Zoom Security Alert: Top Tips to Shield Yourself from Cyber Threats
With the surge in remote work due to coronavirus precautions, online communication platforms have seen a significant uptick in usage. Unfortunately, this has also opened up opportunities for attackers to deceive users and compromise systems. Zoom, one of the most popular communication platforms, has become a prime target. Attackers are crafting fake Zoom meetings using domain names that include “Zoom,” tricking users into joining these meetings through social engineering tactics. The similarity in domain names makes these fake meetings convincing, with the ultimate goal of making users download malicious software from the fake platform.
Check Point reported that over 1700 domain names containing “Zoom” have been registered since the start of the pandemic, with 4% of these domains being suspicious. Malicious files with names like “zoom-us-zoom_#########.exe” and “microsoft-teams_V#mu#D_##########.exe” have been detected. When executed, these files install a malicious software called PUA:Win32/InstallCore on the target systems. (The # symbol in the malware name represents random numbers.)
Steps to Avoid These Attacks
- Be cautious of emails and files from unknown senders.
- Avoid opening unknown files and clicking on links in unknown emails.
- Pay attention to similar domain names, spelling errors in emails and websites, and unknown email senders.
- Ensure that products purchased online are from original sources.
- Use an architecture that provides end-to-end protection against zero-day attacks.
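As an added example (not from Check Point or the original article), a small Python triage helper that flags a download URL when its host is a lookalike domain containing "zoom" that is not the legitimate site, or when its filename matches the lure patterns described above; the allow-list of legitimate hosts and the sample URLs are assumptions/constructed values:

```python
import re
from urllib.parse import urlparse

# Filename patterns from the report; the '#' runs in the report are random digits.
MALICIOUS_NAME_PATTERNS = [
    re.compile(r"^zoom-us-zoom_\d+\.exe$", re.IGNORECASE),
    re.compile(r"^microsoft-teams_V\d+mu\d+D_\d+\.exe$", re.IGNORECASE),
]

# Assumed allow-list of legitimate download hosts (adjust for your environment).
LEGIT_HOSTS = {"zoom.us", "teams.microsoft.com"}


def is_lookalike_host(host: str) -> bool:
    """True if the host contains 'zoom' but is not a legitimate host or a subdomain of one."""
    host = host.lower().rstrip(".")
    if any(host == h or host.endswith("." + h) for h in LEGIT_HOSTS):
        return False
    return "zoom" in host


def is_suspicious_filename(name: str) -> bool:
    """True if the filename matches one of the reported lure patterns."""
    return any(p.match(name) for p in MALICIOUS_NAME_PATTERNS)


def triage_download(url: str) -> list[str]:
    """Return the reasons a download URL looks like the fake-Zoom lure (empty list if none)."""
    parsed = urlparse(url)
    reasons = []
    if is_lookalike_host(parsed.hostname or ""):
        reasons.append(f"lookalike host: {parsed.hostname}")
    filename = parsed.path.rsplit("/", 1)[-1]
    if is_suspicious_filename(filename):
        reasons.append(f"known lure filename pattern: {filename}")
    return reasons


# Constructed sample URLs for demonstration; these are not real indicators.
SAMPLE_URLS = [
    "https://zoom.us/client/latest/ZoomInstaller.exe",
    "https://zoom-meeting-download.example/zoom-us-zoom_123456789.exe",
    "http://zoomus-join.example/microsoft-teams_V1mu2D_0123456789.exe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", triage_download(u) or ["ok"])
```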
Additionally, a critical ‘UNC path injection’ vulnerability has been discovered that endangers the Windows credentials of Zoom client users. Attackers exploiting it can obtain Windows usernames and NTLM password hashes using the SMBRelay technique. The vulnerability arises because the Zoom client on Windows converts URLs in chat messages into clickable links and treats UNC file paths the same way. Attackers send a link of the form \\x.x.x.x\file to target users and wait for them to click; once clicked, the Windows credentials are obtained. No patch has been released for this vulnerability yet. It is recommended to use an alternative communication platform or to access Zoom through a web browser until a patch is available.
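To make the root cause concrete, here is an added Python illustration (not Zoom's code) of a chat linkifier with the behaviour described above beside a hardened version that only turns http(s) URLs into links, plus a detection helper for spotting UNC paths in chat logs; the regexes and the sample message are my own constructions, and the address in it is a placeholder:

```python
import re

# Text a chat client might turn into clickable links.
HTTP_URL = re.compile(r"https?://[^\s<>\"]+")
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s<>\"]*")  # \\host\share\file


def linkify_vulnerable(message: str) -> list[tuple[str, str]]:
    """Behaviour described in the text: web URLs AND UNC paths become clickable links.
    Opening a UNC link makes Windows connect to the remote share over SMB and
    authenticate with the current user's credentials, which is what leaks the NTLM hash."""
    links = [("http", m.group(0)) for m in HTTP_URL.finditer(message)]
    links += [("unc", m.group(0)) for m in UNC_PATH.finditer(message)]
    return links


def linkify_hardened(message: str) -> list[tuple[str, str]]:
    """Hardened version: only http(s) URLs are linkified; a UNC path stays inert text."""
    return [("http", m.group(0)) for m in HTTP_URL.finditer(message)]


def contains_unc_path(message: str) -> bool:
    """Detection helper for chat-log review or DLP rules: does the message carry a UNC path?"""
    return UNC_PATH.search(message) is not None


# Constructed sample message; 203.0.113.7 is a documentation address, not a real indicator.
SAMPLE = r"Slides here: https://example.org/deck and the notes: \\203.0.113.7\share\notes.docx"

if __name__ == "__main__":
    print("vulnerable:", linkify_vulnerable(SAMPLE))
    print("hardened:  ", linkify_hardened(SAMPLE))
    print("UNC present:", contains_unc_path(SAMPLE))
```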
Marriott Data Breach Affects 5.2 Million Customers
Marriott, an international hotel chain, experienced a data breach affecting approximately 5.2 million hotel guests. The breach involved the use of two employees’ credentials to access guest information. An investigation was launched, and the credentials were deactivated. The leaked information includes:
- Guest contact information
- Hotel guest names
- Mailing addresses
- Email addresses
- Phone numbers
- Account numbers
- Loyalty point balances
- Gender information
- Dates of birth
Marriott stated that the investigation is ongoing and that account passwords, credit card information, and passport details were not accessed. They have set up a portal for guests to check if their personal information was compromised and are offering a free one-year subscription to the IdentityWorks personal information monitoring service for affected users.
Zero-Day Vulnerabilities Detected in DrayTek Devices
Two zero-day vulnerabilities have been detected in enterprise network devices produced by DrayTek, a Taiwanese company. These vulnerabilities affect DrayTek Vigor enterprise switches, load balancers, routers, and VPN gateway devices. The vulnerabilities allow attackers to perform remote “command injection” attacks, enabling them to monitor the enterprise network and create backdoors on network devices.
No patch has been released for the latest versions of DrayTek network devices. One vulnerability is found in the keyPath and rtick parameters in the /www/cgi-bin/mainfunction.cgi file, and the other is in the web server program /usr/bin/lighttpd. NetLab researchers confirmed that one group of attackers is using the vulnerability for espionage, while the other group is performing remote command injection attacks using the rtick parameter vulnerability. The second group has:
- Created an SSH backdoor on TCP ports 22335 and 32459
- Established a persistent web session backdoor
- Created a user on the system with the credentials “wuwuhanhan:caonimuqin”
Users are advised to update their Vigor2960, Vigor300B, Vigor3900 software, and DrayTek switch software to the latest versions to avoid being affected by the security vulnerability.
Backdoor Installed on Thousands of MSSQL Servers
The Guardicore Labs team detected an attack campaign that has been targeting MSSQL servers since 2018 and named it Vollgar for easier tracking. Vollgar targets internet-exposed MSSQL servers, breaking into those that use weak username/password combinations and installing various malicious software, including remote access tools (RATs) and cryptominers. The attacker group incorporates the compromised servers into its botnet.
Guardicore reported that the attackers have successfully added approximately 2,000-3,000 database servers daily to their botnet in recent weeks. The affected servers belong to various companies in healthcare, aviation, IT, and telecommunications, located in China, India, the US, South Korea, and Turkey.
To check whether your internet-exposed MSSQL servers are affected by these attacks, you can use the PowerShell script provided by the Guardicore Labs team to detect Vollgar’s traces. You can download the script here.
To avoid such attacks, it is recommended not to expose your MSSQL server to the internet and to use strong passwords for your accounts.