Hackers Use Widespread Zoom Mode to Increase Attacks

The coronavirus crisis has led to a significant increase in the popularity of video streaming platforms such as Zoom. As a result, cyber criminals are showing greater interest in these platforms and are attempting to trick and infect users. Here are three new techniques exploiting Zoom vulnerabilities to beware of:

1. Two New Zero-Day Flaws in Zoom’s MacOS Client Version

Two new zero-day flaws have been uncovered in Zoom’s macOS client version. Successful exploitation of the Zoom vulnerabilities allow attackers to gain root privileges and access their victim’s microphone and camera.

Zoom vulnerabilities allow attackers to gain root privileges and access their victim's microphone and camera

  • Zoom’s Installer Can Allow Unprivileged Attackers to Gain Root Privilege: The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app without any user interaction. This API has been deprecated by Apple in the past because it does not attempt to validate a binary being executed at root. Threat actors can exploit this flaw by simply modifying a binary to include the runwithroot script during installation. Because it would then not be validated, they would ultimately gain root access. 
  • Attackers Can Gain Access to Zoom’s Microphone and Camera: Access to Zoom’s microphone and camera give attackers an option to record Zoom meetings. While recent versions of macOS require explicit user approval for permission to use the computer’s microphone and camera, Zoom has an “exception” that allows code to be injected by third-party libraries. As a result, a third-party library could be loaded into Zoom’s process address space that will automatically inherit all Zooms access rights and ultimately giving attackers control over these camera and microphone permissions. 

Attack Use Cases

2. UNC Path Injection in Zoom Allows Theft of Windows Credentials

Security researchers found that the Zoom Windows client is vulnerable to UNC path injection, which could allow threat actors to steal Windows credentials.

According to the research, the vulnerability exists in the Zoom Chat interface. Any URL address that’s being sent as a chat message is automatically converted into a hyperlink, so that other members can click on it to open a web page in their default browser. The problem is that the Zoom client will convert Windows networking UNC paths into clickable links in the chat messages, as well.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote server using the SMB file-sharing protocol to open the remote file. In this case, Windows will send the user's login-name and NTLM password hash to the server by default.

3. zoom-Bombing attacks

Zoom-bombing is when a threat actor gains unauthorized access to a Zoom meeting to harass its participants.

In the past few days, the FBI reported multiple Zoom-bombing cases. Zoom-bombing is when a threat actor gains unauthorized access to a Zoom meeting to harass its participants in various ways such as spreading hate or pornographic images or recording pranks that later will be shown on social media. This seems to be a new trend used by script-kiddies to harass victims and steal private information.

Our team is ready to support you during this difficult time. We will get through this together. To set up a call with one of our cyber experts, send us your contact details and we will be in touch shortly.