Dark Web Intelligence Firm Reports New Attacks Against Zoom Users

Posted in: Resources » Cyber Heads-up

Overview

Staying with the recent theme of attacks on the work-from-home model, we’re back with another warning about Zoom. It’s not that we have anything against Zoom, but the platform rapidly became part of the cultural lexicon over the last couple of months due to the COVID-19 pandemic. With the move to work-from-home came new forms of social events: Zoom happy hours, Zoom dating, and even Saturday Night Live performed via (you guessed it) Zoom. Heck, Assura’s CTO even attended a Zoom bris a couple of weeks ago (true story, and it was done very tastefully, with all participants going to extraordinary measures for safety).

Nevertheless, Zoom has also been in the headlines a lot recently as various vulnerabilities surface under the microscope of security researchers and cybercriminals, the latter of whom are rubbing their hands with excitement (we’ll get to that). To Zoom’s credit, the company has been addressing the issues that pop up as quickly as possible and is working diligently to provide remote meeting services to everyone who needs them. Some security issues, however, like “mistakenly” routing call streams through China, put organizations in a difficult position because of the data privacy implications and the resulting potential legal exposure, especially for organizations in regulated industries like healthcare, banking, and government.

Now Zoom users are faced with another threat, though this time not of Zoom’s making.

Dark web intelligence firm (and Assura technology partner) IntSights has a new report about attackers using “credential stuffing” attacks against Zoom. Credential stuffing attacks are nothing new. Attackers gather large databases of breached credentials (usernames or email addresses paired with passwords) from deep web and dark web sources. These come from breaches of web sites all over the world, some of which made headlines, but most of which did not. The attackers then replay those credentials, usually with automated tooling, against other services to see where they still work; because so many people reuse passwords, some fraction of them do. The attacker tracks the success or failure of each login attempt and re-bundles the databases for sale, sorted by the websites the credentials successfully log into. Because of Zoom’s surge in popularity, it has become a big target for credential stuffing attacks.
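Attackers measure success or failure per attempt; defenders can measure the same thing from the other side. The following is an added example (not from the IntSights report, Zoom, or Assura) that runs a simple credential-stuffing detector over constructed authentication log lines. One source address trying many distinct usernames with mostly failures is the signature, and the accounts that did succeed from that address are the ones to force a password reset on. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are assumptions for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines (not real Zoom logs): one line per login attempt.
# 198.51.100.7 is one user mistyping a password; 203.0.113.5 is a stuffing run.
SAMPLE_LOG = """\
2020-04-21T10:00:01Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
2020-04-21T10:00:03Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-04-21T10:00:04Z ip=203.0.113.5 user=carol@example.com result=FAIL
2020-04-21T10:00:04Z ip=203.0.113.5 user=dave@example.com result=FAIL
2020-04-21T10:00:05Z ip=203.0.113.5 user=erin@example.com result=SUCCESS
2020-04-21T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2020-04-21T10:00:06Z ip=203.0.113.5 user=grace@example.com result=FAIL
2020-04-21T10:00:06Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2020-04-21T10:00:07Z ip=203.0.113.5 user=ivan@example.com result=FAIL
2020-04-21T10:00:07Z ip=203.0.113.5 user=judy@example.com result=SUCCESS
2020-04-21T10:00:09Z ip=198.51.100.7 user=alice@example.com result=FAIL
2020-04-21T10:00:12Z ip=198.51.100.7 user=alice@example.com result=SUCCESS
"""

# Assumed log format: "<timestamp> ip=<addr> user=<name> result=SUCCESS|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str) -> list:
    """Turn the raw log text into a list of attempt dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarize_by_ip(events: list) -> dict:
    """Per source address: attempt count, failure count, distinct users, users that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "successes": set()})
    for event in events:
        entry = stats[event["ip"]]
        entry["attempts"] += 1
        entry["users"].add(event["user"])
        if event["result"] == "FAIL":
            entry["failures"] += 1
        else:
            entry["successes"].add(event["user"])
    return stats


def detect_stuffing(events: list, min_distinct_users: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Flag addresses that tried many different accounts and mostly failed.

    A single user fat-fingering a password hits one account; a stuffing run hits many.
    For a flagged address, every account that succeeded is treated as compromised.
    """
    flagged = {}
    for ip, entry in summarize_by_ip(events).items():
        fail_ratio = entry["failures"] / entry["attempts"]
        if len(entry["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": entry["attempts"],
                "distinct_users": len(entry["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "accounts_to_reset": sorted(entry["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, finding in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The thresholds are deliberately simple. Real campaigns spread attempts across many proxy addresses to stay under per-IP limits, so a production detector should also watch the global failure rate, the number of distinct usernames per user-agent string, and logins for an account from an address it has never used before.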

You can obtain the full IntSights report here: https://intsights.com/blog/recycling-credentials-in-four-easy-steps

Assura’s Take

While credential stuffing is a serious threat, there are some things that users and organizations can do to thwart these attacks:

  • By using a different password for every account, users limit the impact of a single set of credentials being compromised, so make sure your Zoom password is unique and not shared with any of your other accounts;
  • Users can sign up for email alerts from https://haveibeenpwned.com, which notifies them when their email address appears in a known breach. When notified, the best practice is to change the password on the breached site and on every other account where the same password was used, since password reuse is exactly what credential stuffing exploits;
  • Using multi-factor authentication across all services that support it means that even if an attacker obtains valid credentials, they still can’t log in without the second factor; and
  • Business subscribers to Zoom can use its Single Sign-On (SSO) capability together with multi-factor authentication at the identity provider, so that logins are monitored and controlled by the organization’s security team.

Using a multi-factor authentication (MFA) solution is key to blunting any credential-based attack against your organization. However, as we’ve discussed in previous Cyber Heads-ups, not all MFA solutions are created equal. One-time codes delivered by SMS or generated by an authenticator app can be phished and relayed by an attacker in real time, because the code proves nothing about where it was typed. The most secure MFA solutions on the market right now are those built on protocols that can’t be intercepted and replayed, such as WebAuthn (the web authentication API of the FIDO2 standard), in which the authenticator signs a one-time challenge bound to the genuine site’s origin, so a response captured on a look-alike site is rejected.
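To make that difference concrete, here is an added example (not Assura’s or Zoom’s code) written against Python’s standard library. The first part generates a standard TOTP code (RFC 6238), which a look-alike site can simply relay to the real service within the time window; the second part is a WebAuthn-style relying party that checks the origin the browser recorded and the one-time challenge before accepting an assertion. The relying-party origin zoom.example, the phishing origin zoom-login.example.net, the credential id and the timestamps are assumed names and values, and an HMAC over the client data stands in for the authenticator’s public-key signature so that the example runs without extra libraries; the origin, challenge and single-use checks it demonstrates are the ones a real WebAuthn relying party performs.

```python
"""Why a phished one-time code can be relayed but a WebAuthn assertion cannot (added example)."""
import hashlib
import hmac
import json
import secrets
import struct

# ---------- Part 1: code-based second factor (TOTP, RFC 6238, stdlib only) ----------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server checks only the code and the clock; it cannot tell where the code was typed.
    return hmac.compare_digest(totp(secret, unix_time), code)


# ---------- Part 2: WebAuthn-style assertion with origin binding ----------
# Stand-in: HMAC with a per-credential secret replaces the authenticator's private-key
# signature (real WebAuthn uses a key pair, and the signature also covers authenticatorData,
# which includes the hash of the RP ID). The origin and challenge checks are the real ones.

RP_ORIGIN = "https://zoom.example"               # assumed relying-party origin, not Zoom's
PHISH_ORIGIN = "https://zoom-login.example.net"  # assumed look-alike phishing site


class RelyingParty:
    def __init__(self):
        self.credentials = {}   # credential id -> verification key
        self.pending = set()    # challenges issued but not yet consumed

    def register(self, cred_id: str, key: bytes) -> None:
        self.credentials[cred_id] = key

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, cred_id: str, client_data_json: str, signature: bytes) -> str:
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return "reject: wrong ceremony type"
        if client_data.get("origin") != RP_ORIGIN:
            return "reject: origin mismatch"
        if client_data.get("challenge") not in self.pending:
            return "reject: unknown or reused challenge"
        expected = hmac.new(self.credentials[cred_id], client_data_json.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "reject: bad signature"
        self.pending.discard(client_data["challenge"])  # single use: a replay fails
        return "accept"


def authenticator_sign(key: bytes, challenge: str, origin: str):
    """The browser, not the remote site, records the origin the page is actually loaded from."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    signature = hmac.new(key, client_data_json.encode(), hashlib.sha256).digest()
    return client_data_json, signature


def run_scenarios() -> dict:
    results = {}
    # TOTP: the victim types the code into the phishing page; the attacker relays it within the window.
    totp_secret = b"constructed-shared-secret"
    now = 1_587_463_200  # constructed timestamp, 2020-04-21 10:00:00 UTC
    code_typed_on_phish = totp(totp_secret, now)
    results["totp_relay"] = verify_totp(totp_secret, code_typed_on_phish, now + 5)

    rp = RelyingParty()
    key = secrets.token_bytes(32)
    rp.register("cred-1", key)

    # Legitimate login from the genuine origin, then a replay of the same assertion.
    challenge = rp.new_challenge()
    cd, sig = authenticator_sign(key, challenge, RP_ORIGIN)
    results["webauthn_legit"] = rp.verify("cred-1", cd, sig)
    results["webauthn_replay"] = rp.verify("cred-1", cd, sig)

    # Real-time phishing: the attacker fetches a challenge from the RP, forwards it to the victim
    # on the look-alike site, and relays whatever the victim's authenticator produces.
    challenge = rp.new_challenge()
    cd_phish, sig_phish = authenticator_sign(key, challenge, PHISH_ORIGIN)
    results["webauthn_relayed"] = rp.verify("cred-1", cd_phish, sig_phish)
    # The attacker edits the origin field to the genuine one; the signature no longer matches.
    cd_tampered = cd_phish.replace(PHISH_ORIGIN, RP_ORIGIN)
    results["webauthn_tampered"] = rp.verify("cred-1", cd_tampered, sig_phish)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20} {outcome}")
```

The TOTP relay succeeds because the server has no way to know the code was typed on the wrong site; the WebAuthn-style assertion fails because the origin is inside the signed data, so the attacker can neither present it as-is nor rewrite it.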

If you’re an Assura Managed Multi-Factor Authentication client and have SSO enabled with Zoom, then you’ve taken affirmative measures to protect yourself from this attack. If you haven’t implemented this control and you’re an existing Assura customer, contact your Virtual ISO or Assura POC for further guidance. If you’re not an Assura customer and would like our guidance about this, feel free to contact us using the information below.

Stay safe, stay healthy, and as always feel free to submit any questions you may have about this or any other cybersecurity matter through our website or to [email protected].

Sincerely,

The Assura Team