Notes from the Field • 4 Mins READ

Critical Zero-Day Vulnerability Found in Zoom Video Conferencing

by Eleanor Barlow • Apr 2020

Due to the current COVID-19 situation, the majority of organisations around the world are now working remotely. This means that remote collaboration tools used for conferences and meetings are in high demand. In response, bad actors are taking advantage of the situation by identifying new ways to exploit these tools, in the form of phishing and zero-day attacks, and to steal and leak the credentials of their targets.

A specific vulnerability has been identified in the popular conferencing tool Zoom. Zoom is a free-to-use video conferencing tool that can support up to 100 people on a single call. For this reason, it has become the go-to option for businesses trying to maintain their usual working schedules remotely. There are a lot of benefits to Zoom: it is user friendly, interactive and can support your whole team in one place.

However, its practicality has often overshadowed its security and privacy, as the discovery of a recent critical zero-day vulnerability has made apparent. While the application is in use, the Zoom Windows client is vulnerable to a UNC path injection in the client’s chat feature, which allows members on the call to send messages and images. This could allow attackers to steal the Windows credentials of users who click on the link, and could result in limited remote code execution and the leaking of network information.

During a conversation in Zoom meetings, users interact through chat interfaces where they can type messages and send images and videos. Any URLs that are sent are automatically converted into hyperlinks, so that other members in the chat can click on them and open a web page in their default browser.

If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the malicious file. By default, when making this connection Windows will send the user’s login name and their NTLM password hash, which can be cracked using free tools such as Hashcat to reveal the user’s password. This can take less than 16 seconds.

On top of this threat, the amount of ‘Zoombombing’ has rocketed amidst the COVID-19 pandemic. Zoombombing is the term coined for when a bad actor takes control of screens mid-meeting, and shares hateful messages, pornography, or whatever they like, to the intended audience. In addition, once malware is running on the intended system, bad actors can piggyback onto microphones and cameras to view and listen in on conversations without the knowledge of the target. This in itself is bad enough. But you don’t need a vivid imagination to reason how such scenarios can rapidly transform into ransomware and blackmail.

‘Zoom, while great from a usability point of view, clearly hasn’t been designed with security in mind’. – Patrick Wardle (macOS security researcher)

So, what can you do to avoid becoming a cyber target on Zoom’s platform?

Mitigation

First, check your settings, and take the following steps to stop NTLM credentials from being sent to remote servers.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers

If this policy is configured to ‘Deny All’, Windows will no longer automatically send your NTLM credentials.

Or, using registry editor, make a new entry at the following path:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]

Make a new entry named:

“RestrictSendingNTLMTraffic”=dword:00000002
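The following PowerShell script is an added example, not part of the original SecurityHQ post, showing how to audit and apply the same registry value from an elevated prompt rather than through the Registry Editor. It assumes the value meanings documented for this policy (0 = Allow all, 1 = Audit all, 2 = Deny all); the function names are the author's own.

```powershell
# Added example (not from the SecurityHQ post): check and set the
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# policy via the registry value the post names. Run from an elevated prompt.
# Assumed value meanings: 0 = Allow all, 1 = Audit all, 2 = Deny all.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'

function Get-OutgoingNtlmPolicy {
    # Returns a readable description of the current setting, or "Not configured"
    # when the value is absent (which behaves like "Allow all").
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (Allow all)' }
    switch ($item.$ValueName) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown value ($($item.$ValueName))" }
    }
}

function Set-OutgoingNtlmPolicy {
    # 'Audit' (1) only logs outgoing NTLM that would be blocked; 'Deny' (2)
    # is the setting the post recommends and stops the credentials being sent.
    param([ValidateSet('Audit', 'Deny')][string]$Mode = 'Deny')
    $value = if ($Mode -eq 'Audit') { 1 } else { 2 }
    # -Force creates or overwrites the value; DWord matches dword:00000002 above.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $value `
        -PropertyType DWord -Force | Out-Null
}

Write-Host "Before: $(Get-OutgoingNtlmPolicy)"
Set-OutgoingNtlmPolicy -Mode Deny
Write-Host "After:  $(Get-OutgoingNtlmPolicy)"
```

Because ‘Deny All’ also blocks legitimate NTLM authentication to remote servers (for example, file shares that do not support Kerberos), it is worth running the policy in ‘Audit’ mode first and reviewing the Microsoft-Windows-NTLM/Operational event log for any business systems that would be affected; the companion policy ‘Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication’ can then be used to allow those specific servers before switching to ‘Deny’.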

Our Recommendations to stay cyber safe while working remotely

SecurityHQ’s specialists recommend a couple of key actions in order for you and your organisation to stay as safe as possible while working remotely in the coming months.

  1. Keep all applications and operating systems running at the current released patch level.
  2. Implement and monitor Endpoint Detection & Response (EDR) on end user computers to detect advanced threats.
  3. Update your anti-virus solutions with the latest virus definitions, and do this regularly.
  4. Avoid handling, clicking on or using any links, emails or files from an untrusted source.

As cyber threats increase, it is crucial that your security, and the security of your team is regularly reviewed and updated. Educate your employees and your clients to safeguard your data.

For more information, to talk with a specialist, or to view our services amidst the COVID-19 pandemic, contact us here.