As more people start working from home, they are taking advantage of online conference services like Zoom. Over 500,000 unique Zoom account credentials were discovered on dark web hacker forums. Exposed data includes victims’ email addresses, passwords, personal meeting URLs, and HostKeys, and were likely gathered through credential stuffing attacks.
NJCCIC “The New Jersey Cybersecurity and Communications Integration Cell “ recommends the following when using zoom.
- Require a password for all meetings and securely share that password only with your invited guests. Once set, guests must enter the passcode in order to enter the meeting. This will prevent unauthorized individuals from joining a meeting.
- Use waiting rooms. This allows the meeting host to verify those attempting to gain access to the meeting.
- Do not share your meeting IDs. These are unique to individual users and could be used to determine when a meeting is currently in progress.
- Send links to meetings directly to individuals and do not publicly post meeting links. This could allow unauthorized individuals access to your meeting, particularly when other security settings are not in place.
- Disable participant screen sharing or file sharing. This will prevent your meeting from being hijacked by others and allowing the sharing of inappropriate content.
- Lock meetings once everyone has joined. This will prevent unauthorized users from gaining entry while the call is in session.
- Avoid posting photos of your Zoom meetings. This could provide threat actors with the associated meeting ID and information on who is attending your meetings.
- Disable the “Allow Removed Participants to Rejoin” option. If an unauthorized participant is identified and removed, this will prevent them from regaining access to the meeting using the same account.
- Do not use your Facebook or Google account to sign into Zoom. This will help protect your privacy by limiting the amount of information Zoom, Facebook, and Google can collect about you.
- Beware of Zoom-themed phishing emails. These may purport to be from Zoom and direct the recipient to open a malicious link or attachment in order to deliver malware or steal user credentials.
- Keep Zoom updated. Enhanced security and privacy features may be applied. A recent update enabled meeting passwords by default, for example.
It’s not only Zoom. People are also using RDP (Remote Desktop Protocol) to access their work PCs. The Multi-State Information Sharing and Analysis Center (MS-ISAC) is observing increased exploitation attempts against Remote Desktop Protocol (RDP) vulnerability.
Known Affected Systems
- Windows 2000
- Windows Vista
- Windows XP
- Windows 7
- Windows Server 2003
- Windows Server 2003 R2
- Windows Server 2008
- Windows Server 2008 R2
The MS-ISAC recommends organizations adhere to the following recommendations to limit the potential compromise and impact of CTAs attempting to exploit RDP.
- Ensure the vulnerability is patched and systems are updated, including at home personal systems. Microsoft has released security patches for all affected systems, including those that reached end of support (Control 3.5).
- Enable Network Level Authentication for Windows 7 and Windows Server 2008/2008 R2 (Control 5.1).
- Best practices dictate that RDP should never be public facing and if required, users should VPN into the network before accessing RDP services (Control 5.1).
- Ensure that RDP is not publicly accessible and limit connections to trusted hosts (Control 5.1).
- Restrict RDP logins to authorized non-administrator accounts, where possible. Adhere to the Principle of Least Privilege, ensuring that users have the minimum level of access required to accomplish their duties (Control 4.3).
- Log and review RDP login attempts for anomalous activity and retain these logs for a minimum of 90 days. Ensure that only authorized users are accessing this service (Control 16.13).
- Verify cloud environments adhere to best practices, as defined by the cloud service provider. After the cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose (Control 13.4).
- Perform regular scans to ensure RDP port 3389 remains closed to the Internet (Control 3.1).
- Review Intel Insights: How to Disable Remote Desktop Protocol.