Research unveiled this week at CPX 360, a security event hosted by Check Point, disclosed vulnerabilities discovered in Zoom’s enterprise video conferencing platform. Zoom issued a bevy of security fixes after researchers said the company’s platform used weak authentication that made it possible for adversaries to join active meetings.
Maya Horowitz, director of threat intelligence with Check Point Research, talked with Threatpost at CPX 360 about the recently disclosed vulnerabilities.
“The main takeaway for online conference platforms is that these companies are in charge of the security of their users and they need to work to secure these environments. Zoom added a password but other actions can be taken as well so that people can’t really abuse these platforms,” she said.
Beyond Zoom’s recent flaw, Horowitz also talked to Threatpost about the challenges of hunting down cybercriminals and making attribution, and the top threats she’s anticipating in 2020 – from ransomware to cloud-infrastructure attacks.
View the full interview below and subscribe to Threatpost’s YouTube Channel.
Below is a lightly-edited transcript of the video interview.
Threatpost: Talk about the recently-discovered Zoom vulnerability.
Maya Horowitz: So as part of our work in Check Point research, we aim at finding vulnerabilities in different popular applications and environments in order to work with the vendors and fix these vulnerabilities before threat actors can use them. So one vulnerability that we recently found was in Zoom. We were able to actually track the way that Zoom randomize their conference numbers and generate these numbers ourselves, and join many different videos or just different conferences that take place on Zoom. We couldn’t really choose which meeting we were going to join. But we did see some meetings of some very famous companies. And of course, we immediately reported it to Zoom and what they did is both to change the way that these numbers work, but also add mandatory passwords to our meetings so that people can’t really use this, this vulnerability right now.
Threatpost: What issues in web conferencing systems overall does this flaw highlight?
MH: So the main takeaway for online conference platforms is that these companies are in charge of the security of their users and they need to work really well to secure these these environments. So what Zoom did was to add a password, but other actions can be taken as well. So that people can’t really abuse these these platforms.
Threatpost: You do alot of work attributing various cyber attacks and campaigns back to various actors in the cybercrime community. When you look at cyber activity, what clues do you look for specifically to pin down attribution?
MH: So the work that we do, and where the threat actors are – that’s, of course, always a “cat and mouse” game. So we always need to find the new text that they’re conducting, and they need to make sure that we don’t find them. So it’s always deploying new technologies from both sides. And as part of that, it’s not just about finding the hacks but also about finding the hackers. So the threat actors now understand that we don’t only want to stop the attacks, but also to find who they are. And so they start to leave smoke screens so that we don’t find who they are or that we think that we found who they are. But actually, we are wrong. So while we look for artifacts like, like the language, the comments in the code were written in. So threat actors from China just might leave comments in Russian so that we get confused. So it’s always pretty hard for us when we find these clues to understand, is it real evidence that we can use or maybe it’s just an artifact left in there to confuse us. So it’s a matter of understanding the authenticity of these clues, and to finding a number of clues all leading to the same direction so that we can really feel comfortable with our attribution and not assume that we might be framing someone for someone else’s job. So it’s really a thin line there that we need to keep.
Threatpost: What are the biggest threats you anticipate in 2020?
MH: So I want to discuss three of the biggest attacks that we’re seeing today, which are ransomware, mobile attacks and attacks on cloud infrastructure. So ransomware [attacks] are actually becoming less and less popular today. So we see less ransomware attacks. But still, the attacks that we do see are becoming more and more aggressive. So these ransomware attacks are kind of, I like to call them “boutique attacks.” So they are attacking some very specific organizations that have lots of data and lots of money, which allows the threat actors to ask for a ransom as high as millions of dollars. And we see that that the numbers vary from, say $100,000, to a few million. So these attacks are becoming very significant. The other type of attack that’s very popular today and is becoming more and more popular every every month is mobile attacks. So while in the last few years we’ve been seeing that there are many adware [variants] for mobile. Right now the threat actors are getting more sophisticated and whatever malware we see for computers we now also see for mobile devices. So it means that even ransomware and of course banking trojans, and information stealers, all of them now have versions for mobile. And these versions are also available on the dark web, meaning that there are more and more threat actors who can actually use them. So these attacks are more severe and more popular. And last but not least, attacks on cloud infrastructure. So, threat actors understand that we as enterprises have started using this technology but haven’t adapted our security technology to the cloud environments. So they are using misconfigurations to actually steal information from cloud environments. These are all the large data breaches that we’re seeing today. And these attacks of course, when they happen, they are catastrophic because all of our data is in the cloud.