Remote work is hard enough.
We’re already stressed about being stuck at home, worrying about the COVID-19 virus, and trying to make sure our pajamas don’t show up on the webcam during a conference call.
Now, hackers are making it even harder by increasing their attacks on remote workers.
Many conference calls and classrooms use Zoom’s online video conference platform.
Unfortunately, some calls suffer from “Zoom Bombing” when malicious actors hijack sessions.
The FBI recommends that users take the following measures to prevent Zoom Bombing:
- Do not share Zoom conference links on Social Media
- Manage screen-sharing options to “Host Only”
- Do not make meetings or classrooms public
- Ensure users update their local Zoom software
Security companies have added additional recommendations:
- Use the control panel to enable H.323 and SIP encryption for audio
- Use the password option on all Zoom meetings
- Make sure the conferences are being hosted on legitimate Zoom websites
The last recommendation above is required due to the increase in attackers trying to take advantage of Zoom’s popularity.
Both legitimate and malicious actors have registered over 1,700 new Zoom-related domains since the beginning of 2020. While only 4% show suspicious characteristics so far, users still must watch out for copycat domains.
And, Zoom is not the only target.
The phishing websites “googloclassroom” and “googieclassroom” target students and teachers trying to reach classroom.google.com.
All users must step up their vigilance by double-checking URLs. And IT managers may want to consider a cloud-based DNS security service as a safety net.
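As an added illustration (not part of the original post or any product it mentions), the check below is the kind of copycat-domain screen a DNS safety net applies: it flags queried names that are one character away from, or embed, a brand token without belonging to the brand's real domain. classroom.google.com and the two phishing names come from the post; zoom.us as Zoom's legitimate domain and the resolver log lines are assumptions constructed for the example.

```python
# Legitimate registered domains for the brands this post names. classroom.google.com
# is on the page; zoom.us is assumed here to be Zoom's real domain.
LEGIT_DOMAINS = {"google.com", "zoom.us"}
# Brand tokens attackers imitate; "googleclassroom" covers both phishing names quoted above.
BRAND_TOKENS = ("googleclassroom", "google", "zoom")

def edit_distance(a, b):
    """Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host):
    """Return 'legit', 'lookalike' or 'clean' for a queried hostname."""
    host = host.lower().rstrip(".")
    # Last two labels stand in for a proper public-suffix-list lookup.
    if ".".join(host.split(".")[-2:]) in LEGIT_DOMAINS:
        return "legit"
    # Compare each label and the whole squashed name, hyphens removed,
    # so "zoom-us-meeting" is examined as "zoomusmeeting".
    for label in host.split(".") + [host.replace(".", "")]:
        plain = label.replace("-", "")
        for brand in BRAND_TOKENS:
            tolerance = 1 if len(brand) > 5 else 0  # "zoom" must match exactly
            if brand in plain or edit_distance(plain, brand) <= tolerance:
                return "lookalike"
    return "clean"

# Constructed sample resolver log ("client queried_name"), not real data.
SAMPLE_LOG = """\
10.0.0.12 classroom.google.com
10.0.0.12 googloclassroom.com
10.0.0.15 googieclassroom.com
10.0.0.15 zoom.us
10.0.0.20 zoom-us-meeting.example
10.0.0.21 example.org
"""

def flag_queries(log_text):
    """Return (client, name) pairs whose queried name looks like a brand copycat."""
    hits = []
    for line in log_text.splitlines():
        client, name = line.split()
        if classify_host(name) == "lookalike":
            hits.append((client, name))
    return hits
```

Running `flag_queries(SAMPLE_LOG)` flags the two Google Classroom copycats and the hyphenated Zoom lookalike while leaving the real Google and Zoom names alone.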
Of course, bad domains are not the only issue.
Researchers detected versions of the malicious “InstallCore,” a malware installer, masquerading as a legitimate video conferencing software installer by using ‘zoom’ or ‘microsoft-teams’ within the file name.
A phishing attack using these files tricks the user into loading a host of malicious files that render the endpoint vulnerable to future attacks.
More Zoom Issues
Not all Zoom problems stem from attackers.
Many users fail to take basic steps to protect their meetings.
Hackers using the zWarDial software to guess meeting IDs found 2,400 upcoming or recurring Zoom meetings in one day. Their exploration pulled up information such as the date, time, name and basic agenda for the meetings.
Only password-protected sessions escaped detection by the zWarDial tool.
Meanwhile, it seems that major banks, government contractors, consulting firms and many others continue to host meetings open to public interference.
Zoom claims that passwords have been enabled by default since last year, but many users and admins opt out. It’s also possible that some users continue to run out-of-date Zoom software that lacks the default password setting, which also leaves them exposed to several critical vulnerabilities fixed in later versions.
With the number of users growing from 10 million in December to 200 million in March, Zoom can expect to suffer some growing pains. However, their privacy and encryption issues predate their surge in popularity.
Researchers found several significant issues:
- Zoom iPhone app leaked information to Facebook (even if you didn’t have Facebook)
- Mac Zoom client enabled access to endpoint webcams for other software without requiring permissions
- Attackers could use Zoom to steal Windows credentials without warning
- Users could access other conference attendees’ LinkedIn profiles during meetings
- Zoom’s “end-to-end” encryption is only transport encryption; data on Zoom’s servers is unencrypted.
- Zoom’s documented AES-256 encryption “where possible” is typically the weaker AES-128.
- Some Zoom meetings are hosted on servers in China – even when no company subscriber or attendees of the meeting are located there.
While some of these vulnerabilities have been patched, it is up to our security teams to 1) ensure our endpoint users are running fully patched software and 2) decide whether our conference calls are safe to host, unencrypted, on servers in China.
For those who think the issue is limited strictly to Zoom, keep in mind that the company white-labeled their technology to Accession Meeting, AT&T Video Meetings, BizConf, BT Cloud Phone Meetings, EarthLink Meeting Room, Huihui, Office Suite HD Meeting, RingCentral, Telus Meetings, UMeeting, Video Conferencia Telmex, Zoom CN, and Zhumu.
For those looking for alternatives to Zoom, we recommend exploring TechRadar’s article on the top audio and video conferencing platforms.
Zoom remains #3 on their list for ease of use, but there are many other recommendations to explore.
Routers Under Attack
Even if we secure our conferencing platform, attackers will seek any weakness in the communication chain.
Researchers detected a cybercriminal group scanning the internet for vulnerable Linksys routers.
Using a brute-force attack, the group compromises routers that use weak or default credentials. Next, the group hijacks the router’s DNS settings and redirects users to the cybercriminals’ website to download information-stealing software.
Despite concentrating on Linksys routers at this time, this campaign should be a reminder for our security teams to double-check our own routers.
More importantly, we may need to prepare instructions for remote workers to check their home routers.
While usually beyond the scope for the corporate IT department, many organizations cannot afford to have their security undermined by porous home-user security.
Many IT departments struggle to keep up with patching, but 48% manage to update on-premises desktops and laptops in the first three days.
However, that number declines to 42% for remote desktops and laptops – and many workers have started working remotely.
Some users use alternative machines and leave corporate laptops turned off for extended periods of time. Naturally, the automated application of patching can’t happen on a machine that is turned off.
At the other extreme, some users never turn off their machines and cause the IT department to issue warnings or even remotely force a reboot to install critical patches.
Of course, this is only for the organizations with the ability to update patching remotely. For IT departments without automated patching software, the burden of tracking patches and machines for remote workers becomes more complicated and difficult to execute.
Ninety-two percent of IT professionals worry about the security of company-owned devices being used in home networks. Their worries intensify when the employees use personal devices to connect to the company networks from home.
Let Blue Bastion and Ideal Integrations shoulder some of the burden for your IT team.
Our managed IT services and managed security services can supplement an organization’s internal resources so they can catch up with the surge of issues created by the sudden shift to remote workers.
Complete the form below to get started!