Zoom Bombing Attack Hits U.S. Government Meeting

A recent U.S. House Oversight Committee meeting was the latest victim of Zoom bombing, according to an internal letter.

A U.S. House Oversight Committee meeting was the most recent victim of a Zoom bombing attack, after the meeting was disrupted at least three different times by uninvited attendees.

The incident was disclosed in a recent internal letter from Jim Jordan (R-Ohio) to Carolyn Maloney (R-NY), chairwoman for the Committee on Oversight and Reform, which is the main investigative committee in the U.S. House of Representatives.

“In spite of the warnings by the FBI and media outlets, on April 3, 2020, you held a Zoom-hosted Member briefing on women’s rights in Afghanistan with the Special Inspector General for Afghanistan Reconstruction (SIGAR),” the letter said to Maloney. “During this important briefing, the session was ‘Zoom-bombed’ at least three times. The impact of hacking and malware on Member and staff devices is still being determined.”

The letter does not specify what the Zoom bombers did after they interrupted the meeting, or whether any sensitive data was accessed.

Jordan cited this recent incident, as well as China’s involvement with Zoom, as major security issues, and called for government officials to “immediately suspend any current or future use of Zoom systems for official committee activities and take immediate steps to evaluate the Committee’s internal cybersecurity preparedness to prevent hackers from accessing sensitive committee information through the Zoom platform.”

With the coronavirus pandemic driving more organizations to “flatten the curve” by going remote – and thus using Zoom and other web conferencing platforms – trolls are taking advantage by hijacking online meetings. Previous reports of Zoom bombing incidents have pointed to the trolls spreading hate speech such as racist messages, threats of sexual harassment, and pornographic images, which have reportedly driven meeting participants offline or forced meetings to be abruptly cancelled.

But for a government meeting, during which sensitive data may be shared, the stakes are higher than mere trolling. The issue of governments utilizing Zoom – and their knowledge around how to secure Zoom meetings – was hit with a media spotlight after UK prime minister Boris Johnson tweeted a picture of his Zoom meeting in which the meeting ID was visible.

Government officials are taking note of the threat. The Senate Sergeant at Arms this week warned that Zoom posed the threat of “potential compromise of systems and loss of data, interruptions during a conference and lack of privacy,” according to the letter. Furthermore, the Senate Sergeant at Arms noted that no Zoom product was vetted or cleared for use by Senate offices.

Zoom bombing has been spiking over the past few weeks, despite the FBI cracking down on the issue and warning that those who take part in Zoom bombing could face jail time. A recent report by ZDNet pointed to attackers gathering in online communities (such as Discord, Reddit and more) to share Zoom conference codes or make Zoom bombing requests against certain online classes, for instance. Many of these attackers are teenagers, according to a recent PCMag report, with some even live streaming their attacks on Twitch.

Zoom’s platform overall has also come under fire for security and privacy shortcomings over the past month. Most recently, the Ministry of Home Affairs for India issued an advisory for those who want to use Zoom, saying it’s “not a safe platform.”

In the midst of this fallout, Zoom is taking steps to improve its security, including recruiting an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel. Zoom has also sought to improve its bug bounty program, bringing on bug bounty expert and Luta Security founder Katie Moussouris to assess its bug bounty program. As part of these improvements, Zoom is introducing a new feature that lets users report Zoom bombers. This feature will be introduced next week, as a “Report a User” security icon in the lower toolbar.


Discussion

  • K on

    I wonder if these bombings occurred because they didn't secure their meeting links.
  • Hugo on

    It's sad to see how hackers are taking advantage of this crisis, and also very interesting how a company like ZOOM wasn't ready with a security suite to overcome the attacks. Were they just prepared for the known ones? How do you prepare for the unknown? #cybersecurity #rthreat #zerodayattack
  • Jen on

    We had a big Zoom meeting yesterday for a PhD student dissertation. It was bombed with awful child porn featuring an infant. I am in counseling; I can never unsee what I saw. This is much more severe than people think.
  • Ryan on

    Ok, I understand that you feel like you need to report this. But it is OLD NEWS. Yes, Zoom HAD security issues. Yes, Zoom FIXED the issues. But that was several weeks ago. Passwords are now default. Waiting room is now default. If you aren't using the default security settings, it's YOUR fault, and it's NOT NEWS. Just stop.
  • Don on

    Ok.. it has to be said... Ryan is 100% correct here, but NOT ONLY that, but this "ZOOMBOMBING" term is getting annoying. ANY conference tool is weak to this when no password is set up for the meeting. STOP sensationalizing bad terms.
  • Don on

    @Jen Whoever set up your meeting failed at their responsibility. Zoom - like ANY conference tool - has a password settable for any meeting. Think of it this way. Every meeting has a 10-digit number. If you refuse to take the most basic approach - using a password on the meeting - and someone guesses that 10-digit number, whose fault is it? While you're figuring that out, think on this: the same weakness applies to WebEx, Skype, GoTo... any other meeting platform that allows you to not set a password for meetings (and believe me, most do). Stop blaming Zoom because you refused to take basic steps to ensure the security of your meeting.
