Zoom Can Expose You To Cyber Attacks

Uploaded on 2022-06-13 in FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The video-conference platform Zoom has disclosed four new software problems and vulnerabilities that expose users to cyber attacks.

Cyber security researchers found that the vulnerabilities can be used to compromise users over the platform’s chat function. This is possible if criminal hackers send a specially crafted XMPP (Extensible Messaging and Presence Protocol) message and executing malicious code.

If the specific message is sent, an attacker could trigger clients into connecting to a man-in-the-middle server that presented a version of the Zoom client from 2019. Google Project Zero security researcher Ivan Fratric, who uncovered the problems, has said, “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol.”

XMPP is the standard upon which Zoom’s chat feature is built. A cyber-attacker can pose as a regular user through exploitation of the afore-mentioned vulnerabilities. In turn, the individual can connect to a suspicious server and download an update, resulting in arbitrary code execution stemming from a downgrade attack.

Zoom, the video-conferencing platform that has become a staple for connection and communication since the onset of COVID-19 and now Zoom has acknowledged that the security vulnerabilities, ranging from 5.9 to 8.1 in severity, can be exploited to compromise chat users.

The vulnerabilities could be exploited to compromise users over chat by sending specially crafted  XMPP messages and executing malicious code.

In the Report, Fratric writes: “Initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between XML parsers on Zoom's client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. “From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack.”

The issue at the core of these vulnerabilities is the ability of a cyber attacker to find inconsistencies between XML parsers in the software’s client and server.

When this happens, XMPP stanzas can be sent to the victim of the attack. This allows hackers to take advantage of software updates, weaponizing the process and delivering an outdated, less secure version of Zoom to prospective targets through a malicious server.

David Mahdi CISO advisor at Sectigo, commented on these forms of social hacks and offers advice on how to avoid becoming a victim: “As a form of social engineering, attacks like this can be incredibly hard to prevent, with attackers using incredibly savvy methods to trick users into doing 'the wrong thing', such as clicking a bad link that will download malware... Attackers are now deploying a growing variety of tactics, such as supply chain attacks and social engineering, to target organizational issues inherent with hybrid work, human error, and shadow IT.
“Multi-factor authentication (MFA), when correctly deployed, can mitigate cyber-criminal attacks from using stolen credentials to access devices or networks in the case of a phishing attack.” according to Mahdi. 

Zoom:     TEISS:      Infosecurity Magazine:    IT Governance:    Wired:  Google:     Chromium:  

You Might Also Read: 

Microsoft Eliminates Cyber Attack Flaws:

 

« Critical Business Systems Left Unmonitored & Insecure
REvil Have Returned - Or Have They? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

Zentek Digital Investigations

Zentek Digital Investigations

Zentek has been providing digital forensics services to the public and private sector for computers and mobile devices since 2004.

Concise Technologies

Concise Technologies

Concise Technologies provide specialist IT and telecoms solutions, support services, managed backup, disaster recovery, cyber security and consultancy to SME businesses across the UK and Europe.

Combitech

Combitech

Combitech is the Nordic region’s leading cyber security consultancy firm, with about 260 certified security consultants helping companies and authorities prevent and manage cyber threats.

Rafael

Rafael

Rafael has more than 15 years of proven experience in the cyber arena providing solutions for national security as well as commercial applications.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

LibraSoft

LibraSoft

Librasoft creates solutions to protect information from external and internal threats.

NWN Carousel

NWN Carousel

NWN Carousel delivers AI-powered technology solutions for the modern workplace. From unified communications and intelligent infrastructure to robust cybersecurity.

Guernsey

Guernsey

Guernsey provides a wide range of engineering, architecture and consulting services to multiple markets, including cybersecurity consulting and CMMC certification.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

Cyphershield

Cyphershield

Cypershield is a Security and Smart Contract audit company providing professional smart contract auditing services for varied Crypto projects.

St Fox

St Fox

St. Fox is a leading consultancy helping enterprises secure their Cloud, Data, endpoints, and applications.

Trustmi

Trustmi

Trustmi is a leading fintech cybersecurity solution designed to prevent financial losses from fraud and errors, 24/7.

QRC Assurance & Solutions

QRC Assurance & Solutions

QRC is a PCI QSA, QPA, ISO accredited, CPA and CERT-IN empanelled organization with vast experience in conducting certification, regulatory audits, pen testing services, training and more.

Western Balkans Cyber Capacity Centre (WB3C)

Western Balkans Cyber Capacity Centre (WB3C)

WB3C is a programme founded by France, Slovenia and Montenegro with the mission of building a secure and connected Western Balkans region through enhancing its cyber capabilities and resilience.