User Credentials Hack from Collaboration Tools and Distributed in Underground Forums

Thousands of Zoom credentials were compromised and found in underground forums as cybercriminals look to get hands on the vast remote workforce.

Investigators has identified thousands of Zoom credentials shared in underground forums. Hundreds and thousands of compromised Zoom credentials were discovered. The database contained username and passwords for Zoom accounts, including corporate accounts belonging to banks, consultancy companies, educational institutes, healthcare providers and software vendors. Some of the accounts include meeting IDs, name and host keys in addition to credentials.

“One of the more noteworthy findings in the discovery is the stark increase in chatter concerning vulnerabilities and exploits pertaining to video conferencing and collaboration tools in deep and dark web forums,” said investigators with IntSights. “Realizing most of the workforce is now required to do their jobs from home, threat actors are actively looking for ways to gain access to collaboration and communication tools, like Zoom.”

In a recent post, it was also discovered that besides Zoom user credentials, other collaboration tools like Skype, Webex and other web conferencing platforms were also attempted to hack. A reporter from Threatpost, Lindsey O’Donnell took an interview of Etay Maor, Chief Security Officer of IntSight, recently and published a report on it. Maor did an investigation research on the issue and discovered that many recycled Zoom credentials were shared in dark web, starting with 2,000 credentials a few weeks ago and continued this week with multiple new databases. Maor’s discovery resembles the discovery of other researches who previously identified about 500,000 Zoom credentials were sold for less than a penny each.

Compromised Zoom credentials can give cybercriminals access to web conference calls where sensitive files, intellectual property data and financial information are shared. Even healthcare providers share patients sensitive information in web conference calls. Video data were also compromised in this effort where criminals can use face recognition technology to get access to users social media information.

“If the attacker can identify the person whose account he has taken over (and that doesn’t take too much time – just use Google and LinkedIn), then the attacker can potentially impersonate that person and set up meetings with other company employees,” Maor told Threatpost.

“Criminals can use these types of compromised information to run denial-or-service (DOS) attack where they can just join meetings and blast music or videos to interfere with the meeting”, said Maor. This practice is called “Zoom Booming” and has been in increase for the past few weeks, ever since general workforce started to work from home. FBI has stated an investigation on this issue and has already declared jail time for persons taking part in “Zoom Booming”.