New “Zero-Day” Zoom Exploits Uncovered

Author

ACA Aponix

Type

Cyber Alert

Topics
  • Compliance
  • Cybersecurity

Two new and dangerous exploits of the popular Zoom teleconferencing software have been made available for sale to hackers. These exploits allow attackers to hack Zoom users, spy on calls, and potentially exfiltrate user data.

The exploits are reportedly available for Windows® and MacOS®. Sources indicate that the Windows exploit is particularly dangerous because it is a remote code execution (RCE) attack. RCE attacks do not require a user to first reveal credentials (for example, to a phishing attempt), which makes them even more dangerous. In this instance, the attacker must initially be a participant in the conference call, but with the RCE can then access other data on the user’s machine. The MacOS attack, by contrast, is not an RCE and must be executed locally.

While they have not been observed in active use, these attacks have reportedly been offered for sale to multiple parties. These “zero-day” exploits have not been seen previously and, to this point, have not been addressed with protective software updates.

ACA Guidance

Despite their security issues, Zoom and other teleconferencing tools are needed for business functionality during the COVID-19 crisis. It is essential that security measures be taken to enhance teleconferencing security. Recommended actions include:

  • Follow the teleconference security recommendations presented in this alert, including using unique meeting numbers/PINs, using multi-factor authentication, closing entry after roll call, and updating software to the latest versions.
  • Rotate and change Zoom (and other teleconference software) passwords frequently.
  • Download and install security patches as they become available.
  • Configure Zoom to its highest level of available encryption (H.323/SIP Endpoint Encryption), as follows:

For group administrators:

  1. Sign in to the Zoom web portal as an administrator.
  2. Click Account Management > Account Settings.
  3. Navigate to In Meeting (Basic) > Require Encryption for 3rd Party Endpoints (H323/SIP).
  4. Click the toggle to enable the setting.
  5. If a verification dialog displays, choose Turn On or Turn Off to verify the change.
  6. Click the lock icon to make this setting mandatory for all account users.

For individual users:

  1. Sign in to the Zoom web portal.
  2. Click Settings.
  3. Navigate to In Meeting (Basic) > Require Encryption for 3rd Party Endpoints (H323/SIP).
  4. Click the toggle to enable the setting.
  5. If a verification dialog displays, choose Turn On or Turn Off to verify the change.
  6. Note that if an option is grayed out, it has been locked at the group or account level.

Additional Resources

ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.

How We Help

ACA offers solutions that can help firms enhance their cybersecurity in light of COVID-19 related cybercrime.

Contact Us

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.