Critical Zero-Day Vulnerability Found in Zoom Video Conferencing
Apr 2020

Due to the current COVID-19 situation, the majority of organisations around the world are now working remotely, so remote collaboration tools for conferences and meetings are in high demand. In response, bad actors are taking advantage of the situation, finding new ways to exploit these tools through phishing and zero-day attacks, and to steal and leak the credentials of their targets.

A specific vulnerability has been identified in the popular conferencing tool Zoom. Zoom is a free-to-use video conferencing tool that can support up to 100 people on a single call. For this reason, it has become the go-to option for businesses trying to maintain their usual working schedules remotely. Zoom has many benefits: it is user friendly, interactive and can support your whole team in one place.

However, its practicality has often overshadowed its security and privacy, which has been made apparent by the discovery of a recent critical zero-day vulnerability. The Zoom Windows client is vulnerable to a UNC path injection in the client's chat feature, which allows members on the call to send messages and images. This could allow attackers to steal the Windows credentials of users who click on the link, and may result in limited remote code execution, which can leak network information.

During a Zoom meeting, users interact through a chat interface where they can type messages and send images and videos. Any URLs that are sent are automatically converted into hyperlinks so that other members in the chat can click on them and open the page in their default browser.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the malicious file. By default, when making this connection Windows sends the user's login name and their NTLM password hash, which can be cracked using free tools such as Hashcat to reveal the user's password. This can take less than 16 seconds.
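The behaviour above hinges on a UNC path (two leading backslashes, a host, a share) being treated as a clickable link. The following added example, which is not part of the original article, scans chat text for such paths so that an administrator reviewing exported chat logs can see which links would have triggered an SMB connection; the sample messages and hostnames are constructed for illustration.

```powershell
# Added example (not from the original article): flag UNC paths in chat text.
# Windows resolves \\host\share over SMB and, by default, sends NTLM credentials
# to the host when the link is opened, so these are the links worth reviewing.
function Find-UncLink {
    param([Parameter(Mandatory)][string[]]$Message)

    # Two backslashes, a host (name or IP), a backslash, a share name,
    # then an optional remainder of the path. Whitespace ends the match.
    $pattern = '\\\\(?<host>[^\\\s]+)\\(?<share>[^\\\s]+)(?<rest>\\[^\s]*)?'

    foreach ($m in $Message) {
        foreach ($hit in [regex]::Matches($m, $pattern)) {
            [pscustomobject]@{
                Host    = $hit.Groups['host'].Value
                Share   = $hit.Groups['share'].Value
                UncPath = $hit.Value
                Message = $m
            }
        }
    }
}

# Constructed sample messages: an ordinary URL (harmless to hyperlink),
# a UNC path by hostname, and a UNC path by IP address (203.0.113.0/24 is a
# documentation range, not a real server).
$sample = @(
    'Agenda is at https://intranet.example.com/agenda'
    'See the deck here: \\fileserver.example.com\share\deck.pptx'
    'Notes: \\203.0.113.10\public'
)

# Only the second and third messages are reported.
Find-UncLink -Message $sample | Format-Table -AutoSize
```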

On top of this threat, the amount of ‘Zoombombing’ has rocketed amid the COVID-19 pandemic. Zoombombing is the term coined for when a bad actor takes control of screens mid-meeting and shares hateful messages, pornography, or whatever they like, with the intended audience. In addition, once malware is running on the target system, bad actors can piggyback onto microphones and cameras to view and listen in on conversations without the target's knowledge. This in itself is bad enough, but you don’t need a vivid imagination to see how such scenarios can rapidly turn into ransomware and blackmail.

‘Zoom, while great from a usability point of view, clearly hasn’t been designed with security in mind’. - Patrick Wardle (macOS security researcher)

So, what can you do to avoid becoming a cyber target on Zoom’s platform?

Mitigation

First, check your settings and take the following steps to stop NTLM credentials from being sent to remote servers. The Group Policy setting is found at:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

If this policy is configured to ‘Deny All’, Windows will no longer automatically send your NTLM credentials.

Or, using Registry Editor, create a new DWORD value under the following key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]

Name the value RestrictSendingNTLMTraffic and set its data to 2 (the equivalent of ‘Deny All’). In .reg file syntax:

"RestrictSendingNTLMTraffic"=dword:00000002
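The Group Policy setting and the registry value above are the same control. As an added example (not from the original article or from Zoom), the script below reads the current value, reports what it means, and can set it to Deny All; it must be run in an elevated PowerShell session, and the function names are our own.

```powershell
# Added example (not from the original article): audit and optionally enforce
# "Restrict NTLM: Outgoing NTLM traffic to remote servers".
# Value semantics: 0 = Allow all, 1 = Audit all, 2 = Deny all, absent = not configured.
function Get-OutgoingNtlmPolicy {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $name = 'RestrictSendingNTLMTraffic'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = if ($null -ne $props -and $null -ne $props.$name) { [int]$props.$name } else { $null }
    $meaning = if ($value -eq 2)     { 'Deny all (NTLM is not sent to remote servers)' }
               elseif ($value -eq 1) { 'Audit all (NTLM is still sent, but logged)' }
               elseif ($value -eq 0) { 'Allow all (NTLM sent automatically)' }
               else                  { 'Not configured (behaves as Allow all)' }
    [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Meaning = $meaning }
}

function Set-OutgoingNtlmDeny {
    # SupportsShouldProcess gives the function -WhatIf / -Confirm for free.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $current = Get-OutgoingNtlmPolicy
    if ($current.Value -eq 2) { Write-Host 'Already set to Deny all.'; return }
    if ($PSCmdlet.ShouldProcess($current.Key, "Set $($current.Name) = 2 (Deny all)")) {
        # -Force creates the DWORD value if missing, or overwrites an existing one.
        New-ItemProperty -Path $current.Key -Name $current.Name `
            -PropertyType DWord -Value 2 -Force | Out-Null
    }
}

Get-OutgoingNtlmPolicy          # audit only
# Set-OutgoingNtlmDeny -WhatIf  # preview the change
# Set-OutgoingNtlmDeny          # enforce Deny all
```

Deny All also blocks NTLM to legitimate file servers that cannot use Kerberos; the companion policy "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" is where such servers are listed, so test with Audit All (value 1) first and review the resulting events before enforcing.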

Our Recommendations

Si Consult’s specialists recommend a couple of key actions in order for you and your organisation to stay as safe as possible while working remotely in the coming months.

First, keep all applications and operating systems running at the current released patch level.

Second, implement and monitor Endpoint Detection & Response (EDR) on end user computers to detect advanced threats.

Third, update your anti-virus solutions with the latest virus definitions. And do this regularly.

Fourth, avoid handling, clicking on or using any links, emails or files from an untrusted source.

As cyber threats increase, it is crucial that your security, and that of your team, is regularly reviewed and updated. Educate your employees and your clients to safeguard your data.

For more information, to talk with a specialist, or to view our services amidst the COVID-19 pandemic, contact us here.
