Video-Teleconference Hijacking and Phishing Attacks Defense -

TLP:WHITE

Event:

Guidance on Defending Against Video-Teleconference Hijacking and Phishing Attacks

Summary:

On March 27, 2020, Health-ISAC released the threat bulletin “Zoom Bombing and Other Threats Affects Unsecured Web Meetings.” Since then, multiple reports have surfaced that Video-teleconferencing (VTC) platforms continue to be targeted by malicious actors attempting to disrupt online meetings.

As more people work remotely and further rely on the Internet to facilitate remote meetings and online learning, video conferencing services have become a prominent target for online attacks. A surge of attacks, including Zoom Bombing, Malicious Zoom Domain Registrations, and Zoom Room Spoofing occur when bad actors invade video calls to compromise user trust for humor, logistical disruption, fraud, and/or credential harvesting. The behavior has affected numerous institutions and organizations across the globe.

Video Teleconferencing Attacks:

zWarDial Tool

The zWarDial tool automates enumeration of non-password protected Zoom meetings and can test on average 110 meetings per hour with a success rate of close to 14%. Zoom has been scrutinized for the flaws discovered in the platform and the scanning tool zWarDial is no exception. The tool evades Zoom’s attempts to block automated meeting scans that leverage the use of Tor and anonymous browsers. Zoom meeting searches are routed through multiple proxies and potentially exposes Zoom meeting room information without having to log in. Evidently, the passwords by default option is not working as intended which Zoom states the approach may fail under certain circumstances.

Please navigate to the following link for more details.
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/

Zoombombing

As more people work remotely and further rely on the Internet to facilitate remote meetings and online learning, video conferencing services have become a prominent target for online attacks. A surge of attacks, known as Zoombombing, occur when unauthorized users invade video calls with racist, pornographic, or vulgar content for either humor or logistical disruption. The behavior has affected numerous institutions and organizations across the globe.

Several higher learning institutions have reported incidents of racist and pornographic language and imagery crashing their internal virtual classes, as well as several prominent companies and regional book club meetings.

Malicious Domain Registration

Popular video conferencing applications such as Zoom, Teams, and Google are seeing their names used by malicious actors to create newly registered fake domains. Thousands of new domains have been registered.

Health-ISAC is ingesting malicious domains into our intelligence feeds to protect organizations using security automation from known malicious infrastructure and providing the data to members via the Indicators of Compromise (IOC) feed.

Zoom Room Spoofing

Bad actors are inviting people to rooms organized for malicious purposes including malicious link sharing, credential harvesting, and dissemination of propaganda. Individuals are sent links to join malicious VTC platform events. Health-ISAC encourages users to exercise caution if invited to virtual

conferences from a questionable source.

Zoom UNC Vulnerability

Security researchers discovered that Zoom chats automatically turn UNC paths into clickable links on Windows clients. If any user were to click on that link, their Windows username and NTLM credential hash (a decipherable version of a password) could potentially be sent across the internet to the site provided by the attacker.

In addition to the stealing of Windows credentials, UNC injects can also be used to launch programs on a local computer when a link is clicked.

On April 1, Zoom announced a fix for the UNC path rendering issue, which is applied automatically by the Zoom app client. More information can be accessed here https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

FBI Recommended Actions:

As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:

Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
Manage screensharing options. In Zoom, change screensharing to “Host Only.”
Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

CISA Recommended Actions:

The Cybersecurity and Infrastructure Security Agency encourages users and administrators to review the FBI article as well as the following steps to improve VTC cybersecurity:

Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
Ensure VTC software is up to date. Please see Understanding Patches and Software Updates.
https://www.us-cert.gov/ncas/tips/ST04-006

Zoom Vendor Recommended Actions:

Major video conference platform Zoom has published several best practices in order to mitigate Zoom Bombing disruptions and other attacks. Health-ISAC recommends the following actions:

Make all conference meetings password protected.
Discourage sharing meeting links on public-facing platforms.
Enable/Assign a Co-Host that has the same administration duties while the administrator/host presents.
Disable the Allow Removed Participants to Rejoin option, which prevents those kicked off the call to come back.

Additionally, several further measures can be enacted if disruptions persist, although these actions can also affect non-malicious users.

Disable all non-host screen sharing capabilities, making sure screen share capabilities remain host-only.
Enabling of the Waiting Room feature, which allows hosts of the meetings to see participants in a virtual staging area so they can be vetted before joining.