Cybercriminals are zooming in on remote workers

By Etay Maor, Chief Security Officer, IntSights

Threat actors have been working hard to design attacks that exploit new vulnerabilities created by the COVID-19 pandemic. Fraudsters, cybercriminals, and even nation-state actors are creating everything from phishing attacks to malware to scams and hoaxes.

IntSights recently released a report breaking down the most common attack techniques. One of the more noteworthy findings of the report is the stark increase in chatter concerning vulnerabilities and exploits pertaining to video conferencing and collaboration tools in deep and dark web forums. Realising most of the workforce is now required to do their jobs from home, threat actors are actively looking for ways to gain access to collaboration and communication tools, like Zoom.

Researchers have already reported multiple vulnerabilities in these tools. Unfortunately, some users ignore even the most basic security measures, like securing online meetings with passwords or PIN codes – or even publicly showing their meeting ID, as seen in the case of the British government – which in turn allows attackers to take advantage of the situation. In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2,300 usernames and passwords to Zoom accounts.

An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys as seen in the image below.

While usernames and passwords are often shared or sold in different forums, what was interesting were some of the discussions that followed. One of the forum participants asked how to gain access into Zoom conferences.

Several posts and threads discussed the different approaches of targeting Zoom’s conferencing services, some of which focused on Zoom checkers and credential stuffing. Checking services are common in credit card fraud – the idea is to check whether a stolen credit card is “fresh” by making a micro donation. If the donation goes through, the card is “fresh” and can be used for fraudulent transactions.

Credential stuffing attacks are a form of brute-force attack in which usernames and passwords are tested against a website or application in an attempt to gain access and take over the account. In this case, the idea is to check the validity of Zoom accounts as well as to potentially harvest additional data regarding the account. One of the participants suggested using a Zoom-specific configuration of OpenBullet.


The OpenBullet GitHub page describes it as “a web-testing suite that allows to perform requests towards a target web app and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pen testing*, unit testing through selenium and much more.
IMPORTANT! Performing (D)DoS** attacks or credential stuffing on sites you do not own (or you do not have permission to test) is illegal! The developer will not be held responsible for improper use of this software.”

OpenBullet is just one of several easy-to-use open source tools that streamline the process of credential stuffing. Cybercriminals have shared configuration files in the past for targets like Ring. While there are different techniques to counter credential stuffing like using captcha, requiring two-factor authentication and limiting the number of login attempts from a specific IP*** address or for specific time intervals, these impose a burden on performance and user experience.

With much of the global workforce confined to work from home using collaboration and conferencing tools to keep businesses running, threat actors are increasingly looking for ways to take advantage of the situation and target people, processes and technologies. Implementing a cyber threat intelligence strategy which is based on the collection, analysis and dissemination of reliable, timely and actionable intelligence is a core component for any cybersecurity programme that aims to be proactive rather than reactive, and defend-forward.


Explore:

Download The Cyber Threat Impact of COVID-19 to Global Business report (registration required).

*Penetration testing attempts to get past existing security protection.
**DDOS stands for distributed denial of service, which can overwhelm computers so they stop working.

***IP stands for Internet protocol.
