Did Zoom really get hacked?

by rootsun
April 15, 2020

Zoom Video Communications Inc.’s video conferencing app has seen booming popularity since the COVID-19 outbreaks began in January 2020. Zoom usage rose after lockdowns among corporate office workers, students, the millions of people who #stayhome and even football teams like Liverpool FC. This makes it a prime target for threat actors, but the risk can be reduced with a risk-based approach.

Liverpool FC’s tweet, including manager Jürgen Klopp’s interview, shows the importance of Zoom calls in maintaining team spirit during the unprecedented pandemic crisis

Not only have daily average users skyrocketed from 10 million to 200 million, but so has the number of headlines exposing its security loopholes. However, very few of them were about the risk of a volumetric credential stuffing attack, probably because the root cause of this attack is the weakest link in the chain: “users”. For users, the best technology is easy-to-use. Zoom knows this rule very well and has put this message at the center of its marketing campaigns to survive and become profitable in the highly competitive video conferencing market. Signing up to the platform without any friction such as two-factor authentication or complex password requirements is (ready to hear this?) one of its competitive advantages. Less friction means more users and more profit. But there is a dark side.

ZOOM (NASDAQ: ZM) stock has risen by about 75% year-to-date

How did it happen?

First of all, this is not unique to Zoom, and there is no end in sight for this variety of cyber crime activity. Consumer-facing businesses operating in a variety of sectors from E-commerce to Finance are at high risk of facing such an attack.

Threat actors’ primary motivation is financial, but an attack can also lead to identity theft or to the actor gaining reputation on the dark web, which opens doors to new profitable jobs. From the business perspective, as Zoom experienced lately, it can cause a huge loss of brand reputation. A Forbes Insight report found that 46 percent of organizations had suffered damage to their reputations and brand value as a result of a breach. The technical cause does not matter so much, since many consumers don’t have sufficient information to handle such an incident correctly. After the data privacy scandals of recent years, consumers are skeptical and now, more than ever, paying attention to what is happening with their data.

A credential stuffing attack is in principle very simple: a numbers game with a very low success rate per attempt. Threat actors take freshly leaked combo lists containing username-password pairs and perform automated login attempts against an online platform. The credential lists used in these attacks are acquired from a variety of sources, including black markets trading data breach content. The main problem is that users sign up to multiple web applications with the same login credentials, so a breach of one service yields valid logins for others. That makes the attack harder to contain, because it depends heavily on user behavior; however, this is just one aspect.

What can be done?

At SOCRadar, we have been working closely with E-commerce giants and financial institutions to reduce their attack surface by providing them with a multi-functional, automated digital risk protection technology as well as on-demand TIA services. Based on our years of experience and hands-on research, we see how valuable it is to adopt a risk-based, proactive and intelligence-driven approach to cyber security.

The Zoom experience has shown us once again that infrastructure scalability and stability need to be backed by intelligence-driven security that scales with them.

There are a couple of aspects that determine the success of credential stuffing attacks and give adversaries their advantageous position: automation and anonymity. From a Threat Intelligence perspective, understanding the mechanisms behind these aspects can make a positive difference in mitigating the possible harmful results.

The first aspect is automation, which is also a challenge from the threat actors’ perspective. They need software, called an Account Checker or Config File, that checks the massive list of credentials against the targeted web application and detects the valid ones. It needs the capability to bypass security mechanisms, which makes it harder to build. Proactively monitoring the dark web and black markets, where such software and techniques are heavily traded and threat campaigns are promoted, can provide valuable insights into upcoming attack techniques.

Snapshot from a dark web forum where a threat actor is promoting the specific software needed for automated login action to Zoom Platform. This was posted on April 1st, 2020.

The second aspect is anonymity: threat actors leverage bot-infected devices and proxy infrastructures to perform login attempts without creating unusual traffic that would catch attention. Having a Threat Intelligence Programme that provides likely malicious IP addresses and IOCs from recent similar campaigns can help a lot in detecting suspicious login attempts.

A third aspect is proactively monitoring the combo lists traded on the dark web. Knowing which of your own users appear in a fresh leak can be highly useful for detecting, and pre-empting, suspicious login attempts against those accounts.
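The three signals described above (automation, anonymity, and leaked combo lists), together with the password-reuse mechanism outlined in the “How did it happen?” section, can be turned into simple defender-side checks. The following is an added example written for this page; it is not SOCRadar’s product code or anything from Zoom. The log lines, IOC feed, user directory and combo list are all constructed sample data, and the thresholds (5 attempts, 5 distinct users, 30% success rate) are illustrative assumptions a SOC would tune to its own traffic.

```python
"""Credential stuffing signals over a small, constructed authentication log.

Three checks, matching the three aspects discussed in the article:
  1. automation  - one source trying many distinct accounts with a low hit rate
  2. anonymity   - successful logins from IPs already listed in a threat-intel feed
  3. combo lists - which leaked usernames belong to our own user base
"""
from collections import defaultdict
import hashlib
import re

# Constructed sample log lines (not real Zoom logs): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.7 carol@example.com FAIL
2020-04-01T10:00:03Z 203.0.113.7 dave@example.com OK
2020-04-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-04-01T10:05:00Z 198.51.100.9 alice@example.com FAIL
2020-04-01T10:05:30Z 198.51.100.9 alice@example.com OK
2020-04-01T10:06:00Z 192.0.2.44 grace@example.com OK
"""

# Constructed IOC feed (placeholder documentation-range IP, not a real indicator).
KNOWN_BAD_IPS = {"192.0.2.44"}

# Constructed combo list in the usual "email:password" shape; values are invented.
LEAKED_COMBO = ["alice@example.com:Winter2020!", "zed@example.com:hunter2"]

# Constructed user directory, stored as SHA-256 of the lowercase email so the
# comparison never needs the plaintext directory exported to the matching job.
USER_DIRECTORY = {
    hashlib.sha256(e.encode()).hexdigest()
    for e in ["alice@example.com", "bob@example.com", "dave@example.com"]
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((ts, ip, user.lower(), result == "OK"))
    return events


def stuffing_sources(events, min_attempts=5, min_distinct_users=5, max_success_rate=0.3):
    """Automation signal: flag sources that spray many distinct accounts with a low hit rate."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": 0})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["ok"] += int(ok)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
            }
    return flagged


def compromised_logins(events, flagged):
    """Accounts that logged in successfully from a flagged source: candidates for a forced reset."""
    return [(ip, user) for _, ip, user, ok in events if ok and ip in flagged]


def ioc_logins(events, bad_ips):
    """Anonymity signal: successful logins from IPs already present in the threat-intel feed."""
    return [(ip, user) for _, ip, user, ok in events if ok and ip in bad_ips]


def exposed_accounts(combo_lines, user_hashes):
    """Combo-list signal: leaked usernames that exist in our directory (passwords are ignored)."""
    hits = []
    for line in combo_lines:
        email, _, _ = line.partition(":")
        if hashlib.sha256(email.lower().encode()).hexdigest() in user_hashes:
            hits.append(email.lower())
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    flagged = stuffing_sources(ev)
    print("stuffing sources:", flagged)
    print("logins to reset :", compromised_logins(ev, flagged))
    print("IOC logins      :", ioc_logins(ev, KNOWN_BAD_IPS))
    print("exposed accounts:", exposed_accounts(LEAKED_COMBO, USER_DIRECTORY))
```

Run as a script it reports one spraying source, the single account that was successfully opened from it, one successful login from a feed-listed IP, and one directory user present in the leak. The per-source success-rate check is what separates a stuffing run from a normal user mistyping a password: the legitimate retry from 198.51.100.9 touches one account and is not flagged, while the spray from 203.0.113.7 hits six accounts with one success. Only the email side of the combo list is compared, and only as a hash, so the leaked passwords themselves never need to be loaded into the matching job.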

Feel free to reach out to us to learn how SOCRadar can help mitigate the associated risks by addressing the aspects described above.
