Profile picture
, 11 tweets, 4 min read
My Authors
Read all threads
Zoom Client Leaks Windows Login Credentials to Attackers - by @LawrenceAbrams
bleepingcomputer.com/news/security/…
Security researchers @_g0dmode and @hackerfantastic revealed tonight that the Zoom client is vulnerable to UNC injection that can be used to steal Windows login credentials or attempt to launch a program.
When using Zoom's built-in chat feature, users can send URLs that are automatically converted into clickable hyperlinks. It was also discovered that UNC paths can also be sent and automatically converted to clickable links.
When these links are clicked on, Windows will perform the default actions associated with the link. For URLs, it will open the associated web page with the default browser. For UNC paths, it will attempt to connect to the remote share.
When connecting to remote shares, by default Windows will send a user's login name and information that can be used to recreate the user's NTLM password hash.
If the clicked on UNC server is operated by bad actors, they can sniff the traffic to capture users Windows login credentials as shown by below.
Once a threat actor gains access to the NTLM hash, it's as simple as running it through Hashcat to dehash the password. Now the threat actor has both the user's login name and password.
In addition to NTLM credentials theft, the UNC links can also be used to attempt to launch an executable on a person's computer when they click on a link.
To fix this, Zoom has to make it so UNC paths are not automatically converted into clickable links. Zoom has been notified of this flaw and will most likely issue a new client release soon to fix the issue.
If you do not want to wait for the fix, you can also configure the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' group policy and set it to 'Deny All' to prevent Windows from automatically sending your login credentials.
Article updated with statement from Zoom that they are addressing the UNC issue. Added further information on how DOS device paths can be used to execute a command without showing a MoTW prompt as discovered by @taviso.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with BleepingComputer

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @BleepinComputer see all

Profile picture
BleepingComputer
@BleepinComputer
Security staffing firm, Allied Universal, was breached by Maze Ransomware who is leaking stolen files after ransom wasn't paid

* Stole 5GB of files before encrypting network.
* Demanded 300 bitcoins ($2.3 million) ransom
* No payment. Files being leaked.

bleepingcomputer.com/news/security/…
This is a summary of how the Maze Ransomware crew told BleepingComputer about their breaching of Allied Universal's network and their demands of a $2.3 million ransom. When payment wasn't made, they started leaking the company's stolen files.
Last Friday, BleepingComputer received an email from the Maze Ransomware group who stated that they breached Allied's network, stole unencrypted files, encrypted hundreds of machines, and then demanded a ransom of 300 bitcoins.

If Allied did not pay, Maze would leak their files.
Read 11 tweets
Profile picture
BleepingComputer
@BleepinComputer
STOP Ransomware Decryptor Released for 148 Variants - by @LawrenceAbrams
bleepingcomputer.com/news/security/…
@LawrenceAbrams By partnering with adware bundles that pretend to be cracks, warez, and in some cases free software downloads, the STOP Ransomware is currently the most active ransomware in the wild.
bleepingcomputer.com/news/security/…
Based on data from ID Ransomware, there have been over 100,000 STOP Ransomware victims, but the total amounts are probably much higher.
Read 6 tweets
Profile picture
BleepingComputer
@BleepinComputer
New Fake 'Eva Richter' Resume Spam Aims to Destroy Files - by @LawrenceAbrams
bleepingcomputer.com/news/security/…
A new spam campaign is underway that targets German speaking users with the Ordinypt data destroying malware,
This campaign pretends to be a job application from 'Eva Richter' and has an attached image and zip file containing her resume. From the victims we have seen, the campaign started on approximately 9/11/19.
Read 7 tweets

Related threads

Profile picture
File411
@File411
HOLY CRAP
ht to my Anon
SBI: City of Durham falls victim to Russian ransomware attack : all access into the DCI Network for;
Durham PD lost ALL telephone service
Durham Sheriff’s Office & Comms center.
911 call center is down”

: WRAL.com wral.com/sbi-city-of-du…
cc @IdeaGov @SlickRockWeb @burgessct @VickerySec
Based on (near) real-time network outages they are still down
See recent census data for projected population & impact
The notion that NC’s “The Triangle” is impacted, that’s worrisome
census.gov/quickfacts/fac…
Nasty Nasty Ryuk - please hold for next tweet
Read 8 tweets
Profile picture
Kevin Beaumont
@GossiTheDog
Travelex are working to fix.
There’s a Beeb piece here. bbc.co.uk/news/business-…
Will be interesting to see which bit of Travelex got owned. They operate an FCA regulated B2C payment platform built in AWS (but law of averages would point more towards Emotet or some such on Windows). hostingjournalist.com/video/travelex…
Read 39 tweets
Profile picture
File411
@File411
Well let’s go ahead and take the cyberbull by the horns, shall we?
I would encourage you to read this whole thread,
it’s actually a prerequisite before I tweet something that was recently sent to me and actually stopped me in my tracks
ps IT. IS. NOT. ALWAYS. RUSSIA.
You get that right?
👇🏻Twitter employees spy for KSA👇🏻
Last weekend I tried to help you understand the new-ish NATO- Cyber Report so you might want to reread this thread.
Because you’ll need to knowledge to understand the complexity of what I’m about to talk about.
ps BRB gotta put the little down
Read 13 tweets
Profile picture
Eric JN Ellason
@SlickRockWeb
In Republican Devin Nunes opening statement, he chose to peddle the insane conspiracy theory that Ukraine helped Hillary lose the election to later then have the ability to smear Trump after he won and pin it on Russia (Say What??) #ImpeachmentHearings #ImpeachmentDay
Rep. Devin Nunes also attacked @AlexandraChalup and (as Democratic stooges) witnesses Amb. Bill Taylor and State Dept's George Kent highly respected professionals who have served numerous presidents of BOTH parties with distinction. #ImpeachmentHearings #ImpeachmentDay
I will remind everyone that while Devin Nunes was the Chairman of the Intelligence Committee of the United States in 2017 we & others alerted him 2 the fact that one of his past campaign websites was breached and infected with Russian SEO spam #ImpeachmentHearings #ImpeachmentDay
Read 15 tweets
Profile picture
Friend or Foe?
@starknightz
1. #News ~ It's Official: This Is The Longest Economic Expansion On Record Since First being Tracked in 1854!

THANK YOU PRESIDENT TRUMP!

zerohedge.com/news/2019-06-3…

#Trump #Qanon @realDonaldTrump #WWG1WGA
#Trump2020 #WINNING #MAGA #KAG
2. #News ~ Democrat Kamala Harris Sponsors Bill to Outsource U.S. Jobs to Indian Graduates

ANYTHING TO DO WITH HER MOTHER BEING FROM INDIA?

breitbart.com/2020-election/…

#Trump #Qanon #MONEY
3. #News ~ Dow celebrates best June in 81 years, S&P best in 64 years foxbusiness.com/markets/dow-ce…

#Trump #Qanon @realDonaldTrump #WWG1WGA
#Trump2020 #WINNING #MAGA #KAG
Read 60 tweets
Profile picture
Friend or Foe?
@starknightz
1. #News ~ President Trump overhauls crucial U.S. appeals courts at record pace:
‘It’s a generational change’ washingtontimes.com/news/2019/may/…

#Trump #Qanon @realDonaldTrump #WWG1WGA
#Trump2020 #WINNING #MAGA #KAG
2. #News ~ President White House: Trump to nominate Patrick Shanahan as permanent defense secretary washingtontimes.com/news/2019/may/…

#Trump #Qanon @realDonaldTrump #WWG1WGA
3. #News ~ Denver approves initiative to decriminalize psilocybin mushrooms washingtontimes.com/news/2019/may/…

#Trump #Qanon @realDonaldTrump #WWG1WGA
Read 63 tweets

Trending hashtags

#PARENTS #WarOrPeace #Trump #CHILDREN #MAGA #Abetting #EnemyWithin #PrisonReform #PANIC #FakeNews #WeBuildTheWall #ABETTING #News #TheStormIsUponUS #GunRights #Hoax #Trump2020 #DeleteFacebook #Immigration #CRISIS #Thank_a_Democrat #EnemyOfThePeople #ENEMY #Patriots #Terrorist

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!