Cybercriminals are reportedly selling two undocumented critical Zoom exploits that allow an attacker to infect systems and eavesdrop on users’ communications.
As if the previously discovered Zoom security flaws weren’t enough to make people think twice before opting for this virtual conferencing service, analysts have recently bumped into a shady offer circulating in the cybercriminal underground. Hackers have put two critical Zoom zero-day exploits up for sale, so any interested party with a sizable budget on their hands can buy and weaponize them. According to researchers’ findings based on conversations with several sources keeping tabs on this shady market, one of the exploits is designed for Windows and the other for macOS clients of the controversial tool in question. The code of these offensive instruments hasn’t surfaced at the time of publication and the unscrupulous brokers are busy contacting potential buyers with the offer.
For the record, zero-day exploits (also referred to as zero-days or 0days) take advantage of flaws in software or hardware that neither the vendor nor the security community is aware of. These loopholes can be leveraged by an adversary to compromise targets by gaining unauthorized access or installing malware. Depending on the type of software affected, such exploits can cost a fortune, with the price reaching millions of dollars in some cases.
The popularity of Zoom has been steadily soaring since the coronavirus outbreak. The reason is obvious – numerous organizations have switched to teleworking and heavily rely on tools that allow their teams to communicate remotely. The spike in the use of Zoom software has exposed serious issues with its security implementations. In early April, we reported on two flaws that could enable local privilege escalation on Mac computers and provide a malefactor with access to the microphone and camera. It turned out that these bugs were just the tip of the iceberg.
One of the zero-days that perpetrators have recently put up for sale is designed to perform remote code execution (RCE) on Windows PCs. If leveraged by a competent attacker, it can enable surreptitious malware installation on an affected machine. To top it off, the impact isn’t restricted to the vulnerable app – it can be used to gain a foothold in the entire system. According to analysts, this exploit is being offered for a whopping $500,000. Although that’s a lot of money, malicious actors involved in industrial espionage may be able to get the most out of such foul play. The one limitation of this attack vector is that it cannot be executed unless the adversary is in a Zoom call with the would-be victim.
As per researchers’ insights, the Zoom zero-day exploit for Mac isn’t as dangerous as its Windows counterpart because it cannot pave a hacker’s way towards RCE. Its price isn’t known at this point. The most likely use case is eavesdropping on targets’ virtual conferences to try and steal corporate secrets. This could be a serious issue down the road, too.
In response to these disconcerting reports, the provider of Zoom software has stated that they are investigating the rumors 24/7 and haven’t yet discovered any evidence confirming these claims. However, the problem with zero-days is that they typically remain unknown until threat actors employ them in real-world attacks. If these two flaws actually exist, hopefully they will be patched before another cybercriminal group adds them to their repertoire.