Another problem for those using the Zoom videoconferencing service has emerged with the discovery of a database containing Zoom credentials in the hands of a threat actor, according to a cybersecurity firm.
Etay Maor, chief security officer of New York-based IntSights, said in a recent blog the firm’s researchers had come across a cybercriminal who shared a database containing more than 2,300 usernames and passwords to Zoom accounts.
“An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts ‘only’ included an email and password, others included meeting IDs, names and host keys.”
Also discovered — as others have reported — were dark web forums discussing how to gain access to Zoom conferences as well as how to hunt for credit cards of Zoom users.
The blog doesn’t speculate on whether the database came from a data breach at Zoom, a customer, or was merely an unprotected database found after an internet search.
The significance of the database may be reduced by the fact that Zoom meetings are now password-protected by default, although the leaked account passwords and host keys remain usable until the affected accounts change them.
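For an analyst who obtains a copy of a dump like the one IntSights described, the first job is to find out whether their own organisation's domains appear in it and which records carry more than a bare password. The following script is an added example and not IntSights' or the article's own code; the CSV column layout (email, password, meeting ID, host key) and the sample records are constructed for illustration, and the watch-list domain is a placeholder.

```python
import csv
import io
from collections import Counter

# Constructed sample dump (fake records, not the database IntSights described).
# Assumed column layout: email,password,meeting_id,host_key; trailing fields may be empty.
SAMPLE_DUMP = """\
email,password,meeting_id,host_key
alice@examplebank.test,Winter2020!,,
bob@examplebank.test,hunter2,123-456-7890,482913
carol@gmail.com,password1,,
dave@example-health.test,Spring2020,987-654-3210,
erin@yahoo.com,qwerty,555-123-4567,113355
"""

# Consumer mail providers; any other domain is treated as corporate.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# What each field lets an attacker do, ranked from most to least useful:
#   host_key   - claim host controls in the victim's meetings
#   meeting_id - join (or disrupt) a known meeting
#   password   - log into the account itself
RISK = {"host_key": 3, "meeting_id": 2, "password": 1}


def parse_dump(text):
    """Parse the CSV text into normalised records, skipping rows without an email."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        email = (row.get("email") or "").strip().lower()
        if "@" not in email:
            continue
        records.append({
            "email": email,
            "domain": email.rsplit("@", 1)[1],
            "password": (row.get("password") or "").strip() or None,
            "meeting_id": (row.get("meeting_id") or "").strip() or None,
            "host_key": (row.get("host_key") or "").strip() or None,
        })
    return records


def is_corporate(record):
    return record["domain"] not in FREEMAIL_DOMAINS


def risk_score(record):
    """Severity of the most useful field present in the record (0 if none)."""
    return max((v for k, v in RISK.items() if record[k]), default=0)


def triage(records, watch_domains):
    """Summarise the dump and pull out the rows belonging to the analyst's own domains.

    watch_domains: domains the analyst's organisation owns (placeholder values here).
    Hits are sorted so records with host keys come first.
    """
    watch = {d.lower() for d in watch_domains}
    corporate = [r for r in records if is_corporate(r)]
    hits = sorted((r for r in records if r["domain"] in watch),
                  key=risk_score, reverse=True)
    return {
        "total": len(records),
        "corporate": len(corporate),
        "personal": len(records) - len(corporate),
        "with_host_key": sum(1 for r in records if r["host_key"]),
        "with_meeting_id": sum(1 for r in records if r["meeting_id"]),
        "top_domains": Counter(r["domain"] for r in corporate).most_common(5),
        "hits": hits,
    }


if __name__ == "__main__":
    report = triage(parse_dump(SAMPLE_DUMP), {"examplebank.test"})
    for key in ("total", "corporate", "personal", "with_host_key", "with_meeting_id", "top_domains"):
        print(f"{key}: {report[key]}")
    for hit in report["hits"]:
        print(f"reset + revoke: {hit['email']} (risk {risk_score(hit)})")
```

The ordering of the hits is the point: an account whose host key has leaked needs its host key regenerated as well as a password reset, whereas a password-only record is handled by the normal forced-reset process.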
Separately, the CEO of a Swiss-based application testing platform argued in an interview that serious criminals are unlikely to bother hacking videoconferences. “From a technical perspective I don’t think that shifting to Zoom brings a lot of interesting opportunities, at least from the perspective of a professional cyber crew,” Ilia Kolochenko said. “From a risk and intelligence perspective few cybercriminals would be likely to bother to join phone calls unless they have very specific information. Or, unless it is a strategic conference call between a large organization and a supplier that would have an implication to stock value or a confidential announcement and only if they can reliably predict that such a call will take place and the information gained from this call can be sold on the black market.”
A threat actor more likely would get that information by compromising the mobile device or computer of an employee participating in the call, and then recording the call, he argued.
That’s why he believes threat actors will prefer attacking the weakly secured home setups of employees who are now working remotely. “Nobody was fully prepared to shift everyone to working from home,” he said.
As a result IT departments are plugging in “haphazard” solutions to allow staff to work remotely. Cybersecurity has become an afterthought.
“I guess we will probably have a huge number of unprotected assets that contain or process critical information. And just by crawling the internet, you can easily find thousands of databases containing financial information, health records and so on. So from a practical, pragmatic standpoint it would be much easier to profit from shadow IT and exposed infrastructure that is not yet secured than trying to intercept Zoom meetings unless there is a compelling reason to do so.”
Because so many employees are working from home, security awareness of phishing and other threats is vital, he said. Staff should be given “clear, consistent communications” about what is required of them in terms of security. That includes explaining how management and IT will be communicating with them, and a reminder that the organization won’t ask staff by email for login or personal information.
Infosec teams also need to continue to watch for external exposures such as abandoned web sites and exposed databases, the low-hanging fruit threat actors were going after before the pandemic.