17 April 2020

CYBER CRIMINALS SELLING VIDEO-TELECONFERENCING CREDENTIALS ON THE DARK WEB — INCLUDING 2,300 USERNAMES AND PASSWORDS FROM ZOOM VIDEO; CAMERA AND MICROPHONE/EAVESDROPPING IS OCCURRING — CHINA MAY COMBINE INFO WITH PURLOINED OPM BREACH MATERIAL


Last week, I wrote an article posted to this blog about the vulnerabilities of video teleconferencing darling — Zoom Video. Robert Lemos posted an April 13, 2020 article to the cyber security and technology blog — DarkReading.com — noting that cyber criminals are taking advantage of the explosion in the use of video teleconferencing and are having a field day. Mr. Lemos writes that “in one case, a cyber criminal posted a data base on the Dark Web, containing more than 2,300 usernames and passwords from Zoom Video,” according to the firm, InSights. InSights warned “the credentials could be used for denial-of-service (DoS) attacks, and pranks such as Zoom ‘bombing,’ as well as potentially for eavesdropping (microphone and camera) and social engineering,” said Etay Maor, Chief Security Officer for the global threat intelligence firm, InSights.

“If the attacker can identify the person whose account he has taken over — and that doesn’t take much time, just use Google and LinkedIn — then the attacker can potentially impersonate that person, and set up meetings with other company employees,” Maor warns. “This can be used for business email compromise (BEC) type of attacks, where the attacker can impersonate someone in the company, and ask to move money. It can also lead to asking people to share files and credentials over Zoom chat.”


“In a second incident,” Mr. Lemos writes, “a cyber criminal posted more than 350 Zoom account credentials to an online forum, with several belonging to educational institutions and small businesses, and at least one healthcare firm.” “The intent of the publication was to allow pranksters and vandals to disrupt video teleconferencing calls,” according to the security intelligence firm, Sixgill.

“Last October, vulnerability researchers discovered a software bug in both Zoom and Cisco’s WebEx applications for video teleconferences that could allow attackers to scan for unprotected conference calls, and join them — if the meeting was not password protected,” Mr. Lemos wrote. “Using a type of attack called enumeration, an automated bot could cycle through potential meeting IDs, and find other unprotected video teleconference calls. While both Zoom and Cisco patched the issue,” other vulnerabilities remain.

The publication Motherboard reported last week that “one hacker, interviewed by Motherboard, claimed to have traded exploits/flaws found in Zoom on the black market for between $5000-$30,000 — a relatively low sum compared to other [similar] bugs that compromise web browsers like Chrome, or operating systems like iOS or Android.”

The rapid shift to remote working is significantly expanding the attack surface for hackers; and not surprisingly, they are taking advantage of this target-rich environment. A whole new genre of artificially-enhanced malware is empowering even novice hackers to masquerade as a legitimate employee or senior company official in what appears to be a legitimate email. With everyone working from home — there are no quick trips down the hall to verify that the email was indeed sent by a colleague or boss. AI-enhanced malware, which is easily obtainable on the Dark Web, is greatly aiding a malicious hacker to practice the art of denial and deception, with malware that hides when it senses it is under surveillance, as well as malware that changes its character and signature patterns.

I am not singling out Zoom, but the idea that they have strong enough cyber security protocols and procedures just doesn’t pass muster. As noted cyber security guru Bruce Schneier wrote on his blog, Schneier on Security, “Zoom’s security is at best sloppy; and malicious at worst.” In an April 3, 2020 blog post, “Security And Privacy Implications Of Zoom,” Mr. Schneier noted, according to the Motherboard report: “Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom subsequently removed the feature; but, its response should worry you about its sloppy coding practices in general. This wasn’t the first time Zoom was sloppy with security,” Mr. Schneier warns. “Last year, a researcher discovered that a vulnerability in the Mac Zoom client, allowed any malicious website to enable the [victim’s] digital camera without permission.” Then earlier this year, it was discovered that Zoom for Windows can be used to steal a user’s Windows credentials, Mr. Schneier added.

And perhaps even more worrisome, “Zoom’s encryption is awful,” Mr. Schneier warns. “First, the company claims to provide end-to-end encryption; but, it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers.” When confronted about the issue, a Zoom spokesperson wrote: “Currently, it’s not possible to offer/enable end-to-end (E2E) encryption for Zoom video meetings.” And the type of encryption software that the company utilizes is weak and leaves a lot to be desired. Zoom documentation claims that the app uses “AES 256” encryption where possible. But as Mr. Schneier notes, “we found that in each Zoom meeting, a single AES 128 key is used in the ECB mode by all participants to encrypt and decrypt audio and video. The use of the ECB is not recommended, because patterns in the plaintext are preserved during encryption. The AES 128 keys, which Citizen Lab verified, are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting — through servers in China — even when all meeting participants, and the Zoom subscriber’s company, are outside of China.”

Mr. Schneier wrote: “I am okay with AES 128, but using ECB (electronic codebook) mode indicates that there is no one at the company that knows anything about cryptography. And, that China connection is worrisome.” You bet it is. There is little doubt that China has slipped some backdoors into the Zoom network or its linkages.
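To show concretely why the ECB finding above matters, here is a small example written for this post (it is not Zoom’s, Citizen Lab’s or Mr. Schneier’s code): it encrypts the same constructed sample of “mostly static” media data under ECB and under CBC with a chained IV, then counts how many ciphertext blocks repeat. It uses real AES-128 when the `cryptography` package is installed; otherwise it falls back to a labelled HMAC-based stand-in block function, which is an assumption that suffices because the leak is a property of the mode, not of AES itself.

```python
"""ECB preserves plaintext structure: equal plaintext blocks give equal ciphertext blocks."""
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def encrypt_block(key: bytes, block: bytes) -> bytes:
        # Raw AES-128 encryption of exactly one 16-byte block.
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # stand-in (assumption): a keyed, deterministic 16-byte function
    def encrypt_block(key: bytes, block: bytes) -> bytes:
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def pad(data: bytes) -> bytes:
    # PKCS#7 padding so the message is a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted independently: identical inputs -> identical outputs.
    pt = pad(plaintext)
    return b"".join(encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext no longer produces repeated ciphertext. IV is prepended.
    pt = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)

def distinct_blocks(data: bytes, skip: int = 0) -> tuple:
    # Returns (number of distinct blocks, total blocks) after an optional prefix skip.
    blocks = [data[i:i + BLOCK] for i in range(skip, len(data), BLOCK)]
    return len(set(blocks)), len(blocks)

def leakage_report(key: bytes, plaintext: bytes, iv: bytes) -> dict:
    # Compare how much block-level structure survives under each mode.
    return {
        "plaintext": distinct_blocks(pad(plaintext)),
        "ecb": distinct_blocks(ecb_encrypt(key, plaintext)),
        "cbc": distinct_blocks(cbc_encrypt(key, plaintext, iv), skip=BLOCK),  # skip IV
    }

# Constructed sample: three identical "static" frames, one changed frame, one static again.
SAMPLE = b"static frame!!!!" * 3 + b"speaker moved :)" + b"static frame!!!!"
print(leakage_report(os.urandom(16), SAMPLE, os.urandom(16)))
```

Under ECB the report shows exactly as many distinct ciphertext blocks as distinct plaintext blocks, so an interceptor can see where the stream changes without the key; under CBC every block differs.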

If you put the enormous OPM breach of a few years ago — which exposed the personal information of millions of Federal employees — especially those who held Top Secret clearances — alongside this, then Zoom becomes even more worrisome. My personal doctor’s office called yesterday to set up a Zoom appointment with me to go over any medications or medical issues, not COVID-19 related, that I needed to discuss, and suggested we conduct this conversation via Zoom — and, that I needed to download the app in advance. I declined and opted instead for a phone call. The point is, if China already has the personal information on Federal employees who hold Top Secret clearances — they can use technology like Zoom to gather additional, personal medical information that could be embarrassing or place the individual in a compromising position. RCP, fortunascorner.com
