Teri Radichel


Zoom RCE…Time to Patch

How does this work exactly? Thinking about attack vectors.



Google Project Zero, always the source of amazing security research, found a flaw in Zoom that lets attackers download malware to your machine using the chat window. Basically, attackers insert attack strings into the chat window to try to get the systems involved in running Zoom to do something unexpected that allows them to deliver malware to your machine.

I’m sending out this PSA because so many people use Zoom — including the people who call to ask me cybersecurity questions through IANS Research. It’s time to update your Zoom client…again. People who call me at IANS may wonder why I don’t use Zoom and only use the phone. This is just one of the reasons. :)

Others may wonder why I don’t like to use Slack and similar forms of communication. Each one is a constant network connection between my computer and a network, and through that network to a bunch of other computers and people I may or may not trust.

Yes, these systems should be secure and they are definitely fine to use, as long as you continuously monitor them and keep them up to date. But they do introduce an additional risk into your environment. This attack demonstrates the concern nicely. So does the fact that I was able to create a C2 channel using Slack and a WordPress attack. That’s just one of many variations on a theme of using existing network paths and communications to deliver malware or commands to a remote system.

These types of security-minded thoughts led to my research into installing Zoom on a locked-down cloud VM (an AWS WorkSpace). When I used this method, I used a stand-alone account and credentials as well. If someone got into this account there wouldn’t be much to see. Move along… Of course, someone could install crypto-miners if things go terribly wrong, so I set budget and other alerts to monitor for additional costs and activity.
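One way to set up the kind of cost alert mentioned above for a throwaway account is an AWS Budgets resource deployed with CloudFormation. The template below is an added example, not the author's own setup: the monthly limit, the 80% and 100% thresholds, the budget name and the email address are all assumptions chosen for illustration.

```yaml
# Added example (not from the post): a CloudFormation template that creates a
# monthly cost budget for an isolated sandbox account and emails an alert when
# actual spend passes 80% of the limit, and earlier if forecasted month-end
# spend would exceed 100% of it. The limit, thresholds and address are
# assumed values; replace the placeholder email before deploying.
AWSTemplateFormatVersion: "2010-09-09"
Description: Monthly cost budget with alerts for an isolated sandbox account (example)

Parameters:
  AlertEmail:
    Type: String
    Default: security-alerts@example.com   # placeholder address
    Description: Address that receives budget notifications
  MonthlyLimitUsd:
    Type: Number
    Default: 20                             # assumed limit for a small sandbox

Resources:
  SandboxCostBudget:
    Type: AWS::Budgets::Budget
    Properties:
      Budget:
        BudgetName: sandbox-monthly-cost
        BudgetType: COST
        TimeUnit: MONTHLY
        BudgetLimit:
          Amount: !Ref MonthlyLimitUsd
          Unit: USD
      NotificationsWithSubscribers:
        # Alert once actual spend reaches 80% of the limit, which is early
        # enough to notice an unexpected workload such as a crypto-miner.
        - Notification:
            NotificationType: ACTUAL
            ComparisonOperator: GREATER_THAN
            Threshold: 80
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail
        # Alert as soon as the forecast for the month would exceed the limit,
        # so a sudden spike is flagged before the actual threshold is crossed.
        - Notification:
            NotificationType: FORECASTED
            ComparisonOperator: GREATER_THAN
            Threshold: 100
            ThresholdType: PERCENTAGE
          Subscribers:
            - SubscriptionType: EMAIL
              Address: !Ref AlertEmail
```

Deploy it into the isolated account with `aws cloudformation deploy --template-file budget.yaml --stack-name sandbox-budget --parameter-overrides AlertEmail=you@example.com`. Budgets evaluate cost data a few times a day rather than in real time, so a budget alert complements, and does not replace, activity monitoring such as CloudTrail or GuardDuty findings on the account.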

The solution above hit some glitches and I never really got back around to it, so generally I just avoid things that create unnecessary risk in my environment whenever possible. Maybe I’ll revisit it in light of recent events when I have time. If you use the above solution, the driver you have to install to get it to work becomes an added attack vector, so there’s that.

I hope that Amazon Chime and similar systems are testing for such things as well. I was recently on an AWS meetup run on Chime and someone attempted to insert attack strings and then dropped off in the middle of my presentation. Lovely. Be aware of this attack vector, consider your deployment model, and keep these applications up to date.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab