Zoom RCE…Time to Patch
How does this work exactly? Thinking about attack vectors.
Google Project Zero, always the source of amazing security research, found a flaw in Zoom that lets attackers download malware to your machine using the chat window. Basically, attackers insert attack strings into the chat window to try to get the systems involved in running Zoom to do something unexpected that allows them to deliver malware to your machine.
Zooming in on Zero-click Exploits
I’m sending out this PSA because so many people use Zoom — including the people who call to ask me cybersecurity questions through IANS Research. It’s time to update your Zoom client…again. People that call me at IANS may wonder why I don’t use Zoom and only use the phone. This is just one of the reasons. :)
Others may wonder why I don’t like to use Slack and similar forms of communication: they keep a constant network connection open between my computer and a network, and through that network to a bunch of other computers and people I may or may not trust.
Yes, these systems should be secure and they are definitely fine to use, as long as you continuously monitor and keep systems up to date. But they do introduce an additional risk into your environment. This attack demonstrates the concern nicely. So does the fact that I was able to create a C2 channel using Slack and a WordPress attack. That’s just one of many variations on a theme of using existing network paths and communications to deliver malware or commands to a remote system.
These types of security-minded thoughts led to my research into installing Zoom on a locked down cloud VM (an AWS Workspace). When I used this method, I used a stand-alone account and credentials as well. If someone got into this account there wouldn’t be much to see. Move along… Of course, someone could install crypto-miners if things go terribly wrong, so I set budget and other alerts to monitor for additional costs and activity.
The solution above hit some glitches and I never really got back around to it, so generally I just avoid things that create unnecessary risk in my environment whenever possible. Maybe I’ll revisit it in light of recent events when I have time. If you use the solution above, the driver you have to install to get it to work becomes an added attack vector, so there’s that.
I hope that Amazon Chime and similar systems are testing for such things as well. I was recently on an AWS meetup run on Chime and someone attempted to insert attack strings and then dropped off in the middle of my presentation. Lovely. Be aware of this attack vector, consider your deployment model, and keep these applications up to date.
Teri Radichel — Follow me @teriradichel
© 2nd Sight Lab 2022
Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts