IntSights, the threat intelligence company focused on enabling enterprises to Defend Forward™, today published an article analysing how cybercriminals are automating attacks against remote workers, including how user credentials for the online conferencing platform Zoom have been put up for sale on the dark web. The research, conducted by Etay Maor, chief security officer of IntSights, found that these credentials belong to personal and corporate accounts across a wide range of sectors, including banks, higher education institutions and healthcare providers.
As COVID-19 sweeps across the world, there has been an unprecedented shift to work-from-home arrangements. Millions of people working and learning remotely use tools such as Zoom for internal meetings, large-group webinars and online lessons, leading to a rise in security and privacy concerns about the use of cloud-hosted conferencing platforms. To prevent further breaches and loss of data, some large companies and governments have since banned the use of Zoom. More starkly, Etay found that cybercriminals are embarking on credential stuffing attacks, in which usernames and passwords leaked from one service are tested across multiple websites in the hope of gaining access, taking over the account, or harvesting additional data that can potentially unlock much larger rewards.
Threat actors have been working hard to design attacks that exploit new vulnerabilities created by the COVID-19 pandemic. Fraudsters, cybercriminals, and even nation-state actors are creating everything from phishing attacks to malware to scams and hoaxes. IntSights recently released a detailed report breaking down the most common attack techniques, providing statistics for domain registrations related to the pandemic, discussing CVEs for remote collaboration and communication platforms, identifying nation-states utilizing the situation for disinformation campaigns, and more.
One of the more noteworthy findings of the report is the stark increase in chatter concerning vulnerabilities and exploits pertaining to video conferencing and collaboration tools in deep and dark web forums. Realizing most of the workforce is now required to do their jobs from home, threat actors are actively looking for ways to gain access to collaboration and communication tools, like Zoom.
Researchers have already reported multiple vulnerabilities in these tools. Unfortunately, some users ignore even the most basic security measures, such as securing online meetings with passwords or PIN codes, or even publicly show their meeting ID, as seen in the case of the British government, which in turn allows attackers to take advantage of the situation. In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2,300 usernames and passwords for Zoom accounts.
An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys as seen in the image below.
While usernames and passwords are often shared or sold in different forums, what was interesting were some of the discussions that followed. One of the forum participants asked how to gain access into Zoom conferences.
Several posts and threads discussed different approaches to targeting Zoom's conferencing services, some of which focused on Zoom "checkers" and credential stuffing. Checking services are common in credit card fraud: the idea is to check whether a stolen credit card is "fresh" (still active and not yet blocked) by making a micro-donation. If the donation goes through, the card is "fresh" and can be used for fraudulent transactions.
Credential stuffing is a form of brute-force attack in which username and password pairs obtained from earlier breaches are replayed against a website or application, in an attempt to gain access to and take over the accounts of users who reused the same password. In this case, the idea is to check which of the leaked Zoom accounts are still valid, and potentially to harvest additional data about each account. One of the participants suggested using a Zoom-specific configuration of OpenBullet.
The OpenBullet GitHub page describes it as "a webtesting suite that allows to perform requests towards a target webapp and offers a lot of tools to work with the results. This software can be used for scraping and parsing data, automated pentesting, unit testing through selenium and much more.
IMPORTANT! Performing (D)DoS attacks or credential stuffing on sites you do not own (or you do not have permission to test) is illegal! The developer will not be held responsible for improper use of this software."
OpenBullet is just one of several easy-to-use open source tools that streamline credential stuffing. Cybercriminals have shared configuration files in the past for targets like Ring. There are well-known techniques to counter credential stuffing, such as CAPTCHAs, requiring two-factor authentication, and limiting the number of login attempts from a specific IP address or within a specific time interval, but each of these imposes some cost in performance or user experience, which is why they are often left switched off.
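The rate-limiting and monitoring controls mentioned above only work if the defender can tell a credential stuffing run apart from ordinary traffic, and from a classic password brute force. The following is an added illustration (not IntSights' research code, nor anything from OpenBullet or Zoom) of the detection side: it reads constructed authentication log lines in an assumed `timestamp ip username result` format, looks at each source IP over a sliding window, and classifies a burst as credential stuffing when almost every attempt uses a different username (each leaked pair is tried once), versus password brute force when one username is hammered with many guesses. It then lists the accounts that logged in successfully from a stuffing source, since those are exactly the leaked credentials that turned out to still be valid and need a forced reset. The IP addresses, usernames and thresholds are all made up for the example.

```python
"""Credential stuffing detection over authentication logs (added illustration).

All log lines below are constructed for the example; they are not real
Zoom, IntSights or OpenBullet data. The log format is an assumption:
    <ISO-8601 timestamp>Z <source IP> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed source addresses (documentation ranges, RFC 5737).
STUFFING_IP = "203.0.113.7"    # replays leaked username/password pairs
BRUTE_IP = "198.51.100.4"      # guesses many passwords for one account
BENIGN_IP = "192.0.2.10"       # a user who mistyped once, then logged in


def build_sample_log():
    """Return constructed log lines covering all three behaviours."""
    base = datetime(2020, 4, 10, 9, 0, 0)
    lines = []
    # Credential stuffing: 12 distinct leaked accounts, each tried once;
    # one of them (user4) still has the leaked password and succeeds.
    for i in range(12):
        result = "OK" if i == 4 else "FAIL"
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts}Z {STUFFING_IP} user{i}@example.org {result}")
    # Password brute force: one account, 12 failed guesses.
    for i in range(12):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        lines.append(f"{ts}Z {BRUTE_IP} carol@example.org FAIL")
    # Benign: a typo followed by a successful login a few seconds later.
    ts = (base + timedelta(minutes=1)).isoformat()
    lines.append(f"{ts}Z {BENIGN_IP} dave@example.org FAIL")
    ts = (base + timedelta(minutes=1, seconds=5)).isoformat()
    lines.append(f"{ts}Z {BENIGN_IP} dave@example.org OK")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), ip, user, result == "OK"


def analyze(lines, window=timedelta(minutes=5), min_attempts=10, stuffing_ratio=0.8):
    """Classify each source IP's busiest window of login attempts.

    A window with at least `min_attempts` attempts is flagged as
    credential_stuffing when the share of distinct usernames is at least
    `stuffing_ratio` (each leaked pair tried about once), as
    password_brute_force when a single username is attacked, and as
    suspicious_volume otherwise. IPs below the threshold are not reported.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so the span never exceeds `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) < min_attempts:
                continue
            users = {user for _, user, _ in span}
            failures = sum(1 for _, _, ok in span if not ok)
            stats = {
                "attempts": len(span),
                "distinct_users": len(users),
                "failures": failures,
                "successes": len(span) - failures,
            }
            if len(users) / len(span) >= stuffing_ratio:
                stats["verdict"] = "credential_stuffing"
            elif len(users) == 1:
                stats["verdict"] = "password_brute_force"
            else:
                stats["verdict"] = "suspicious_volume"
            if best is None or stats["attempts"] > best["attempts"]:
                best = stats
        if best is not None:
            findings[ip] = best
    return findings


def accounts_to_reset(lines, findings):
    """Usernames that logged in successfully from an IP flagged as
    credential stuffing: their leaked passwords are confirmed valid."""
    flagged = {ip for ip, s in findings.items() if s["verdict"] == "credential_stuffing"}
    hits = set()
    for line in lines:
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    log = build_sample_log()
    result = analyze(log)
    for ip, stats in result.items():
        print(ip, stats)
    print("force password reset for:", accounts_to_reset(log, result))
```

The distinguishing signal is the ratio of distinct usernames to attempts, which is close to one for a stuffing run and close to zero for a brute force; the success count inside a stuffing window is the list of accounts the attacker now owns. A per-IP detector like this is deliberately simple: a tool such as OpenBullet is normally run through a proxy list so that each address makes only a handful of attempts, which is why production defences also look at the same ratio per target account, per user-agent fingerprint and across the whole login endpoint, rather than per source IP alone.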
With much of the global workforce confined to work from home using collaboration and conferencing tools to keep businesses running, threat actors are increasingly looking for ways to take advantage of the situation and target people, processes and technologies. Implementing a cyber threat intelligence strategy which is based on the collection, analysis and dissemination of reliable, timely and actionable intelligence is a core component for any cyber security program that aims to be proactive rather than reactive and defend forward.
For more on the emerging threats related to the coronavirus pandemic, download our report, The Cyber Threat Impact of COVID-19 to Global Business.