Pierluigi Paganini April 12, 2020

Security researchers discovered an archive available on a dark web forum that includes thousands of compromised Zoom credentials.

Researchers discovered a database available on an underground forum in the dark web that contained more than 2,300 compromised Zoom credentials.

Some of the records also included meeting IDs, names and host keys.

The archive included credentials for Zoom accounts belonging to organizations in various industries, including banking, consultancy, healthcare software companies.

“In a recent investigation of deep and dark web forums, IntSights researchers came across a cybercriminal who shared a database containing more than 2300 usernames and passwords to Zoom accounts.” reads the report published by security firm IntSights. “An analysis of the database revealed that aside from personal accounts, there were many corporate accounts belonging to banks, consultancy companies, educational facilities, healthcare providers, and software vendors, amongst others. While some of the accounts “only” included an email and password, others included meeting IDs, names and host keys.”

Experts noticed that several posts and threads discussed how to targeting Zoom’s conferencing services. Most debated uses are Zoom checkers and credential stuffing. Checking services are used in credit card fraud ­to check whether a stolen credit card is “fresh” by making a micro-donation.

Credential stuffing attacks are a form of brute force attack that leverages stolen login credentials usually obtained through phishing attacks and data breaches. The availability of Zoom accounts could allow attackers to harvest additional data regarding the account, one of the participants in a discussion suggested using a Zoom-specific configuration of OpenBullet.

OpenBullet is a web testing suite that can be used to scrape and parse data, to conduct automated pen testing and more.

At the time it is still unclear the source of the Zoom credentials, but experts believe it was not stolen from the company Zoom.

Compromised credentials could be also used to launch denial-of-service attacks, they could join meetings and interfere with the meeting by blasting music or videos, a practice that is also known as “Zoom bombing.”

A few days ago, security firm Sixgill reported the availability of a collection of 352 compromised Zoom accounts on dark web forum. 

Video conferencing platforms are under attack due to the spike in the use after the Coronavirus outbreak.

The Cofense’s phishing defense center has uncovered an ongoing phishing campaign that uses a Cisco security advisory related to a critical vulnerability as a lure. The phishing messages urge victims to install the “update,” but it is a malware designed credentials for Cisco’s Webex web conferencing platform.

Threat actors use this bait because attempt to take advantage of Coronavirus pandemic that forced most of the companies to adopt the smart-working.

“With much of the global workforce confined to work from home using collaboration and conferencing tools to keep businesses running, threat actors are increasingly looking for ways to take advantage of the situation and target people, processes and technologies.” concludes the report. “Implementing a cyber threat intelligence strategy which is based on the collection, analysis and dissemination of reliable, timely and actionable intelligence is a core component for any cyber security program that aims to be proactive rather than reactive and defend forward.”

Pierluigi Paganini

(SecurityAffairs – Zoom, Dark web)

[adrotate banner=”5″]

[adrotate banner=”13″]