Skip to main content

Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping

 

Cequence Security’s CQ Prime Threat Research Team discovered of a vulnerability in Cisco Webex and Zoom video conferencing platforms that potentially allows an attacker to enumerate or list and view active meetings that are not protected.


The web conferencing market includes nearly three dozen vendors, some of whom may use similar meeting identification techniques. Although the CQ Prime team did not test each of these products, it is possible they could be susceptible as well.

Prying-Eye vulnerability

The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs. If the common user practice of disabling security functionality or not assigning a password is followed, then the bad actor would be able to view or listen to an active meeting. If a user has chosen the option of configuring a personal meeting ID to simplify meeting management, a bad actor can store that information for future snooping activity.
“The Cequence finding highlights the fact that APIs are a growing attack surface and that APIs can be exploited when not properly secured. Organizations are struggling to figure out how to protect their APIs and often use the wrong technology to secure them, such as API gateways, web application firewalls or nothing at all. With Akamai recently announcing that 82% of their CDN traffic is API traffic, and with the average organization running over 600 APIs, there’s a clear and present danger with APIs that organizations need to address,” said Alissa Knight, Senior Analyst with Aite Group.

Enumeration attacks

Any application, not just video conferencing, that uses numeric, or alpha-numeric identifiers, is susceptible to an enumeration attack technique. The fact that web conferencing end users have a tendency to either disable or ignore security functionality for whatever reason has significant business ramifications.
“Security of all types, from traditional network level to user best practices, is an increasingly high priority for corporate boards and ensuring web conferences are secure should be common practice. As a board member, if for example we are reviewing quarterly financials and future looking forecasts with the executive team and the meeting is compromised due to a vulnerability like this, a bad actor would be able to eavesdrop on the web conference, gaining insider information,” said Mark Adams, Board Member at Seagate Technology PLC and Cadence Design Systems.

API as a target for automated attacks

The use of an API as a target for automated attacks is increasingly common, driven by mobile device ubiquity and the move towards modular applications where APIs are used as the foundational elements of the application business logic.
“In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community,” said Shreyans Mehta, Cequence Security CTO. “In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities.”

Addressing the vulnerability

The CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings after the initial discovery in July 2019.
Both Cisco and Zoom have posted advisories to their customer base with steps on how to address this vulnerability.
According to the Cisco Product Security Incident Response Team (PSIRT), “We have issued an informational security advisory to provide our customers with the information they require. Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all Webex meetings. Cisco PSIRT is not aware of any malicious exploitation of this potential attack scenario.”
“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature. Zoom hosts can also choose to protect their meetings and webinars via password. Passwords are now enabled as the default setting for Zoom meetings, but as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings,” said Richard Farley, CISO of Zoom Video Communications, Inc.

 Article Credits: https://www.helpnetsecurity.com/2019/10/01/prying-eye-vulnerability/


Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...