Video conferencing services, including Zoom, have become increasingly popular now that many more employees are working remotely. Security researcher @_g0dmode is credited with discovering a potential attack vector against Zoom users that was later verified by UK security researcher Matthew Hickey. An attacker must be a participant in the Zoom call and must convince other participants to click a link sent through a chat message in order to use this attack method, which limits its potential impact. The issue lies in the fact that the Zoom client converts Windows networking Universal Naming Convention (UNC) paths into clickable links. If such a link is clicked, Windows will try to connect to the remote host using the Server Message Block (SMB) network file-sharing protocol, and by default Windows will send the user's login name and NT LAN Manager (NTLM) password hash as part of that connection. If the attacker controls the remote server, they can capture the password hash when it is sent. Although the password is hashed, the hash can still be cracked offline, especially if the password is made of common dictionary words. Bleeping Computer has reached out to Zoom, but no response has been given yet.
Employees should be cautioned about the potential danger of clicking UNC paths rendered as hyperlinks when they come from any untrusted source, whether the message arrives via Zoom, email or any other channel. It is also important for Zoom users to be wary of video conferencing invitations from unexpected senders, and to avoid publishing links to Zoom meetings on public channels, which would allow unintended participants to join. Organizations should consider using Group Policy to prevent corporate computers from sending credentials to external servers. To implement the Group Policy Object (GPO), go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers and set it to "Deny all". It is advisable to test this policy carefully before rolling it out across a company, because it may block access to external servers that employees legitimately use.
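The following PowerShell script is an added example, not part of the original article and not Zoom's or Microsoft's own tooling. It stages the same "Restrict NTLM: Outgoing NTLM traffic to remote servers" control on a single test machine before it is pushed out by GPO, following the article's advice to audit first. It assumes that the local registry value RestrictSendingNTLMTraffic (0 = Allow all, 1 = Audit all, 2 = Deny all) under the MSV1_0 key is the per-machine equivalent of that policy setting, that the companion "Add remote server exceptions" setting maps to the ClientAllowedNTLMServers value, and that Event ID 8001 in the Microsoft-Windows-NTLM/Operational log is where Windows records outgoing NTLM that audit mode would have blocked; the server names in the exception list are constructed placeholders.

```powershell
# Added example (not from the original article): stage the outgoing-NTLM restriction
# locally, in audit mode first, then deny. Run in an elevated PowerShell session.
# Assumption: this registry value is the local equivalent of the Group Policy setting
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Setting = 'RestrictSendingNTLMTraffic'
$Labels  = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

# Report the current state so the change can be verified before and after.
function Get-OutgoingNtlmPolicy {
    $item = Get-ItemProperty -Path $LsaPath -Name $Setting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (defaults to Allow all)' }
    return $Labels[[int]$item.$Setting]
}

# Switch between Allow / Audit / Deny without hand-editing the registry.
function Set-OutgoingNtlmPolicy {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string] $Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $LsaPath -Name $Setting -PropertyType DWord -Value $value -Force | Out-Null
}

"Before: $(Get-OutgoingNtlmPolicy)"

# Step 1: audit mode. Outgoing NTLM is still allowed, but Windows records what Deny would block.
Set-OutgoingNtlmPolicy -Mode Audit

# Step 2 (after a test period): review which remote servers users actually authenticate to.
# Assumption: Event ID 8001 in the NTLM operational log is the outgoing-NTLM audit record.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List

# Step 3: list the internal servers that legitimately need NTLM, then move to Deny all.
# Assumption: this value backs "Restrict NTLM: Add remote server exceptions for NTLM authentication".
$AllowedServers = @('fileserver01.corp.example', '*.corp.example')   # constructed placeholder names
New-ItemProperty -Path $LsaPath -Name 'ClientAllowedNTLMServers' -PropertyType MultiString `
    -Value $AllowedServers -Force | Out-Null
Set-OutgoingNtlmPolicy -Mode Deny

"After: $(Get-OutgoingNtlmPolicy)"
```

Run the script once to move the test machine into audit mode, leave it there long enough to cover a normal work cycle, and only then run Step 3 with the exception list filled in from the audit events. Once the test machine works in Deny mode without breaking access to internal file servers, apply the same setting through the GPO path given above rather than by registry edits on each endpoint.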