Published in Cloud Security

Zoom RCE…Time to Patch

How does this work exactly? Thinking about attack vectors.

Google Project Zero, always the source of amazing security research, found a flaw in Zoom that lets attackers download malware to your machine using the chat window. Basically, attackers will insert attack strings into the chat window to try to get the systems involved in running Zoom to do something unexpected that allows them to deliver malware to your machine.

I’m sending out this PSA because so many people use Zoom — including the people who call to ask me cybersecurity questions through IANS Research. It’s time to update your Zoom client…again. People that call me at IANS may wonder why I don’t use Zoom and only use the phone. This is just one of the reasons. :)

Others may wonder why I don’t like to use Slack and similar forms of communication: a constant network connection between my computer and a network, and through that network to a bunch of other computers and people I may or may not trust.

Yes, these systems should be secure and they are definitely fine to use, as long as you continuously monitor and keep systems up to date. But they do introduce an additional risk into your environment. This attack demonstrates the concern nicely. So does the fact that I was able to create a C2 channel using Slack and a WordPress attack. That’s just one of many variations on a theme of using existing network paths and communications to deliver malware or commands to a remote system.

These types of security-minded thoughts led to my research into installing Zoom on a locked down cloud VM (an AWS Workspace). When I used this method, I used a stand-alone account and credentials as well. If someone got into this account there wouldn’t be much to see. Move along… Of course, someone could install crypto-miners if things go terribly wrong, so I set budget and other alerts to monitor for additional costs and activity.

The above solution hit some glitches and I never really got back around to it, so generally I just avoid things that create unnecessary risk in my environment whenever possible. Maybe I’ll revisit it again in light of recent events when I have time. If you use the above solution, the driver you have to install to get this to work becomes an added attack vector, so there’s that.

I hope that Amazon Chime and similar systems are testing for such things as well. I was recently on an AWS meetup run on Chime and someone attempted to insert attack strings and then dropped off in the middle of my presentation. Lovely. Be aware of this attack vector, consider your deployment model, and keep these applications up to date.

Teri Radichel — Follow me @teriradichel

© 2nd Sight Lab 2022


Want to learn more about Cybersecurity and Cloud Security? Check out: Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
