Hackers have a new favorite topic of conversation on underground forums: How to obtain – and leverage – valuable credentials for Zoom, Skype, Webex and other web conferencing platforms increasingly used by remote workers.
That’s what Etay Maor, chief security officer at IntSights, has discovered over the past few weeks in his examinations of various underground forums. In his investigations, he’s found troves of recycled Zoom credentials being shared, starting with 2,000 credentials a few weeks ago, and continuing to this week with the discovery of multiple databases uncovered in new, Tuesday research. Maor’s discoveries are similar to those of other researchers, who have previously found as many as 500,000 credentials being sold (for less than a penny each) by cybercriminals. Beyond the trade-off of credentials, underground forums are also abuzz with discussion around launching credential stuffing attacks, phishing campaigns, DDoS attacks and data exfiltration attacks against remote workers – painting a grim picture for users of web conference platforms who don’t stay up to date with the best security practices.
Learn more about what Maor’s investigations into underground forums have revealed about how credentials are being uncovered, shared and leveraged to attack remote workers, in this week’s Threatpost podcast.
Download directly here or listen to the podcast below.
Below find a lightly edited transcript of the podcast.
Lindsey O’Donnell Welch: Hi, everyone, welcome back to the Threatpost podcast. This is Lindsey O’Donnell Welch and I’m joined today by Etay Maor, the chief security officer at IntSights. Etay, thank you so much for coming onto the show today.
Etay Maor: Thank you for having me. Glad to be here.
Lindsey: It’s been an absolute whirlwind of a month for companies who have been moving their workforces online and remote. And along with this heavy shift over to remote work, we’re also seeing a higher usage of platforms like Zoom, like Cisco WebEx, like Skype. And of course, with more people using these conferencing platforms, cybercriminals are all over them as well, whether it’s for phishing or stealing valuable information or other malicious purposes. So Etay from your end, you’ve been looking at underground forums, which is always helpful in that it sheds light on what type of data cybercriminals are looking for, as well as what they’re hoping to do with that data. So tell us a little bit about what you’re seeing in these underground forums right now.
Etay: Right. So actually, one of the first things that we started seeing in terms of the collaboration tools, is we monitor the deep and dark web and one of the things that we look for is to see what type of discussions are there; actually numbers, how many times specific tools and technologies are being mentioned. And what’s interesting is we saw in different forums where criminals were talking, [they] were not talking about any vulnerabilities against targeting Zoom, WebEx and all these conferencing tools. And all of a sudden in January it started climbing and really spiking in March. So it really showed us that the heightened interest that cybercriminals have in collaboration tools. Now, with the current situation, what’s significantly changed is that the entirety of the workforce is working from home, making them even more vulnerable to attacks, because people who work from home don’t have all the protective mechanisms and software and different shields that you get when you work from “inside the the wire,” and so criminals saw the obvious opportunity here to target people at home and target these collaboration tools, that a lot of these companies… have not used before.
Lindsey: Yeah, definitely. And that that does make sense because of just kind of the widening installed base for these different platforms. Now, a few weeks back, you had found that there were more than 2,000 compromised Zoom credentials that were missing being shared on underground forums. And this week, you also came out with a new discovery that multiple other uncovered databases are being shared as well. Now, can you tell us a little bit more about what specifically is being shared here in terms of the specific data?
Etay: Sure. So there have been multiple databases, not just the one that we we uncovered with the 2,000, there are several other significant, pretty large, databases that have been shared. And those credentials include a username and password, in this case, it was for Zoom accounts. In some cases, it also included information like the host key so the password that the owner has, and his virtual room, so the URL to his virtual room. Now because of the fact that the information in the database was not homogeneous, so it was it was different. Some of them were only username and password, some of them were more than that. It pretty much was clear that this was not as a hack into Zoom, nobody stole Zoom’s database. And after further research, what we found out is that the attackers are using old username and passwords, and trying out credential stuffing attacks. What do I mean by credential stuffing attacks? What the attackers are doing, they’re going into old databases, some of them is oldest from 2012, and 2013. You can find these databases in a lot of different underground forums, in some cases, even on the clear web. And what they do is they take the email and passwords from different hacked databases, and they just test them automatically against in this case, again, it was Zoom. And if somebody happened to use the same email and password on a certain application that was hacked in the past on Zoom as well, then the attacker would get a response from the Zoom website saying this username and password are legit, and would reply back and so they collect all these positive replies and compile a new database of Zoom’s specific username and passwords. And they don’t even bother selling it. They’re just sharing it in the underground.
Lindsey: Mm hmm. Yeah. I mean, that was something else I wanted to mention, you know, this concept of sharing as opposed to selling. Why might a cybercriminal be doing that? Is it just to show that they’re able to or what’s kind of the purpose there?
Etay: Yeah. So you have to keep in mind that the criminal underground is a highly collaborative ecosystem. In fact, in some of these forums, if you even if you are able to get in them, they will kick you out unless you buy something, sell something or collaborate and share information. And so in many cases, these types of sharing are, as you mentioned, just to show that I can, in other cases, just to get some, some credibility with other forum members. And in other cases, it is really just to collaborate and “hey, you can use this for free.” It doesn’t take a lot of effort for them to create these databases. Unfortunately, they’re very good at communicating, helping each other out. I mean, I’ve seen some underground forums where I’ve seen different threat actors from countries which are war with each other, and they collaborate because there’s money at the end of the day to be made. So yeah, it’s simply out there for free.
Lindsey: Can you talk a little bit about what kind of impact that this access to these credentials gives for cybercriminals? I mean, what kind of malicious activities would this help cybercriminals carry out?
Etay: So in the case of Zoom, it applies to also other collaboration tools, but let’s take the Zoom example, if an attacker has a username and password to a company’s Zoom account, I can think about it in three different layers of aggression that he can approach this layer number one is more around what we’ve seen, like Zoom bombings, just go on to a meeting, and blast music or videos and annoy everybody, like a denial of service attack. Pretty low grade stuff. More delicious than that is potentially you can use that username and password to join a meeting. Let’s say 5, 10 minutes after it started. Hopefully, we can just try and access the meetings. And usually if somebody is already in a meeting, they won’t notice that a new person came in, especially if like there’s a presentation in full screen mode, and you can just eavesdrop. So you can use this to eavesdrop on company meetings. And I think the more aggressive approach to use this is similar to what we call business email compromise. You can use this this credentials to impersonate somebody within the company. So potentially you could ask somebody to send money or maybe send you a presentation or some files. So you can impersonate a new social engineering technique to really spy and collect information from from the enterprise.
Lindsey: Right. And it’s interesting that you bring it up because obviously Zoom bombing or kind of the DDoS angle there has been garnering widespread news coverage, and rightly so in certain cases. But I would say that the other two types of attacks that you mentioned, which is kind of the social engineering purposes and the access to the sensitive files or data are very serious ones as well and and even a little more serious there. Now, one interesting development that you had mentioned in your research was several popular cybercrime forums had actually – the administrators had actually decided to ban any user from discussing or selling Zoom credentials and attacks. So can you talk a little bit about what you were seeing there and kind of why this is happening?
Etay: Yeah. So we have seen this type of activity by them in the past where they banned certain discussions if they thought that it would get them negative press. For example, almost all of these underground hacking and cybercrime forums ban any form of for example, pedophilia, which you know, is understandable. And so there are certain rules, it’s not a complete mayhem in these forums, there are administrators, there are moderators and they want to keep the discussions clean, so to speak, you know, only only crime focused. Now, if they get too much attention in some cases, like this case, this specific forum was quoted in the media and they didn’t like the spotlight shining on them. And so they’re now banning and any discussion around this specific topic, because you know, they don’t want to be in the media. They don’t want to get this this coverage. We’ve seen this in other forums. It’s sometimes technology based, in some cases it’s regional based, for example, it’s a well known rule that Russian criminals don’t attack Russia. I think it’s pretty obvious why as well. So they do have these limitations and these rules and guidelines in different forums based on what you’re allowed or not allowed to do.
Lindsey: And in terms of other types of credentials from other types of collaboration apps, are you seeing anything that either different or the same in terms of you know, Slack or Skype or WebEx or some of the other ones?
Etay: So we’ve definitely seen discussions around vulnerabilities and exploits against WebEx. We’ve seen phishing attacks targeting WebEx as well. I’ll tell you what really kind of, doesn’t worry me, but where I think this is going, the fact that the attackers are now automating their attacks and using these credential stuffing attacks to recycle old passwords and test them on on these applications. This is not a new technique. But since now everybody’s working from home. And even when things calm down and we start going back to workplaces, there’s still going to be a change. A lot of people still continue working from home, a lot more people are going to be using these collaboration tools. And I think we’ll see a lot more of these types of, “hey, let’s see if the old username and password work on these other applications.” And for me, as a security researcher, we’ve been saying this for a long time in the security industry, you need a strong password, but don’t make a strong password the same one over and over and over again, because that makes it inherently weak. It doesn’t doesn’t matter how long it is, if you reuse it, then the attacker can try and use it on other applications. And unfortunately, it’s working for them right now. So I think we’ll see more of these types of attacks regardless of the collaboration tool. They’re going to try to use it and and get access.
Lindsey: Right, yeah, it kind of defeats the purpose if you have a strong password but then you’re using it on every single one of your platforms.
Etay: Yeah. And I get it. I know it’s hard to remember these passwords and, there are solutions to that, you have things like password wallets, but not everybody wants to use a password wallet. So I get that it’s it’s complicated, but we have to understand that there are risks involved in that. And if I can add another thing here is there’s also stuff that can be done proactively to help against these types of attacks both both from the application developer side, as well as from our side. For example, if a certain service offers you two-factor authentication, use it. That will help you because the attacker when he tries to log into your account won’t be able to overcome the two-factor authentication, the one time password challenge from the vendor, the software vendor side, if you’re developing such an application, say like Zoom, if you force some sort of CAPTCHA during the login process, then these automated attacks can’t happen because they won’t be able to unlock the CAPTCHA question and even try the username and password. So there are things that we can do. But we just have to put a little bit of extra effort into it.
Lindsey: Right, I was actually just about to ask you know if there any further security precautions or measures that you would recommend, not just for Zoom users, but just as best practices kind of across the board.
Etay: Yes. So several recommendations going from general ones to the applications. First of all, let’s start with basic security hygiene. Make sure your system is patched and up to date. A lot of vulnerabilities and exploits utilize the fact that people don’t update their software and so they can attack old software versions, so make sure everything is patched, is up to date. Also, if your company provides you with any security measures, don’t be the hacker that overcomes them. I’ve already heard discussions from different people saying oh, we have a VPN but we’re not going to use it, it’s too slow, no, that really helps in certain types of attacks. So make sure that you utilize the technologies that are given given to you by your organization. Of course, also, if you’re working from home, don’t use your personal computer if somebody assigned a laptop to you because that laptop may have some additional security capabilities that your personal computer does not have. Now, if we move from the device side to the application, then yes, utilize if you have the option of using two-factor authentication, one-time passwords, use that, there’s nothing 100 percent proof that I’ll tell you that once you use it, 100 percent of your the attacks will stop. But what it will definitely do is it will not make you the lower hanging fruit for the attacker. Because overcoming a username and password versus overcoming a username and password and a one time password is a significant difference. So do use these extra capabilities. And one more thing. When you install any new software, when you install any new hardware in your house like a router, take the couple of minutes to sit down and look at the security settings. A lot of these applications, including some of the ones that we’ve discussed, there, there are security options, but they’re very lax. If you do the regular installation, go in there and make sure that you shut down things that you don’t feel comfortable with. When you install a home router, make sure that you change the default password and maybe close down some things that shouldn’t be open. Again, it will not bulletproof you for everything, but it will make you a harder target.
Lindsey: Right. Yeah, those are really good points, especially as more employees are going remote and working remotely. So before we wrap up, I just wanted to ask, is there any other takeaways that you’re seeing in terms of trends on the underground forums that you’re looking at, that we should kind of be on the lookout for as it relates to remote work and certain threats that remote workers may be facing?
Etay: I think we should just be aware that there is a very lively and informative underground community that talks about these things that shares information, they post the different articles you see on mainstream media, and they discuss, how to take advantage of it. One of the first indications, it was actually very early in January, somebody on the forum said, “Hey, this COVID-19 situation looks to be getting bigger. Does anybody have a phishing template that I can use that will say it’s a coronavirus website that you can check if how many people have been infected?” So they started very early, about three months ago already designing these things. These kinds of opportunities don’t go over their head, they see them and they utilize them. So please be aware of these types of threats. Be aware that there are bad guys out there trying to take advantage of it, and if there is a doubt, if you see an email, a piece of software for your phone or for your PC, that looks even remotely not right don’t click it. Take another minute to do some checks and look around and make sure that it is indeed legitimate because there are those people out there who are actively trying to target.
Lindsey: You know, I know that cyber criminals are usually on top of, you know, tax filing season or elections or whatnot when it comes to phishing, but it really seems like they’ve doubled down on everything that’s happening with coronavirus or with you know, financial stimulus packages. And in this case, like Zoom and some of the other ones it doesn’t seem like this is going to be going away anytime soon.
Etay: No, they have an opportunity, they are fully utilizing it. You mentioned the the stimulus package, they have started discussions around that as well. They couldn’t lead a good opportunity to get away from their hand. And I mean, the fact that people have a lot of fear when it comes to coronavirus, who is infected and what are the numbers, they of course try to take advantage of it and utilize it for making money and hacking into accounts.
Lindsey: Right, well, something to be on the lookout for from the defensive side. So, on that note, Etay thank you so much again for coming on to the Threatpost podcast to talk a little bit about what you’re seeing in terms of collaboration platform credentials on underground forums.
Etay: Thank you very much for having me.
Lindsey: Great. And to all our listeners. Thank you for joining us today. If you’ve liked what you’ve heard here today, be sure to share this episode on social media and catch us next week on the Threatpost podcast.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.