprising that video teleconferencing has exploded. And it also isn’t surprising that cyber thieves are attempting to cash in on this emerging domain; Zoom Video, which has had weak encryption, has been under attack.
As Waqas notes, “millions of Zoom login credentials are being sold on the dark web,” and now “a [new] Zoom vulnerability” has come to light, putting millions of Zoom users at risk of personal compromise. Waqas notes that “recently, IT users at Morphisec have discovered a critical malware vulnerability, which if exploited, can allow attackers to record live Zoom meetings and audio conversations.”
“What’s worse,” Waqas notes, “is that by using the vulnerability, attackers can carry out recordings even if the host disables recording functionality for the meeting/participants, all without the host’s knowledge or permission.”
In a blog post yesterday, Morphisec researcher Daniel Petrillo wrote: “The trigger (evading detection) is malware that injects its code into a Zoom process without any interaction from the user, even if the host did not enable the participant to record. When recording in this way, none of the participants are notified that the session is being recorded, while the malware fully controls the output.”
“The vulnerability [malware] can not only open doors for malware attacks, but hackers can also use the opportunity to launch large-scale espionage campaigns against businesses, steal [login] credentials, and more,” Waqas wrote. “Furthermore, since millions of Zoom accounts are already being sold on the dark web, all attackers would need to do is sign in and launch the attack.”
Morphisec has informed Zoom about the vulnerability and shared its analysis. It is unclear whether the vulnerability has been patched yet, Waqas said, and HackRead recommended that Zoom users take these five steps:
1) Enforce complex Zoom meeting passwords by default for all meetings.
2) Be aware that credential stuffing is a known issue across the industry, and that the Zoom application is one of the attackers’ targets.
3) Users (and average consumers) are advised not to re-use their passwords on other apps and websites, and to monitor for potential data breaches via services such as HaveIBeenPwned and AmIBreached.com.
4) Implement multi-factor authentication where possible.
5) Organizations are encouraged to consider a data breach monitoring solution to reduce their exposure window and mitigate the risks.
It is apparent that Zoom got out ahead of its skis. They built their video-teleconferencing platform around ease of use and free-flowing communication, but cyber security got the short end of the stick. Last week, The Hacker News reported that over 530,000 Zoom credentials were up for sale on the dark web. The cyber security firm Cyble said the purloined Zoom accounts included email addresses, passwords, personal meeting links, and host keys, the PINs used to claim host controls in a meeting.
As noted cyber security guru Bruce Schneier wrote on his blog, Schneier on Security, “Zoom’s security is at best sloppy; and malicious at worst.” In an April 3, 2020 blog post, “Security And Privacy Implications Of Zoom,” Mr. Schneier noted that, according to a Motherboard report, “Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom subsequently removed the feature; but its response should worry you about its sloppy coding practices in general. This wasn’t the first time Zoom was sloppy with security,” Mr. Schneier warns. “Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the [victim’s] digital camera without permission.” Then, earlier this year, it was discovered that Zoom for Windows can be used to steal a user’s Windows credentials, Mr. Schneier added.
And perhaps even more worrisome, “Zoom’s encryption is awful,” Mr. Schneier warns. “First, the company claims to provide end-to-end encryption; but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers.” Link (transport) encryption protects the traffic between each client and Zoom’s servers; since the servers hold the meeting key, they can decrypt the audio and video passing through them. When confronted about the issue, a Zoom spokesperson wrote: “Currently, it’s not possible to offer/enable end-to-end (E2E) encryption for Zoom video meetings.” And the encryption the company does use is weak and leaves a lot to be desired. Zoom documentation claims that the app uses “AES 256” encryption where possible. But as Mr. Schneier notes, quoting the Citizen Lab analysis: “we found that in each Zoom meeting, a single AES 128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB is not recommended, because patterns in the plaintext are preserved during encryption. The AES 128 keys, which Citizen Lab verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.”
Mr. Schneier wrote: “I am okay with AES 128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography. And, that China connection is worrisome.” You bet it is. There is little doubt that China has slipped some backdoors into the Zoom network or its linkages.
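To see what “patterns in the plaintext are preserved” means in practice, here is an added example (an illustration written for this post, not code from the article, from Schneier, from Citizen Lab, or from Zoom). It encrypts a constructed media chunk with a static region once in ECB mode and once in CBC mode, and then runs the duplicate-block check an analyst uses to recognise ECB in a captured stream without knowing the key. It assumes the `cryptography` package for real AES-128 and, when that package is absent, falls back to a keyed HMAC stand-in that is clearly labelled as not a cipher; the key, IV and sample data are constructed for the demo.

```python
# Added example: why ECB mode leaks plaintext structure, and the duplicate-block
# check an analyst can run on captured ciphertext to recognise it. This is not
# code from the article, from Schneier, or from Citizen Lab. It uses AES-128 via
# the `cryptography` package when that is installed; otherwise a keyed PRF
# stand-in (clearly not a cipher) keeps the script runnable offline.
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    HAVE_AES = True
except ImportError:
    HAVE_AES = False


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt exactly one 16-byte block under `key`.

    With `cryptography` present this is one raw AES-128 block operation.
    Without it, HMAC-SHA256 truncated to 16 bytes stands in: that is NOT a
    cipher (it cannot be inverted), but it is a fixed keyed function of the
    block, which is all that is needed to show the ECB/CBC difference.
    """
    assert len(key) == BLOCK and len(block) == BLOCK
    if HAVE_AES:
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding: always adds 1..16 bytes so the length is a block multiple."""
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    always produce equal ciphertext blocks. This is the mode Citizen Lab found."""
    padded = pkcs7_pad(data)
    return b"".join(_block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before
    encryption, so repeats in the plaintext no longer show. Returns iv || ct."""
    padded = pkcs7_pad(data)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev))
        prev = _block_encrypt(key, mixed)
        out.append(prev)
    return iv + b"".join(out)


def block_pattern(ciphertext: bytes, block: int = BLOCK) -> list:
    """Label each ciphertext block by first-seen identity. Under ECB, equal
    labels mean equal plaintext blocks, recoverable without the key."""
    labels, seen = [], {}
    for i in range(0, len(ciphertext), block):
        labels.append(seen.setdefault(ciphertext[i:i + block], len(seen)))
    return labels


def duplicate_block_ratio(ciphertext: bytes, block: int = BLOCK) -> float:
    """Fraction of blocks that repeat an earlier block: the classic ECB fingerprint."""
    labels = block_pattern(ciphertext, block)
    return 0.0 if not labels else 1.0 - len(set(labels)) / len(labels)


def looks_like_ecb(ciphertext: bytes) -> bool:
    """Under a randomised mode a repeated 16-byte block is vanishingly unlikely,
    so even one repeat in a non-trivial capture is strong evidence of ECB."""
    return duplicate_block_ratio(ciphertext) > 0.0


# Constructed demo material (not real Zoom keys or traffic).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
IV = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
# Stand-in for a media chunk dominated by a static region (e.g. a blank
# background or silence): 60 identical 16-byte runs, then 40 varying bytes.
SAMPLE = bytes(range(16)) * 60 + bytes(range(100, 140))

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, SAMPLE)
    cbc = cbc_encrypt(KEY, IV, SAMPLE)
    print("using real AES-128:", HAVE_AES)
    print("ECB duplicate-block ratio: %.3f  ECB suspected: %s"
          % (duplicate_block_ratio(ecb), looks_like_ecb(ecb)))
    print("CBC duplicate-block ratio: %.3f  ECB suspected: %s"
          % (duplicate_block_ratio(cbc), looks_like_ecb(cbc)))
    print("ECB block pattern (first 8 and last 4):",
          block_pattern(ecb)[:8], block_pattern(ecb)[-4:])
```

Run it and the ECB output shows the 60-block static region as 60 identical ciphertext blocks, so an eavesdropper who has only the packets can map where the frame is static and where it changes, which is exactly the “patterns in the plaintext are preserved” problem. The CBC output has no repeats at all. Note that switching modes only hides structure; it does not authenticate the stream, which is why a modern design would use an AEAD mode such as AES-GCM rather than plain CBC.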
If you add the enormous OPM breach of a few years ago, which exposed the personal information of millions of Federal employees, especially those who held Top Secret clearances, then Zoom becomes even more worrisome. My personal doctor’s office called yesterday to set up a Zoom appointment with me to go over any medications or medical issues I needed to discuss (not COVID-19 related), suggested we conduct this conversation via Zoom, and said I needed to download the app in advance. I declined and opted instead for a phone call. The point is, if China already has the personal information of Federal employees who hold Top Secret clearances, they can use technology like Zoom to gather additional personal medical information that could be embarrassing or place the individual in a compromising position.
I am sure Zoom is furiously addressing these vulnerabilities, and hopefully (especially) their China connection. They had better, because you can bet China is scooping up all this information and will no doubt use big data mining to focus its espionage and corporate theft efforts, not to mention implanting digital backdoors. This is the equivalent of leaving one’s keys in the ignition and inviting China to take the car. RCP, fortunascorner.com