ZOOM Security Plan and DoppelPaymer Ransomware Attack

New cyberattacks continue to roll in the wake of the COVID-19 pandemic, including exploits of the most popular video conferencing service and doubling-down on the DoppelPaymer ransomware strain.

Here’s a quick recap of the latest updates to these attacks and the planned responses.

In the wake of the pandemic lockdown and widespread adoption of videoconferencing to support working from home, Zoom presented a 90-day plan to address users’ security and privacy concerns in the upcoming version 5.0 of its product. The promised improvements include support for end-to-end AES 256-bit GCM encryption to protect user data against tampering and eavesdropping. Zoom will also add data routing controls that let administrators choose the data center through which their network traffic is routed, which will help companies comply with the cross-border data transfer restrictions of the EU’s privacy-oriented General Data Protection Regulation (GDPR).

Zoom will also make improvements to its user interface (UI) and user experience (UX) by adding a security icon on the meeting host’s menu bar for easy access to security controls.

With Zoom’s broad adoption by educational institutions, teachers have wrestled with disruptions like the hijacking of screen sharing and unwanted use of drawing tools by students on the teacher’s shared screen. New default settings for Education, Basic, and single-license Pro accounts will reserve the control of screen sharing and enablement of annotations to the host, and place attendees in a waiting room until the host starts the session.

These new features are designed to stop the growing practice of Zoom-bombing, in which students or outside attackers disrupt sessions by sharing or drawing offensive content, including hateful, violent or otherwise shocking images.  

The recent examples of this practice are many, including an Arizona State University online class hosted on Zoom for 150 students in which one participant started sharing a pornographic video. University of Southern California (USC) President Carol L. Folt also reported that some online lectures in Zoom had been interrupted with racist and vile statements.

Other Zoom-bombing countermeasures will include enabling meeting passwords by default to protect unsolicited access to publicly announced meetings. Account admins will also be able to require greater password complexity, including longer passwords and a mix of alphanumeric and special characters in order to thwart the use of war-dialing hacking tools that can brute-force simpler passwords. More complex password rules will also be enforceable to protect meeting recordings stored in the cloud.

We’re looking forward to seeing the more secure Zoom 5.0 release.

The cybercriminals behind the DoppelPaymer family of ransomware variants claimed that they managed to successfully steal and encrypt municipal government data of Torrance, California, a city of 150,000 near Los Angeles. They have demanded 100 bitcoins (approximately $700,000) in exchange for the key to decrypt and restore the data.

In another example of the increasingly common “double extortion” attack, the criminals have also threatened to leak sensitive data they stole prior to the ransomware attack by publishing it on their Dark Web “Doppel Leaks” site if their payment deadline is not met. To prove that they own the city’s data, they have already published several archives, including financial documents such as the city budget, accounting files, and documents belonging to the City Manager.

The City of Torrance revealed that it had been attacked at 2:30 am on March 1, 2020, but officials stated that no personal data had been leaked at that time.

However, according to the information that the attackers revealed to cybersecurity news site BleepingComputer.com, they claim that they managed to successfully erase backups stored on local servers and encrypt approximately 150 servers and 500 workstations that contained 269,123 files in 8,067 directories, totaling more than 200 GB of data.

The ransomware attack on the City of Torrance demonstrates the necessity of storing backups not only locally but also in the cloud, as well as installing anti-malware solutions capable of identifying an ongoing cyber-attack and blocking it automatically to defend sensitive data even when IT personnel are out of the office.