With millions of Americans and their employers adapting to government-mandated stay-at-home orders and social distancing advisories, it’s no surprise that we’ve seen a huge surge in the popularity of collaboration tools that allow businesses and consumers to stay connected with the outside world. Apps like Zoom, Slack, Microsoft Teams and WebEx have seen their user numbers skyrocket since businesses started to enforce work-from-home decrees to flatten the curve. In fact, Zoom added more active users (2.2M) in January and February alone than it did in the entirety of 2019. However, this rapid ascent has also exposed severe security vulnerabilities that adversaries have started to pick up on.
By Andrew Homer, VP of Security Strategy at Morphisec
Why? Most adversaries operate on a business model that will be familiar to those in the corporate world; they spend their time building exploits for tools that are widely used to maximize their return on investment and thus their profits. Now that collaboration tools like Zoom, Slack and WebEx are increasing in popularity, threat actors have started to focus on them. This is particularly concerning because collaboration app software providers often are not organized around quickly patching zero-days and hardening their software, largely because they have not needed to be before now. And it shows.
No less than Google, SpaceX, and even NASA recently banned their remote employees from using Zoom. Shifts from such prominent organizations have shone a spotlight on the widely popular video conferencing tool’s security flaws. While “ZoomBombing” trolls can certainly be embarrassing, those are more pranksters than serious threat actors. What those news stories do, however, is highlight Zoom’s vulnerabilities in the face of sophisticated ransomware, zero-day attacks, and malware targeting its current weaknesses.
Just a couple of weeks ago, Morphisec Labs researchers presented a discovery that the Zoom app itself can be used as a delivery tool for recording and stealing information. A sophisticated attack using a trusted collaboration application like Zoom is particularly alarming because it is trusted, signed, and perhaps even whitelisted in some cases. As a result, an attack via Zoom likely will not flag any alarms on detection logic that might be thrown with other recording software. Traditional antivirus software would have no remedy for defending against this type of breach. This is just one example. Another is that Zoom is vulnerable to a classic Windows ‘UNC path injection’ revealed by a former NSA hacker, which was exploited to allow remote attackers to steal victims’ Windows login credentials or take control of the computer to run commands.
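The UNC path issue mentioned above works because a chat client turns a pasted Windows network path (`\\host\share`) into a clickable link, and a click makes the victim's machine open an SMB connection to whatever host the link names. A defensive check that a message-handling pipeline or gateway can run before rendering is shown below. This is an added example written for this article, not Morphisec's, Zoom's or any vendor's code; the regular expressions, the `corp.example` internal-suffix allowlist and the sample message are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# UNC path: \\host\share[\deeper\path], optionally in the long form \\?\UNC\host\share.
# Host and share are captured so a reviewer can see where a click would send the
# victim's SMB client. Commas are excluded so trailing punctuation is not swallowed.
UNC_RE = re.compile(
    r"(?<![\w\\])\\\\(?:\?\\UNC\\)?"        # leading \\ or \\?\UNC\
    r"(?P<host>[A-Za-z0-9._-]+)"            # server name or IP address
    r"\\(?P<share>[^\s\\<>\"|?*,]+)"        # share name
    r"(?:\\[^\s\\<>\"|?*,]+)*"              # optional deeper path segments
)

# file:// URLs with a host component are resolved over SMB by Windows as well.
FILE_URL_RE = re.compile(r"file://(?P<host>[^/\s]+)/(?P<path>[^\s,;)\"'<>]+)", re.IGNORECASE)


@dataclass
class Finding:
    kind: str   # "unc" or "file_url"
    host: str   # host the victim's SMB client would connect to
    share: str  # share (or first path segment for file:// URLs)
    raw: str    # exact text as it appeared in the message


def find_network_paths(text: str) -> list[Finding]:
    """Return every UNC path and file:// URL found in a chat message."""
    findings = [
        Finding("unc", m.group("host"), m.group("share"), m.group(0))
        for m in UNC_RE.finditer(text)
    ]
    findings += [
        Finding("file_url", m.group("host"), m.group("path").split("/")[0], m.group(0))
        for m in FILE_URL_RE.finditer(text)
    ]
    return findings


def is_internal_host(host: str, internal_suffixes: tuple[str, ...] = ("corp.example",)) -> bool:
    """Treat private IPs, single-label (NetBIOS-style) names and names under an
    assumed internal DNS suffix as internal; everything else is external."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        h = host.lower().rstrip(".")
        if "." not in h:
            return True
        return any(h == s or h.endswith("." + s) for s in internal_suffixes)


def sanitize_message(text: str, internal_suffixes: tuple[str, ...] = ("corp.example",)):
    """Replace network paths pointing at external hosts with an inert placeholder
    so the client's auto-linker has nothing to turn into an SMB-triggering link.
    Returns the cleaned text and the list of external findings for alerting."""
    external = [f for f in find_network_paths(text) if not is_internal_host(f.host, internal_suffixes)]
    clean = text
    for f in external:
        clean = clean.replace(f.raw, f"[network path to {f.host} removed]")
    return clean, external


# Constructed sample message mixing internal and external network paths.
SAMPLE_MESSAGE = (
    r"Agenda: \\10.0.0.5\share\agenda.docx, notes at \\share.corp.example\docs\notes.txt, "
    r"deck at \\cdn.zoom-invite.example\updates\deck.lnk and file://cdn.zoom-invite.example/pub/deck.pptx"
)

if __name__ == "__main__":
    cleaned, alerts = sanitize_message(SAMPLE_MESSAGE)
    for a in alerts:
        print(f"ALERT {a.kind}: external host {a.host} share {a.share}")
    print(cleaned)
```

The design choice worth noting is that internal paths are left alone: blocking every UNC path would break legitimate file-sharing in the same chat tool, so the check keys on whether the host is one the organization's machines should be talking SMB to at all.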
Three Critical Cybersecurity Gaps
Although Zoom is the video conferencing app most often in the news right now, its security weaknesses are not unique amongst collaboration apps. If anything, the only reason Zoom is in the news for exploits is its exponential user growth; threat actors see the higher user counts and likely decided to focus on building exploits to cash in. With that in mind, let’s go through the three biggest cybersecurity gaps right now in collaboration tools like Zoom.
1. Collaboration Apps Cannot Patch Vulnerabilities Fast Enough
For the past 20 years, Microsoft Word and Adobe Flash have been two of the most targeted applications for cybercriminals. The reason is that these two pieces of software are ubiquitous, which appeals to financially motivated cybercriminals looking to get the best ROI for their efforts. As a result, Microsoft and Adobe both have armies of security experts on staff to plug vulnerabilities as they appear.
With spending on collaboration applications predicted to exceed $48 billion by 2024, it’s no wonder that cybercriminals see dollar signs in this segment. Unfortunately, collaboration apps are not structured to quickly patch security flaws. The reason is simple: they haven’t been targets until now because their user numbers weren’t high enough to attract threat actors. The other problem facing collaboration app vendors is that there is a severe shortage of security experts worldwide and there are not enough tools to quickly and efficiently find flaws in these tools.
Exploiting collaboration apps can lead to remote code execution, which allows the adversary to run their malicious code on the infected machine. For example, Slack recently experienced an exploit that allowed the adversary to completely exfiltrate messages, contact lists, and every other form of data tied to the messaging application. Zoom has also recently reported several zero-day attacks, including the UNC path exploit and one that enabled attackers to install malware on targeted machines.
With unknown zero-days making up 80% of successful attacks, these widely used tools and their users are relegated to a helpless position.
2. Higher Risk of Browser-Based Attacks
Coupled with risky patching processes is a much higher risk of browser-based attacks, especially for applications like WebEx, GoToMeeting and Zoom that are accessible via a browser. This vulnerability exists because video conferencing and collaboration tools require their own code to be loaded into the browser to support their functionality. As a result, the risk of attack remains high since these vendors do not yet heavily invest in secure coding. This can lead to an attacker abusing the loaded code to eventually execute code remotely on behalf of the browser.
While sandboxing within some browsers may make this method better than relying on the applications, a recent report from Positive Technologies found that nine times out of 10, hackers were able to easily attack website visitors, and a whopping 82% of web application vulnerabilities lie in the web application’s source code.
This high risk of vulnerability via the web browser should give any IT security professional pause. Collaboration apps are at high risk of browser attacks such as drive-by downloads and browser-based phishing. This is especially true today given how exposed many of these applications are to threat actors and the rise in WFH employees.
3. Increased Risk of Successful Social Engineering Attacks
Phishing emails are the most used malware delivery mechanism today. In fact, internal data from Morphisec illustrates phishing campaigns are skyrocketing as malicious parties look to take advantage of a captive audience of work-from-home employees. Between March 8 and April 12, Morphisec saw phishing and adware attacks soar from just 2,000 dt per week to more than 90,000 dt per week.
Collaboration apps, in particular messaging tools like Slack and Microsoft Teams, provide new avenues for these bad actors to deliver phishing attacks and act upon them, while video conferencing apps especially run the risk of being used for social engineering. A successful attack in this context could result in credential-stealing on a remote employee’s machine and, if the user is an admin, the attacker could further their goals in a more streamlined manner.
Of course, adding fuel to the fire is the almost 2,000 domains containing the word ‘Zoom’ that have been created so far this year — even though Zoom isn’t the only target. Enterprises need to be wary of a multitude of new phishing websites that have been developed to exploit vulnerable WFH employees and even parents homeschooling their children.
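One practical way to act on the lookalike-domain statistic above is to scan DNS or proxy logs for hostnames that contain the tool's name but do not resolve to its real registrable domain, including the homoglyph (Cyrillic ‘о’), digit (`z00m`) and `rn`-for-`m` tricks. The check below is an added example written for this article, not code from Morphisec, Zoom or any log vendor; the allowlist of legitimate Zoom domains, the tiny public-suffix table and the Zeek-style sample log lines are constructed for illustration (a production version would use the real Public Suffix List).

```python
import unicodedata

# Assumed allowlist of registrable domains that legitimately belong to the tool.
LEGIT_ZOOM_DOMAINS = {"zoom.us", "zoom.com", "zoomgov.com"}
KEYWORD = "zoom"

# Minimal stand-in for the Public Suffix List, enough for this example.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}

# Characters commonly swapped in for Latin letters in lookalike domains.
CONFUSABLES = {"0": "o", "\u043e": "o", "\u03bf": "o", "1": "l", "\u0456": "i"}


def registrable_domain(host: str) -> str:
    """Return the registrable (owner-controlled) part of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Reduce a hostname to a comparison form: decode punycode labels, apply
    Unicode normalisation, fold confusable characters and the 'rn' -> 'm' trick.
    The 'rn' fold can over-match ordinary words, so it is only used for keyword
    matching, never to decide that a domain is legitimate."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    host = unicodedata.normalize("NFKC", host).lower()
    host = "".join(CONFUSABLES.get(c, c) for c in host)
    return host.replace("rn", "m")


def classify(host: str) -> str:
    """'legit' if owned by the real vendor, 'lookalike' if it merely resembles
    the brand, otherwise 'unrelated'."""
    host = host.lower().rstrip(".")
    if registrable_domain(host) in LEGIT_ZOOM_DOMAINS:
        return "legit"
    if KEYWORD in skeleton(host):
        return "lookalike"
    return "unrelated"


def scan_dns_log(log_text: str) -> list[tuple[str, str, str]]:
    """Parse 'timestamp client qtype qname' lines and return (ts, client, qname)
    for every lookalike query, ready for alerting or blocking."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        if classify(qname) == "lookalike":
            alerts.append((ts, client, qname))
    return alerts


# Punycode A-label for 'zoom' spelt with two Cyrillic 'о' (U+043E), as it would
# appear in a DNS log. Computed here rather than hard-coded.
HOMOGLYPH_LABEL = "z\u043e\u043em".encode("idna").decode("ascii")

# Constructed sample DNS log (Zeek-like: timestamp, client IP, query type, name).
SAMPLE_DNS_LOG = f"""\
2020-04-01T09:12:01Z 10.1.2.3 A zoom.us
2020-04-01T09:12:04Z 10.1.2.3 A us04web.zoom.us
2020-04-01T09:13:17Z 10.1.2.9 A zoom-us-meeting-update.example
2020-04-01T09:13:18Z 10.1.2.9 A {HOMOGLYPH_LABEL}.example
2020-04-01T09:14:02Z 10.1.2.14 A z00m-client.example
2020-04-01T09:14:40Z 10.1.2.14 A zoom.us.login.example
2020-04-01T09:15:11Z 10.1.2.21 A bloom.example
2020-04-01T09:15:59Z 10.1.2.21 A zoorn.example
"""

if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} lookalike domain queried: {qname}")
```

Note the order of the two tests in `classify`: the allowlist is checked on the raw registrable domain, so `zoom.us.login.example` is caught even though it starts with the genuine name, while `us04web.zoom.us` passes because its registrable domain really is `zoom.us`.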
Attackers can use phishing tactics on remote employees to have them install a remote desktop tool, which can then be leveraged to deliver a payload. Just a few short months ago, it was discovered that ConnectWise Control was being abused to deliver the Zeppelin ransomware. So as business operations become virtual, safe browsing behavior becomes more important than ever.
How to Close Collaboration Apps’ Gaps and Counter Higher Security Risk
The world is in the middle of the greatest work-from-home experiment of all time as a result of COVID-19, and collaboration applications will only grow in importance as many enterprises recognize the financial benefits of remote working. This presages a corresponding increase in security risk, which CISOs and other security executives need to account for. To close the security gaps in collaboration apps, companies should:
- Implement basic security hygiene measures such as two-factor authentication for password protection where possible. Also, make sure to standardize on a single video collaboration tool and set it as a hard-line policy among employees. This will help prioritize patching efforts, as well as how to plan for upgrading legacy systems and applications. This is often only a minor inconvenience for employees and goes a long way to prevent breaches.
- Deploy more proactive defense mechanisms that can protect against malicious use of collaboration applications, unlike traditional antivirus protection. Moving target defense is one example of this type of solution, which morphs application memory and protects collaboration apps from cyberattacks by changing the structure of the application on the endpoint. This changes the targeted application from a known to an unknown, complicating the job of the hacker as suddenly they are unable to identify the target application. This also instantly protects collaboration apps against the in-memory exploits, new zero-days, fileless attacks and evasive malware that we expect to proliferate in the coming month.
- Harden endpoints in a deterministic and automatic way to ensure full business continuity against an attack. This is a core feature of moving target defense, enabling security teams to protect applications without human intervention. This makes it easier for remote workers to access the collaboration tools they need when they need them.
Protecting Enterprises from the New Zero-Day Frontier
Despite their importance for enterprises, the reality is that collaboration applications are often unequipped for prime time. Slack, Zoom, Microsoft Teams, WebEx, GoToMeeting, and other tools all have their security flaws and will continue to be exploited now and in the future.
Compared to most other enterprise applications, they simply lack a robust security posture, making them particularly vulnerable to zero-day attacks and evasive malware. But they need to be protected more effectively against the worst cyberattacks. And this is what moving target defense excels at, including automatic hardening of remote endpoints that enables work-from-home employees to access the collaboration apps they need to be productive.
Moving target defense looks tailor-made for this moment, but the protection it provides only lasts as long as the collaboration apps remain in the company toolkit. Far from being an asset just to survive through COVID-19, MTD is — and should be — the centerpiece of an effective, enduring endpoint security strategy.
About the Author
Andrew Homer is VP of Security Strategy at Morphisec and has numerous years of hands-on experience creating strategic technology partnerships and leading teams through growth phases. Prior to Morphisec, he was Director of Business Development and Technology Alliances at RSA, where he led the company’s technology ecosystem, strategic alliances and embedded OEM partnerships. Homer has also held business development positions at Dell, EMC and VMware.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.