As more companies use Zoom videoconferencing to meet and collaborate amid COVID-19, attackers are turning their attention to ways they can target the platform. Many large companies are asking:
- From a settings and best practices perspective, what can companies do to defend themselves?
Here are some suggestions, ordered by importance and effectiveness against the threat actor activity currently being observed.
- Problem 1: Attackers are brute-force guessing Zoom’s meeting ID.
  - Mitigation A: Use passwords (even simple ones) for your meetings.
  - Mitigation B: Enable one or more of the following settings:
    - Require a password when scheduling new meetings.
    - Require a password for instant meetings.
    - Require a password for the Personal Meeting ID (PMI).
    - Require a password for participants joining by phone.
  - Mitigation C: Enable “Only authenticated users can join meetings.”
- Problem 2: A meeting ID and password, or a meeting URL that embeds the password, is posted publicly and disruptive people join.
  - Mitigation A:
    - Enable “Allow host to put attendee on hold.”
    - Disable “Participants video.”
    - Enable “Mute participants upon entry.”
    - Disable sharing for all participants.
    - Enable “Disable desktop/screen share for users.”
    - Disable “Annotation.”
    - Disable “Whiteboard.”
  - Mitigation B: Enable “Waiting Room.”
  - Mitigation C: Disable “Virtual backgrounds.”
- Problem 3: Zoom renders UNC paths as clickable links; a Windows client that follows one can send the user’s NTLM credentials to the remote server named in the path.
  - Mitigation: Until a patch is available, prevent NTLM credentials from being sent to remote servers.
- Problem 4: Meeting attendees are broadcasting inappropriate content.
  - Mitigation A: Allow the host to put attendees on hold.
  - Mitigation B: Disable “Virtual backgrounds.”
- Problem 5: Attackers can see directory information for users logging in via non-corporate email domains.
  - Mitigation: Restrict usage of personal accounts (particularly on uncommon hosted email domains).
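The Problem 3 mitigation (stop outgoing NTLM authentication to remote servers) applied to a Windows endpoint, as an added example that is not part of the original report. It assumes an elevated PowerShell session on Windows 10 / Server 2016 or later, and uses the documented registry backing of the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”; the rule name and parameter names are this example's own.

```powershell
# Added example: apply the Problem 3 mitigation on a Windows endpoint so that a
# clicked UNC link in Zoom chat cannot leak the user's NTLM credentials.
# Assumptions: run elevated; RestrictSendingNTLMTraffic is the documented registry
# backing for "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# 1 = Audit all (log only), 2 = Deny all. Roll out in Audit first and review what
# breaks (legacy file shares, printers) before switching to Deny.
param(
    [ValidateSet('Audit', 'Deny')]
    [string]$Mode = 'Audit',
    [switch]$BlockOutboundSmb   # additionally block TCP/445 egress at the host firewall
)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$value  = if ($Mode -eq 'Deny') { 2 } else { 1 }

if (-not (Test-Path $lsaKey)) { New-Item -Path $lsaKey -Force | Out-Null }
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord

if ($BlockOutboundSmb) {
    # Defence in depth: even if the NTLM policy is later relaxed, an SMB session to an
    # internet host has no business leaving a workstation. Scoped to Public/Private so
    # domain file shares on the Domain profile keep working.
    $ruleName = 'Block outbound SMB (UNC credential leak mitigation)'   # example name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Public,Private | Out-Null
    }
}

# Read the value back so the change can be verified (and fed to an inventory tool).
$current = (Get-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic').RestrictSendingNTLMTraffic
switch ($current) {
    0 { 'Outgoing NTLM: Allow all (not mitigated)' }
    1 { 'Outgoing NTLM: Audit all (logging only)' }
    2 { 'Outgoing NTLM: Deny all (mitigated)' }
}
```

Deploying the same value through Group Policy rather than a script is preferable at scale; the script is useful for spot-checking individual hosts.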
This is a case where having security standards and policies that cover all vendors and business applications will come in handy. Local system monitoring and alerting on Zoom-related network connectivity is worth analyzing, although you might not see much or be able to act on what you do see.
One of the most important things is to get legal counsel and/or the organization's security committee involved for a review of legalese and related security issues.
From a purely security standpoint, Zoom does a decent job and has a number of security-related features, such as:
- Multifactor authentication (MFA)
- The ability to encrypt chat communications
- Password options for meetings
End-to-end encryption is actually very difficult to do in Zoom’s environment, based on how the interaction works. I’m not saying it’s impossible, because GoToMeeting employs it. But a solid policy and stance around privacy would go a long way, such as having no ability for Zoom personnel to eavesdrop or intercept Zoom customer communications.
To Kevin's point, the top issues happen when people fail to:
- Use a PMI.
- Create conference bridges with passcodes associated with them.
- Ensure the end-to-end encryption is enabled in the account (which only impacts chat sessions, not the video).
Users should set up waiting rooms and then lock the meeting once everyone has joined. Also, the host can restrict who can join a meeting by login or email domain.
- Harden VPN, Video and IM Against Attacks Exploiting COVID-19, March 26, 2020
- COVID-19 and InfoSec: What You Need to Know, April 1, 2020
- Poll: Likely COVID-19-Themed Attack Vectors, March 17, 2020
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.