Zooming in on the Target: Cybercriminals Automate Attacks Against Remote Workers
April 10th, 2020
Subscribe to our blog and stay up to date
Threat actors have been working hard to design attacks that exploit new vulnerabilities created by the COVID-19 pandemic. Fraudsters, cybercriminals, and even nation-state actors are creating everything from phishing attacks to malware to scams and hoaxes. IntSights recently released a detailed report breaking down the most common attack techniques, providing statistics for domain registrations related to the pandemic, discussing CVEs for remote collaboration and communication platforms, identifying nation-states utilizing the situation for disinformation campaigns, and more.
One of the more noteworthy findings of the report is the stark increase in chatter concerning vulnerabilities and exploits pertaining to video conferencing and collaboration tools in deep and dark web forums. Realizing most of the workforce is now required to do their jobs from home, threat actors are actively looking for ways to gain access to collaboration and communication tools, like Zoom.
Researchers have already reported about multiple vulnerabilities in these tools. Unfortunately, some users ignore even the most basic security measures, like securing online meetings with passwords or pin codes – or even publicly showing their meeting ID, as seen in the case of the British government – which in turn allow attackers to take advantage of the situation. In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2300 usernames and passwords to Zoom accounts.
An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys as seen in the image below.
While usernames and passwords are often shared or sold in different forums, what was interesting were some of the discussions that followed. One of the forum participants asked how to gain access into Zoom conferences.
Several posts and threads discussed the different approaches of targeting Zoom’s conferencing services, some of which focused on Zoom checkers and credential stuffing. Checking services are common in credit card fraud – the idea is to check whether a stolen credit card is “fresh” by making a micro donation. If the donation goes through, the card is “fresh” and can be used for fraudulent transactions.
Credential stuffing attacks are a form of brute force attack in which usernames and passwords are tested against a website or application in an attempt to gain access and take over the account. In this case, the idea is to check the validity of Zoom accounts as well as to potentially harvest additional data regarding the account. One of the participants suggested using a Zoom-specific configuration of OpenBullet.
The OpenBullet GitHub page describes it as a “a webtesting suite that allows to perform requests towards a target webapp and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pentesting, unit testing through selenium and much more.
IMPORTANT! Performing (D)DoS attacks or credential stuffing on sites you do not own (or you do not have permission to test) is illegal! The developer will not be held responsible for improper use of this software.“
OpenBullet is just one of several easy-to-use open source tools that streamline the process of credential stuffing. Cybercriminals have shared configuration files in the past for targets like Ring. While there are different techniques to counter credential stuffing like using captcha, requiring two factor authentication and limiting the number of login attempts from a specific IP or for specific time intervals, these impose a burden on performance and user experience.
With much of the global workforce confined to work from home using collaboration and conferencing tools to keep businesses running, threat actors are increasingly looking for ways to take advantage of the situation and target people, processes and technologies. Implementing a cyber threat intelligence strategy which is based on the collection, analysis and dissemination of reliable, timely and actionable intelligence is a core component for any cyber security program that aims to be proactive rather than reactive and defend forward.
For more on the emerging threats related to the coronavirus pandemic, download our report, The Cyber Threat Impact of COVID-19 to Global Business.
Etay Maor is Chief Security Officer at IntSights. As CSO, Etay leads the security advisory practice at IntSights where he works with CISOs and other senior cybersecurity executives to develop risk management-based cybersecurity programs. Etay has extensive experience in cybersecurity having worked at IBM, Trusteer, and RSA. Etay holds a BA in Computer Science and a MA in Counter Terrorism and Cyber Terrorism and is currently a professor at Boston College.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.