While cyber security has always been an important element of the technology industry, it is becoming ever more pertinent because of the risk landscape that COVID-19 has introduced into the workplace. Unsecured networks and unencrypted devices create a perfect storm in a rather large teacup that cyber criminals look to take advantage of.
The risk landscape is massive and is often something that employees are not aware of. This means that there is a significant amount of responsibility that rests on the shoulder of IT departments and Chief Information Officers as they try to mitigate what has become a Wild West Scenario in some companies.
In the midst of all of the risk in the industry, Zoom has taken quite a beating and has become the centre of many cyber-attacks.
An article by zdnet.com points out that hackers have targeted remote workers with fake Zoom downloaders. Cyber attackers have bundled a version of the popular video-conferencing software alongside a backdoor - but you can avoid it by being careful about where you download from.
The article points out that the coronavirus pandemic and resulting lockdowns have led to a rise in remote working, meaning more people are using video-conferencing tools such as Zoom to communicate with colleagues, as well as socialise with friends.
The article adds that the need to work from home is something cyber criminals are attempting to take advantage of and now researchers at cybersecurity company TrendMicro have uncovered a new cyber-criminal campaign attempting to exploit the current circumstances to trick remote workers into installing RevCode WebMonitor RAT.
The researchers stress that the compromised software doesn't come from Zoom's own download centre or any official app stores – rather the downloads come from malicious third-party websites. It's likely that victims are drawn towards the infected downloads by malicious links sent in phishing emails and other messages.
Once the file is downloaded, it runs an installer that delivers the video-conferencing software, as well as executing the WebMonitor remote access tool.
The article points out that the installation of the malicious tool on comprised Windows systems gives attackers a backdoor that allows remote observation of almost any activity that takes place on the machine. That includes keylogging, recording web cam streams and taking screenshots, all things that can be used to steal sensitive personal information.
However, WebMonitor will terminate itself if executed in a virtual environment – a method of defence in an effort to prevent discovery and examination by security researchers. The RAT has been available on underground forums since mid-2017, but the commodity tool is still proving to be successful.
The article points out that, in this case, the way in which it's bundled with a version of Zoom is a means of avoiding suspicions from the user – if they installed the software and it didn't work, they might suspect something was wrong.
But there's still a tell-tale sign that there could be something suspect about the download – the malicious sites push Zoom version 4.6, but now the official Zoom software is running version 5.0, so the version used in the attack is now out of date.
The article adds that packaging malware inside a downloader for legitimate software is a regular tactic for cyber criminals and Zoom is far from the only application that has been used – but attackers are increasingly turning to it because of how popular it has become in recent months.
The best way users can avoid falling victim to this kind of attack is by only downloading installers from official sources – and if you are sent a link to download an app, it's best to visit the official website and download it yourself.
We need to come to terms with the fact that, at the end of the day, people are lazy and will naturally gravitate towards an easy to use online tool more than they will gravitate towards using an application like Skype or Microsoft Teams despite the fact that the latter applications have better security features. This, and the fact that employees still have to attend meetings – virtual or not – has contributed towards the rising popularity of Zoom.
Cyber criminals are trying to trick Zoom users as the video-conferencing platform surges in popularity as a result of the coronavirus pandemic forcing people to work – and socialise – remotely.
March saw the number of daily Zoom meeting participants reach over 200 million, compared to 10 million in December, as people turn to the platform as a means of helping to adjust to life during the COVID-19 outbreak. In many cases, it's being used by people who are working remotely for the first time.
But Zoom's sudden growth in popularity hasn't gone unnoticed and cyber criminals are increasingly targeting users of the platform.
The article points out that, according to data from cybersecurity company BrandShield, the number of domains containing the world 'Zoom' hugely increased during March, with hundreds appearing every day by the end of the month. As many as 2,200 new 'Zoom' domains were registered in March alone, taking the total to over 3 300.
Researchers note that almost a third of these new websites are attached to an email server, which points towards the possibility that they're being used in phishing attacks to harvest login credentials from unwary users.
With remote workers expecting to be sent invites to Zoom conference calls, it's providing opportunities for attackers to send phishing emails containing links to phoney login pages that aim to steal the usernames and passwords entered – something that attackers could exploit to gain access to corporate accounts and to conduct further attacks.
"With global businesses big and small becoming increasingly reliant on video-conferencing facilities like Zoom, sadly, cybercriminals are trying to capitalise," Yoav Kren, CEO of BrandShield told ZDNET.
"Businesses need to educate their employees quickly about the risks they might face, and what to look out for. The cost of successful phishing attacks is bad for a company's balance sheet in the best of times, but at the moment it could be fatal."
The article points out that COVID-19 has become a key lure used in cyberattacks; not only are attackers using fake domains, but the subject has become highly common in phishing attacks. Messages claiming to be from healthcare professionals, logistics providers and others are being used in efforts to steal financial information, install malware and to commit other cyberattacks.
The article adds that the UK's National Cyber Security Centre (NCSC) has previously warned that, as the coronavirus outbreak intensifies, the volume of attacks looking to exploit it will increase and has offered advice on how to spot and deal with suspicious emails.
UK authorities are not just standing by and letting cyber criminals run rampant. An article by ZDNET points out that 2 000 coronavirus scammers taken offline in major phishing crackdown.
As the number of cyber criminals targeting remote workers grows, the National Cyber Security Centre (NCSC) has kicked off a new effort to encourage people to report suspicious emails in an attempt to crack down on fraudsters and phishing scams.
The article added that this has led to record numbers of organisations requiring people to work from home – and in many cases, those employees haven't had any previous experience of working remotely and could be unaware of some of the potential security risks.
Cyber criminals have been quick to pick up on this, with a string of attacks designed to exploit confusion around the sudden shift to home working to help steal passwords and login details or steal sensitive corporate information.
The article points out that now the NCSC, along with the Home Office, the Cabinet Office, the Department for Digital, Culture, Media and Sport (DCMS) and the City of London Police, has launched a 'Suspicious email reporting service' for members of the public to alert the authorities to potential cyberattacks – whether they're coronavirus-themed scams or something else.
If the message does contain suspicious links or addresses, then the NCSC says it will be taken down. The data will also be analysed to try to identify patterns and more quickly takedown new scam websites.
The article adds that this new initiative aims to build on the existing takedown services, which have already removed more than 2,000 online scams related to coronavirus in the last month, including 471 fake online shops selling fraudulent coronavirus-related items, 555 malware distribution sites, 200 phishing sites and 832 advance-fee frauds, where a large sum of money is promised in return for a set-up payment.
"Technology is helping us cope with the coronavirus crisis and will play a role helping us out of it – but that means cybersecurity is more important than ever," NCSC Chief Executive Officer Ciaran Martin told ZDNET.
"That's why we have created a new national reporting service for suspicious emails – and if they link to malicious content, it will be taken down or blocked. By forwarding messages to us, you will be protecting the UK from email scams and cybercrime."
"As we all stay indoors and spend more time online there is more opportunity for criminals to try and trick people into parting with their money," said Commander Karen Baxter of City of London Police.
"Law enforcement are working closely with government to ensure the public, and businesses, are as well-equipped as possible to fight online harms."
Stay cyber aware
The article points out that the email-reporting service has been launched in conjunction with a campaign that encourages people to stay cyber aware and make it as difficult as possible for criminals to steal and use personal or corporate information from home workers. The six tips – detailed in full on the NCSC website – are:
- turn on two-factor authentication for important accounts;
- protect important accounts using a password of three random words,
- create a separate password that you only use for your main email account;
- update the software and apps on your devices regularly (ideally set to 'automatically update');
- save your passwords in your browser; and
- to protect yourself from being held to ransom, back up important data.
Personal security is important too
One thing that COVID-19 has not changed is the debate between lawmakers and techies around end-to-end encryption.
The article points out that has not deferred the emotive debate between lawmakers and the technology industry over the future of end-to-end encryption. Governments led by the U.S., U.K. and Australia are battling the industry to open up “warrant-proof” encryption to law enforcement agencies. The industry argues this will weaken security for all users around the world.
The article adds that WhatsApp has proven the most willing, alongside parent Facebook, to fight for encryption in the courts. And so the platform will be massively buoyed by two surprise boosts this week. And that is equally important for the 2 billion users who rely on the platform to secure their messaging. On the assumption you’re among that number, this should really matter to you.
The article points out that while this debate has been raging for a year, the current “EARN-IT’ bill working its way through the U.S. legislative process is the biggest test yet for the survival of end-to-end encryption in its current form. In short, this would enforce best practices on the industry to “prevent, reduce and respond to” illicit material. There is no way they can do that without breaking their own encryption.
Once the platforms introduce backdoors, those arguing against such a move say, bad guys will inevitably steal the keys. Lawmakers have been clever. No mention of backdoors at all in the proposed legislation or the need to break encryption. If you transmit illegal or dangerous content, they argue, you will be held responsible. You decide how to do that. Clearly there are no options to some form of backdoor.
The article adds that EFF describes this as “a major threat,” warning that “the privacy and security of all users will suffer if U.S. law enforcement achieves its dream of breaking encryption.” And while all major tech platforms deploying end-to-end encryption argue against weakening their security, Facebook has become the champion-in-chief fighting against government moves, supported by Apple and others.
Most Facebook content is not actually end-to-end encrypted, but it owns WhatsApp which is and has been for many years. WhatsApp popularized this level of security, and now carries more end-to-end encrypted messages than anyone else. The platform confirmed this week that it will continue to fight government attempts to change its security in the courts, ensuring that user security is protected.
The article adds that this confirmation came as parent, Facebook, took to the courts in its fight against Israel’s NSO, which it alleges hacked its users, planting spyware on the devices of select targets through WhatsApp. The irony here, of course, is that the security of those users was breached despite end-to-end encryption being in place. WhatsApp has patched several security vulnerabilities in recent months. This was one.
The article points out that the first surprise for WhatsApp came during the release of documents as part of those court proceedings. It transpires that FBI Director, Christopher Wray, once argued in favour of WhatsApp’s security when, as a partner with the firm King & Spalding, he “was hired to ‘analyze and protect’ WhatsApp’s software from a Justice Department effort to weaken its encryption in order to conduct wiretap.” The case was unrelated to this current one, but Wray’s name came up when Facebook was arguing for a conflict as regards King & Spalding’s involvement.
The article adds that the FBI has pointed out that as a lawyer, Wray was hired to advocate for his clients, not to proffer his own opinions. But, even so, the optics are awkward, given that Wray is now a strong advocate of mandated government backdoors. And in that same vein, there has been another surprising twist in favour of end-to-end encryption in the last few days from an unlikely source.