Amidst the COVID-19 Pandemic web conferences and talks for some are the primary method of Internet communications for companies an private parties. And while ZOOM is a preferred choice for many, it has become infamous for having serious security issues. Fortunately, its developers are quick to address the vulnerabilities.
Due to the fact that a very large number of users are using it there have been many underground organizations that deal with stolen ZOOM credentials. All of this leads to many dangerous scenarios, many of which are being used by criminal groups. In this article we aim to showcase why the ZOOM issues that were discovered are actually a problem that persists in time.
The ZOOM Vulnerabilities – What Happened And Why They are Dangerous?
ZOOM is a powerful web conference service which is primarily used by big companies and various groups in order to conduct talks, presentations and group chats. As one of the top software in its category many of the security problems that were found over the years have a much larger impact than a temporary bug. And while the company was quick to fix the issues it appears that this has affected the victims in a much larger way that they might imagine.
One of the most important bugs which affect the software was detected back in December 2018 and tracked in the CVE-2018-15715 advisory. This was a weakness in the program which allowed remote hackers to hijack online sessions. This was done by spoofing the Internet traffic in order to gain control of the whole sessions.
The released proof-of-concept code shows how the criminals can take over control of the conferences using several different scenarios — some of them include the spying of users, intercepting sessions and also sessions of which the hackers are not part of the meetings.
Around the time when such high—impact security bugs were initially discovered came the so-called “Zoom Bonbing” phenomenon. This is a technique used by malicious actors used to intrude into an active ZOOM conference. The intention may be to post SPAM content, disrupt meetings or to divert attention onto another topic. Such “raids” are effectively being organized on various social networks and communities including Reddit, 4chan, Facebook, Twitter, Discord and others. This shows that many hackers, pranksters, spammers and related types of users have diverted their attention onto using ZOOM as a platform for criminal activity.
In April this year a security expert posted on Twitter that the Windows version of the ZOOM application is vulnerable to to a vulnerability that is categorized as a type of “UNC path injection”. This is a security bug allowing computer criminals to hijack credentials as part of the attack, in this case this is the operating system login password for the current user.
This kind of bug can be used to execute applications which are already present on the systems or to start commands on them. This can be used in various scenarios such as the following:
- Malware Infections — Through the running of specific commands by utilizing the vulnerabilities the hackers can implant various types of malware to the computers. This includes ransomware, Trojan, cryptocurrency miners and etc.
- System Changes — The remote commands can also edit out key settings of the operating system or installed software leading to performance issues and even sabotage.
- Files Theft and Trojan Operations — Advanced malware campaigns can be used to steal files or to install Trojan horse clients which are used to take over control of the machines.
What Happens To The Hijacked ZOOM Accounts
One of the main purposes of all malware campaigns initiated against ZOOM users is to steal user credentials: not only on the software, but also of other services, possibly extending this to banking services, email messages and others. The criminal groups may resort to the selling of the hijacked information on underground communities. The most appropriate places are the Dark Web marketplaces which are used to trade pirate software, drugs and stolen data among others goods. When this concerns stolen accounts this can have a much larger impact – often criminals will label if the victim users are from a company, government agency or another high-profile targets.
Some of the common uses of stolen ZOOM accounts include the following:
- Account Theft — When the ZOOM conferences are conducted by coany or government employees in many cases accounts to other services are shared. When the sessions are being spied upon such information may become available.
- Sensitive Data Theft — The criminals can hijack all data that can be deemed lucrative by the criminals.
- Identity Theft — The information hijacked about the users can be used in various identity related crimes and related financial abuse.
The ZOOM hacks which have been organized over the years have resulted in the successful theft of information from institutions and companies such as: University of Colorado, Dartmouth, Lafayette, Chase, Citibank and others. Hijacked accounts from them and other victim companies have subsequently been placed in large seller orders. A company has purchased about 530,00 of individual accounts from the victims for the price of $0.002 each. During the analysis it appears that some of the intrusions were made as part of older attacks.
When it comes to using online services some of the proactive security strategies now implement the usage of public database breach notifications such as the popular Have I been Pwned. ZOOM account users should also carefully monitor security news sites in order to stay alert if any issues are discovered. We always recommend that a professional-grade anti-malware utility is used.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: