A contest in which white-hat security researchers and teams compete to discover bugs in widely used software and services was recently held. The contest, Pwn2Own, surfaced a zero-day vulnerability in Zoom that “can be used to launch remote code execution (RCE) attacks.” (zdnet.com, 2021)
“The researchers from Computest demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. [However, since] Zoom has not yet had time to patch the critical security issue, the specific technical details of the vulnerability are being kept under wraps. However, an animation of the attack in action demonstrates how an attacker was able to open the calculator program of a machine running Zoom following its exploit.” (zdnet.com, 2021)
Zoom thanked the researchers for their discovery and noted that it was already working on repairing elements of the vulnerability, stating that the company was “working to mitigate this issue with respect to Zoom Chat.” (zdnet.com, 2021) Zoom added that “the attack must originate from an accepted external contact or be a part of the target’s same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust.” (zdnet.com, 2021) Finally, it was noted that in-session Zoom meetings and Zoom video webinars did not appear to be affected at this time.
If the Zoom vulnerabilities don’t give you pause, maybe the report that the phone numbers and personal data of 533 million Facebook users were leaked online will. According to Business Insider, “a user in a low-level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free.” (businessinsider.com, 2021)
Samples of the stolen and posted records were checked and confirmed to be genuine user information. “A Facebook spokesperson told Insider that the data had been scraped because of a vulnerability that the company patched in 2019.” (businessinsider.com, 2021)
How it Could Affect You:
Working from home has become the new normal for many companies. For some, this is a permanent transition; for others, it remains in place at least for the foreseeable future. This transition has required the adoption of Zoom and other video conferencing tools into the everyday work environment. Facebook is used by billions of people; whether for personal or professional use, the social site gets a lot of traffic. Unfortunately, the popularity and near-unavoidability of both the site and the software heighten the risk of, and exposure to, these kinds of hacks and vulnerabilities, at both the individual and the company level.
The discovered Zoom vulnerabilities can allow hackers into your company Zoom accounts without any assistance from, or manipulation of, your employees. The Facebook hack can allow any average Joe with malicious intent to impersonate you, use your stolen information, reset your passwords and emails, and lock you out of your personal and company Facebook pages permanently.
Hodgson Can Help:
Hodgson Consulting & Solutions specializes in securing data and information loss prevention for companies with multiple locations and/or a remote workforce. We offer full solutions for your IT needs, not just quick or Band-Aid fixes. Honestly, with the rate and variety of recent wide-scale hacks hitting software that most businesses rely on, Band-Aids simply won’t get the job done. Your business needs more! Hodgson Consulting & Solutions can provide the exact security solutions and IT best practices for your business. Contact us to receive a FREE Dark Web Scan and learn more about our Managed Security Service Plans. Sign up below for your FREE Dark Web Scan today!