Stolen Zoom Credentials: Hackers Sell Cheap AccessMeanwhile, Zoom Continues Security Overhaul With Bug-Bounty Reboot, Geo-Fencing
One measure of the popularity of the Zoom teleconferencing software: Cybercrime forums are listing an increasing number of stolen or cracked accounts for sale.
Using these credentials, miscreants could "Zoom bomb" calls by showing up uninvited, potentially record and leak the contents of calls, as well as push malicious files to meeting participants.
From a defensive standpoint, security experts say the solution involves some simple steps: Zoom meeting organizers should require strong passwords and carefully review all attendees' identity. "Don’t share meeting information on public platforms," Tokyo-based security firm Trend Micro notes in a guide to locking down Zoom and other video conferencing platforms.
It's no surprise that pranksters, criminals - and likely spies - are taking a much closer look at Zoom because COVID-19 has driven so many individuals to mostly stay at home. "With journalists, teachers, personal trainers, yoga classes, families, businesses and even places of worship 'going virtual' to keep people in contact even though physical meetups are no longer allowed, Zoom bandwidth usage has expanded enormously," Paul Ducklin, a researcher at security firm Sophos, says in a blog post.
Concerns over the security of Zoom have led some to attempt to sidestep security challenges by picking other options. The New York City school districts, the government of Taiwan and Standard Chartered Bank have all banned Zoom outright.
But the attention being paid by hackers to Zoom likely extends to Microsoft Teams and Skype, which also have seen a surge in use, as have Cisco's WebEx and LogMeIn's GoToMeeting, among other services, security experts say.
Zoom Credentials, Sometimes Valid, Come Cheap
Stolen email address and password combinations for accessing Zoom accounts have been distributed via cybercrime forums for free or for a very low cost, says Singapore-based cybersecurity intelligence firm Cyble. The company tells Bleeping Computer that it was able to purchase about 530,000 credentials for Zoom accounts for an average of just $0.0020 each. Purchased account information included a victim's email address, password, personal meeting URL, and HostKey - a 6-digit PIN used to gain access to the host controls in a meeting, the publication reports. It contacted a random sampling of the email addresses and found that they were valid, although respondents said some of the passwords being sold were old ones.
Baltimore-based cybersecurity firm ZeroFOX reports that on a single cybercrime forum, it saw more than 4,000 cracked Zoom accounts for sale; it also found 3,600 such accounts circulating for free across dark web forums. For accounts being offered for free, the majority had emails that traced to the higher-education sector, followed by telecommunications and financial services.
In an attempt to avoid police scrutiny, many dark web forums have now banned distributing or advertising stolen Zoom credentials, ZoneFOX reports.
"As hacking forums have restricted discussion of Zoom, chatter has shifted onto Discord channels," it says, referring to the free communications app. "Many of these channel links are shared on social media platforms to improve visibility." Since April 6, the firm says it's seen more than 15,000 posts to social media outlets that link to Discord chats devoted to Zoom bombing.
This isn't the first time that internet-connected devices and services have been abused by third parties.
"A similar string of attacks occurred against Amazon Ring security cameras in December 2019," ZeroFox says (see: Amazon's Ring Mandates Two-Factor Authentication). "Lax Ring security protocols allowed hackers to compromise devices and interact with users, often harassing them. Because of the publicity of these attacks, moderators of the hacking forums used to organize these Ring hacks banned the discussion of the devices, in an attempt to fly under law enforcement’s radar."
It's unclear how many of the Zoom credentials being sold were harvested via credential-stuffing attacks, which refers to attackers obtaining email/password pairs from one site, and trying them on a range of other sites to see where they also work. This remains a widely used attack tactic because it's so effective, thanks to so many people continuing to reuse the same password across different services.
The solution: "Don’t reuse passwords," Ducklin says. "Anyone who’s reused an old password lately has kind of 'pre-hacked' themselves," given the ease with which hackers can run credential-stuffing attacks. Instead, users should ensure they use a different password for every different site or service they use, ideally generated and stored via a password manager to keep track of them all (see: How Can Credential Stuffing Be Thwarted?).
Fake Zoom Domains Spread Malware
Beyond credential stuffing attacks, many other Zoom-themed attacks also are old school.
By the end of March, for example, more than 1,700 new domains with a Zoom theme had been registered, Check Point has reported. The goal of such domains can be to try to trick individuals into falling for phishing attacks and sharing personal information, or running a malicious downloader disguised as legitimate Zoom software (see: Coronavirus Fears Lead to New Wave of Phishing, Malware).
"However, Zoom is not the only application targeted by cybercriminals," Check Point reports. "New phishing websites have been spotted for every leading communication application, including the official classroom.google.com website, which was impersonated by googloclassroom[.]com and googieclassroom[.]com." (Brackets added to prevent readers from going directly to the malicious sites.)
Zoom Overhauls Security Program
As the use of Zoom has surged, the San Jose, California-based company has promised to do better. For starters, CEO Eric S. Yuan recently announced that the company is suspending rolling out new versions for 90 days to focus instead on improving the security of its existing product, such as through geo-fencing (see: Zoom Promises Geo-Fencing, Encryption Overhaul for Meetings).
In the past week, Yuan says the company has removed meeting IDs from the title bar - so screenshots will not reveal the. It also now requires passwords not only by default for joining a meeting, but also for recording it. Admins can also set password complexity minimums for users (see: The Cybersecurity Follies: Zoom Edition).
On Monday, Zoom CTO Brendan Ittelson announced that starting this Saturday, all paid customers can also opt into or out of having their communications routed through different data center regions. "You will not be able to change or opt out of your default region, which will be locked. The default region is the region where a customer’s account is provisioned. For the majority of our customers, this is the United States," he said.
Zoom says it has grouped its data centers into eight regions: U.S., Canada, Europe, India, Australia, China, Latin America and Japan/Hong Kong. Free users will be locked to the default region for where they provisioned their service. Zoom says no one outside of China will ever get that country as a default.
Zoom has also earned plaudits from many in the information security field by hiring two experts to advise it.
Tthe company has tapped Alex Stamos, the former CSO of Facebook and the director of Stanford’s Internet Observatory, to serve as an adviser working on improving the security of its platform as well as better use encryption (see: Zoom Still Addressing Security, Privacy Concerns). “There’s never been a company that has had to scale this quickly, and supporting hundreds of millions of people is a fascinating technical challenge," Stamos say.
Real change is putting effort into investing properly in security and privacy, not just with words, not just by bringing in big names in security, or jacking up bug bounty prices in a frenzy to create the appearance of diligence.https://t.co/DHl1ubnpvI— Katie Moussouris (@k8em0) April 16, 2020
In addition, Zoom has tapped bug bounty guru Katie Moussouris, who launched both Microsoft and the Pentagon's bug bounty programs, to reboot its own bug bounty program. Moussouris, who heads Luta Security, "will be assessing Zoom’s program holistically with a 90-day 'get well' plan, which will cover all internal vulnerability handling processes," the company says.
This week, Zoom also announced that it's also getting additional help from cybersecurity consultancies NCC Group, Trail of Bits, Bishop Fox and Praetorian Security, as well as threat intelligence services from CrowdStrike and Queen Associates' DarkTower. To bolster its encryption capabilities over the longer term, Zoom this week also brought in as consultants Lea Kissner, who formerly headed privacy technology for Google, as well as Matthew Green, a renowned cryptographer and Johns Hopkins University professor who's previously published deep dives into Zoom's encryption.
"Many people are doing the best they can during a very hard time. This includes Zoom’s engineers, who are dealing with an unprecedented surge of users, and somehow managing to keep their service from falling over," Green wrote in an April 3 blog post. "They deserve a lot of credit for this. It seems almost unfair to criticize the company over some hypothetical security concerns right now. But at the end of the day, this stuff is important."