Hackers Capitalize on Widespread Zoom Use to Increase Malicious Attacks

Hackers Capitalize on Widespread Zoom Use to Increase Malicious Attacks

Hackers Capitalize on Widespread Zoom Use to Increase Malicious Attacks

By CyberProof Research Team

April 3, 2020

The coronavirus crisis has led to a significant increase in the popularity of video streaming platforms such as Zoom. As a result, cyber criminals are showing greater interest in these platforms and are attempting to trick and infect users. Here are three new techniques exploiting Zoom vulnerabilities to beware of:

1. Two New Zero-Day Flaws in Zoom’s MacOS Client Version

Two new zero-day flaws have been uncovered in Zoom’s macOS client version. Successful exploitation of the Zoom vulnerabilities allow attackers to gain root privileges and access their victim’s microphone and camera.
Malicious Attacks

  • Zoom’s Installer Can Allow Unprivileged Attackers to Gain Root Privilege: The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app without any user interaction. This API has been deprecated by Apple in the past because it does not attempt to validate a binary being executed at root. Threat actors can exploit this flaw by simply modifying a binary to include the runwithroot script during installation. Because it would then not be validated, they would ultimately gain root access. 
  • Attackers Can Gain Access to Zoom’s Microphone and Camera: Access to Zoom’s microphone and camera give attackers an option to record Zoom meetings. While recent versions of macOS require explicit user approval for permission to use the computer’s microphone and camera, Zoom has an “exception” that allows code to be injected by third-party libraries. As a result, a third-party library could be loaded into Zoom’s process address space that will automatically inherit all Zooms access rights and ultimately giving attackers control over these camera and microphone permissions. 

Attack Use Cases

2. UNC Path Injection in Zoom Allows Theft of Windows Credentials

Security researchers found that the Zoom Windows client is vulnerable to UNC path injection, which could allow threat actors to steal Windows credentials.

According to the research, the vulnerability exists in the Zoom Chat interface. Any URL address that’s being sent as a chat message is automatically converted into a hyperlink, so that other members can click on it to open a web page in their default browser. The problem is that the Zoom client will convert Windows networking UNC paths into clickable links in the chat messages, as well.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote server using the SMB file-sharing protocol to open the remote file. In this case, Windows will send the user's login-name and NTLM password hash to the server by default.

3. zoom-Bombing attacks

Malicious AttacksIn the past few days, the FBI reported multiple Zoom-bombing cases. Zoom-bombing is when a threat actor gains unauthorized access to a Zoom meeting to harass its participants in various ways such as spreading hate or pornographic images or recording pranks that later will be shown on social media. This seems to be a new trend used by script-kiddies to harass victims and steal private information.

Our team is ready to support you during this difficult time. We will get through this together. To set up a call with one of our cyber experts, send us your contact details and we will be in touch shortly.

Written by CyberProof Research Team
Our Cyber Research Team is always on the lookout for the latest threats facing the digital ecosystem. Stay ahead of the risks so you don't need to find out about them after they become your next attackers.