Table of Contents

  1. Zoom
    1. Zoom Client Leaks Windows Login Credentials to Attackers
    2. Hackers Take Advantage of Zoom's Popularity to Push Malware
    3. Zoom is Leaking Peoples' Email Addresses and Photos To Strangers
    4. Zoom meetings aren’t end-to-end encrypted, despite marketing
  2. Phishing
    1. Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others
  3. Leaks
    1. Marriott says 5.2M guests exposed in new data breach
  4. Malware
    1. Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit
    2. Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum
    3. Android application found on Google Play Store carrying Windows malware
  5. Vulnerabilities
    1. Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins

Zoom

Zoom Client Leaks Windows Login Credentials to Attackers

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link. When using the Zoom client, meeting participants can communicate with each other by sending text messages through a chat interface. When sending a chat message, any URLs that are sent are converted into hyperlinks so that other members can click on them to open a web page in their default browser. If a user clicks on a UNC path link, Windows will attempt to connect to the remote site using the SMB file-sharing protocol to open the remote file. When doing this, by default Windows will send the user's login name and their NTLM password hash, which can be cracked using free tools like Hashcat to dehash, or reveal, the user's password.

Hackers Take Advantage of Zoom's Popularity to Push Malware

Attackers are attempting to take advantage of Zoom's increasing user base since the COVID-19 outbreak started by registering hundreds of new Zoom-themed domains for malicious purposes. "During the past few weeks, we have witnessed a major increase in new domain registrations with names including 'Zoom', which is one of the most common video communication platforms used around the world," a Check Point Research report says.

Zoom is Leaking Peoples' Email Addresses and Photos To Strangers

Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom. The issue lies in Zoom's "Company Directory" setting, which automatically adds other people to a user's lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company. But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.

Zoom meetings aren’t end-to-end encrypted, despite marketing

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings. Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using "computer audio" instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom's website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption.

Phishing

Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others

A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world's largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.

Leaks

Marriott says 5.2M guests exposed in new data breach

Marriott International Inc said on Tuesday information of about 5.2 million hotel guests was breached, the second such incident for the hotel operator in less than two years. It said the breached information, including contact details, loyalty account information and additional personal details such as gender and birthdays, may have been accessed using the login credentials of two employees at a franchise property. This is the second major data breach involving the hotel chain after the company was fined £99 million for an incident involving 339 million guests.

Malware

Skimming-as-a-Service: Anatomy of a Magecart Attack Toolkit

While following reports on Magecart infections, researchers stumbled upon a very poorly maintained server connected to a very loud operation named Inter. Upon reverse engineering this server, they found themselves in conversation with the hackers themselves who revealed much more information about the Inter toolkit operation. This blog post shares some of the findings and explores how digital skimming is evolving into a service.

Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum

Recorded Future's Insikt Group analyzed advertisements and comments within underground forums to determine popular malware and malware categories within underground forums. Sources include the Recorded Future Platform, as well as open web, dark web, and underground forum research.

Android application found on Google Play Store carrying Windows malware

Recently, Quick Heal Security Labs found an Android application present on the Google Play Store which was infected by Windows malware. The application is meant for Gionee SmartWatch configuration and visualizing the data through App. On further analyzing the App, we found few HTML files which were infected with Windows malware. These infected HTML files were present in the asset folder of APK. This isn't the first time that an Android APK is infected with Windows malware, as there are similar findings from the other researchers as well. But this is first that an official app from a known company is infected.

Vulnerabilities

Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins

A critical privilege escalation vulnerability found in the WordPress SEO Plugin - Rank Math plugin can allow attackers to give administrator privileges to any registered user on one of the 200,000 sites with active installations if left unpatched.