A database of over 2,300 valid usernames and passwords to accounts on videoconferencing and collaboration app Zoom has been found for sale on a dark web marketplace by threat researchers at IntSights, a supplier of threat intelligence and protection services.
While much of the discourse around Zoom during the Covid-19 coronavirus pandemic has centred on various vulnerabilities that leave users open to so-called “zoombombing”, and on privacy issues, cyber criminals are now actively seeking to exploit collaboration services, according to IntSights chief security officer Etay Maor.
According to Maor, interest in collaboration apps started to ramp up in the cyber criminal underworld in January 2020, before coronavirus was considered a global threat, but in the weeks since millions of people all over the world have been confined to their own homes, threat actors are now actively looking for ways to get access to collaboration tools like Zoom.
Analysis of the database found that alongside personal accounts belonging to consumers, there were also corporate accounts registered to banks, consultancies, schools and colleges, hospitals, and software companies, among many others. IntSights said that whilst some of these accounts only included an email and password, others included Zoom meeting IDs, names and host keys.
“The more specific and targeted the databases, the more it's going to cost you. A database of random usernames and passwords is probably going to go pretty cheap because it's harder to utilise,” Maor told Computer Weekly.
“But if somebody says they have a database of Zoom users in the UK the price is going to get much higher because it's much more specific and much easier to use.”
Whilst it is not uncommon at all for usernames and passwords to be shared or sold, Maor said that some of the discussions that followed had been intriguing, with the sale spawning a number of different posts and threads discussing different approaches to targeting Zoom users, many of them focused on credential stuffing attacks.
A credential stuffing attack is a brute force attack in which stolen or leaked username and password pairs are tested against a target website in an attempt to gain access and hijack user accounts.
In this case, forum users suggested using a Zoom-specific configuration of OpenBullet, an open source tool created for legitimate purposes – including penetration testing – but one that is easily co-opted for malicious ends, to streamline the credential stuffing process. Once OpenBullet finds a valid set of credentials, it will alert the cyber criminal to the fact they have a target.
Credential stuffing attacks are particularly dangerous because despite clear guidance on the issue, people are strongly inclined to reuse passwords across multiple services. In other words, what is valid for Zoom could well be valid for other enterprise services such as Office 365 or Salesforce, or consumer services.
Organisations can counter and mitigate the impact of credential stuffing attacks via a number of methods, such as implementing CAPTCHAs, requiring multi-factor authentication, and limiting the number of login attempts from a specific IP address over a specific time period.
However, said Maor, these are not always effective because they disrupt the user experience and tempt people to try to find ways around them.
“I can tell you I can secure a Zoom-like application but every time you log in, there's two-factor authentication and a CAPTCHA, and you’ll get a phone call from a rep to make sure that it's you, but in two days that application won't have any users, so it's always a balancing act,” he explained.
Maor also advocates so-called invisible authentication: monitoring user behaviour parameters, such as location and device, to spot logins that look wrong even when the credentials themselves are correct.
“For example, usually I log into Zoom from a Boston IP address with a Windows computer, and all of a sudden you see me log in from Eastern Europe on a Linux computer. The username and password are correct, but something doesn’t look right,” he said.
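A minimal version of the two defensive controls described above, per-IP attempt limiting and behaviour-based login checks, as an added example in Python. It is not IntSights' or Zoom's code; the login events, IP addresses and the country/OS fields (assumed to be supplied by IP geolocation and user-agent parsing upstream) are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class LoginEvent:
    ts: int          # epoch seconds
    user: str
    ip: str
    country: str     # assumed to come from IP geolocation upstream
    os: str          # assumed to come from user-agent parsing upstream
    success: bool

class LoginMonitor:
    """Flags bursts of attempts from one IP and valid logins from an unfamiliar context."""

    def __init__(self, max_attempts=5, window_s=60):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.attempts = defaultdict(deque)   # ip -> recent attempt timestamps
        self.baseline = {}                   # user -> (country, os) seen on first success

    def observe(self, ev):
        alerts = []
        # Sliding window: count attempts from this IP within the last window_s seconds
        q = self.attempts[ev.ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window_s:
            q.popleft()
        if len(q) > self.max_attempts:
            alerts.append(("rate_limit", ev.ip))
        # Invisible authentication: password was right, but the context is new for this user
        if ev.success:
            known = self.baseline.setdefault(ev.user, (ev.country, ev.os))
            if known != (ev.country, ev.os):
                alerts.append(("anomalous_login", ev.user))
        return alerts

# Constructed sample: one stuffing burst against many accounts from a single IP, then a
# user who normally logs in from the US on Windows seen from Eastern Europe on Linux.
SAMPLE = [LoginEvent(t, f"user{t}@example.com", "198.51.100.7", "NL", "Linux", False)
          for t in range(100, 107)]
SAMPLE += [
    LoginEvent(200, "alice@example.com", "203.0.113.5", "US", "Windows", True),
    LoginEvent(300, "alice@example.com", "203.0.113.5", "US", "Windows", True),
    LoginEvent(400, "alice@example.com", "192.0.2.44", "UA", "Linux", True),
]

def run_sample():
    mon = LoginMonitor()
    return [a for ev in SAMPLE for a in mon.observe(ev)]
```

In practice the anomalous_login alert would trigger a step-up check (such as the second factor mentioned below) rather than an outright block, which is the balance Maor describes.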
From the end-user side, adhering to basic password hygiene is the single most important thing one can do to guard against credential stuffing attacks through Zoom, or other accounts. Create strong, unique passwords on all services, and never share them with anybody under any circumstances. It is still worth using two-factor authentication if available – even though it is by no means infallible.
A full disclosure blog containing more information can be read on IntSights’ website, along with a wider report on cyber security during the coronavirus pandemic compiled by the firm’s researchers.