by Bharat Mistry
Cyber-criminals are always looking for new opportunities to make money and steal data. Globally trending events are a tried-and-tested way of doing just this, and they don’t come much bigger than the current Covid-19 pandemic. It’s sparking a wave of phishing, BEC, extortion, ransomware and data breach attempts. And as increasing numbers of global workers are sent home, new opportunities are opening up to compromise video conferencing apps.
Although not alone in being targeted, Zoom has been the subject of some of the highest-profile incidents so far this year. Fortunately, there are things you can do to keep your business safe.
Under the microscope
The video conferencing app is in many ways a victim of its own success. Security concerns have been raised about it in the past, after researchers revealed a zero-day flaw in the Mac Zoom client which could have allowed hackers to spy on users via their webcams. Later the same year, separate research revealed an API-targeted enumeration attack affecting the platform. Neither of these is thought to have been exploited in the wild.
However, things have changed today: with much of the world using the platform to hold business meetings and personal video calls, scrutiny of its security posture has never been greater.
From bugs to bombing
There are several risks to be aware of. The first comes from several new vulnerabilities discovered in the platform: one could allow hackers to steal Windows passwords, and another two could enable attackers to remotely install malware on affected Macs and eavesdrop on meetings.
Most news coverage, however, is focused on “Zoombombing” — when uninvited users crash meetings. This often happens when large-scale semi-public events are held, and meeting IDs are shared on social media. If there’s no password for the meeting and attendees aren’t screened, then Zoombombers may turn up. Once in the ‘meeting’, crashers often post offensive comments, stream adult content or do other things to disrupt the event.
The same underlying techniques could be used by hackers to eavesdrop on or disrupt business meetings. It’s all about taking advantage of insecure settings in the app (and possibly using brute-force tools to crack meeting IDs).
With access to a meeting, hackers could harvest highly sensitive and/or market-critical corporate information, or even spread malware via a file transfer feature.
The final threat is from phishing attacks. Hackers know users are looking en masse for ways to communicate during government lockdowns. By creating legitimate-looking Zoom links and websites, they could steal financial details, spread malware or harvest Zoom ID numbers, allowing them to infiltrate virtual meetings. One vendor discovered 2,000 new domains had been registered in March alone, over two-thirds of the total for the year so far.
What you can do
The good news is that there are several things you can do to mitigate the security risks associated with Zoom.
The most basic are:
- Ensure Zoom is always on the latest software version
- Build awareness of Zoom phishing scams into user training programmes. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting
- Ensure all home workers have anti-malware including phishing detection installed from a reputable vendor
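The second point above asks users to check the meeting URL for anything suspicious. The following is an added example (written for this article, not code from the author or from Zoom) of what that check looks like when automated, for instance in a mail-gateway or help-desk triage script. It assumes that genuine join links are served from zoom.us or one of its subdomains and use a /j/<meeting ID> path with the 9-11 digit ID mentioned later in the article; the sample links are constructed for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumption (not stated in the article): genuine Zoom join links live on
# zoom.us or a subdomain of it, e.g. https://zoom.us/j/123456789 or
# https://acme.zoom.us/j/123456789?pwd=...
LEGITIMATE_APEX = "zoom.us"
JOIN_PATH_PREFIX = "/j/"   # assumed join-link path layout


def host_is_legitimate(host: str) -> bool:
    """True only for zoom.us itself or a real subdomain of it.

    A plain substring test would accept look-alikes such as zoom-us.com or
    zoom.us.login.example, so the suffix check is anchored on the dot.
    """
    host = host.lower().rstrip(".")
    return host == LEGITIMATE_APEX or host.endswith("." + LEGITIMATE_APEX)


def check_zoom_link(url: str) -> tuple[bool, list[str]]:
    """Return (is_ok, reasons). An empty reasons list means nothing looked off."""
    reasons: list[str] = []
    parts = urlsplit(url.strip())

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, expected https")

    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
    elif not host_is_legitimate(host):
        reasons.append(f"host {host!r} is not {LEGITIMATE_APEX} or a subdomain of it")
        if "zoom" in host:
            reasons.append("host contains 'zoom' but is a different domain (look-alike)")

    # https://zoom.us@evil.example/... puts the trusted name in the userinfo
    # part; the browser actually connects to evil.example.
    if parts.username or parts.password:
        reasons.append("URL carries credentials before the host (user@host trick)")

    try:
        port = parts.port
    except ValueError:
        port = -1
    if port not in (None, 443):
        reasons.append(f"unusual port {port}")

    if not parts.path.startswith(JOIN_PATH_PREFIX):
        reasons.append(f"path {parts.path!r} is not a {JOIN_PATH_PREFIX}<meeting id> join path")
    else:
        meeting_id = parts.path[len(JOIN_PATH_PREFIX):].split("/")[0]
        # The article notes meeting IDs are 9-11 digit numbers.
        if not (meeting_id.isdigit() and 9 <= len(meeting_id) <= 11):
            reasons.append(f"meeting id {meeting_id!r} is not a 9-11 digit number")

    return (not reasons, reasons)


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each link to its list of findings (empty list = passed every check)."""
    return {u: check_zoom_link(u)[1] for u in urls}


if __name__ == "__main__":
    # Constructed sample links: two genuine-looking ones and four look-alike
    # or tampered ones of the kind a phishing mail might carry.
    samples = [
        "https://zoom.us/j/123456789?pwd=abc",
        "https://acme.zoom.us/j/98765432101",
        "https://zoom-us.com/j/123456789",
        "https://zoom.us.meeting-login.example/j/123456789",
        "https://zoom.us@evil.example/j/123456789",
        "http://zoom.us/j/123456789",
        "https://zoom.us/download-client.exe",
    ]
    for link, findings in triage(samples).items():
        verdict = "OK      " if not findings else "SUSPECT "
        print(verdict, link)
        for f in findings:
            print("          -", f)
```

The checker is deliberately strict: anything that is not https, not on the expected domain, not a numeric join path, or that smuggles the trusted name into the userinfo portion of the URL is reported, and the reasons are returned rather than just a boolean so a help desk can tell the user exactly what looked wrong.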
Next, it’s important to revisit those administrative settings in the app, to reduce the opportunities for hackers and Zoombombers.
The most important revolve around the Zoom Personal Meeting ID (a 9-11 digit number every user has). If a hacker gets hold of this, and the meeting is not password protected, they could access it. A leaked email or simple brute-force/guessing techniques could enable a hacker to compromise the ID and associated URL. For recurring meetings, the threat persists.
Fortunately, automatically generated passwords are now switched on by default, and the use of personal meeting IDs is switched off, meaning Zoom will create a random, one-off ID for each meeting.
These settings should be kept as they are. But organisations can do more, including:
- Ensure you also generate a meeting ID automatically for recurring meetings
- Set screen-sharing to “host only” to prevent uninvited guests from sharing disruptive content
- Don’t share any meeting IDs online
- Disable “file transfers” to mitigate risk of malware
- Make sure that only authenticated users can join meetings
- Lock the meeting once it’s started to prevent anyone new joining
- Use the waiting room feature, so the host can only allow attendees from a pre-assigned register
- Play a sound when someone enters or leaves the room
- Allow the host to put attendees on hold, temporarily removing them from a meeting if necessary