(U//FOUO) APT actors likely will identify new or use existing vulnerabilities in Zoom to compromise user devices and accounts for further exploitation of corporate networks. This judgment includes critical infrastructure entities using Zoom. We base this judgment on recent public exposure of Zoom’s numerous vulnerabilities. While vendors regularly publish patches for vulnerabilities, reports indicate there are instances in which users and organizations delay updates. The patching process is undermined by APT actors who often capitalize on delays and develop exploits based on the vulnerability and available patches. We also base this judgment on reported Chinese access to Zoom servers. China’s access to Zoom servers makes Beijing uniquely positioned to target US public and private sector users of the platform; however, we assume China’s unique position does not prevent other nation-states from using Zoom vulnerabilities to achieve their objectives.
» (U) Several Zoom vulnerabilities have been publicized, including a vulnerability in the Zoom desktop conferencing application that allows an attacker to hijack various components of Zoom sessions, for which ZoomUSPER has provided a patch; vulnerabilities in Zoom Client for Meetings that enable root access, as well as unprompted camera and microphone access; Zoom installing a hidden web server designed to circumvent pop-ups that removes password prompts; and using default settings to generate codes to join a meeting, easily leading to “zoombombing,” according to an internationally distributed US news source, a Canada-based research laboratory, a technology blog, and two vulnerabilities published on the National Institute for Standards and Technology (NIST) website.
(U) As of 15 April 2020 two zero-day exploits for Zoom that allow actors arbitrary code execution affecting Zoom on Windows and Apple operating systems were being sold for $500,000, according to a global research and advisory firm and an information security and technology news publication. We are unable to confirm whether these zero-day exploits are related to already discovered and patched vulnerabilities. However, even if there are patches available for these vulnerabilities, organizations are slow or unwilling to install patches, as there are risks that a patch may disrupt other dependent systems, and installing patches may incur downtime for business operations, according to a cybersecurity company.
(U) APT cyber actors often use newly released software patches to develop exploits and access networks that have not yet upgraded with vendor released patches, according to an NSA cybersecurity advisory. For example, APT actors as of October 2019 were exploiting common vulnerabilities in popular US virtual private network products to gain access to unprotected networks, according to the same source.
(U) Zoom claims the application has end-to-end encrypted meetings; however, the company in its April 2020 blog clarified that Zoom does not currently implement end-to-end encryption as the cybersecurity industry understands the term, according to a Canada-based research laboratory and Zoom’s company blog.
(U) Though Zoom is headquartered in the United States, the main Zoom application appears to be developed by three companies in China, which employ at least 700 workers, according to a Canada-based research laboratory providing strategic policy and legal engagement on information technologies, human rights and global security. Additionally, tests conducted by the same research laboratory observed keys for encrypting and decrypting meetings were transmitted to servers in Beijing. This raises concerns due to China’s 2016 Cybersecurity Law, which compels foreign firms to hand over important intellectual property assets, such as source code, to Chinese authorities, and China’s 2017 National Intelligence Law (Article 7), which mandates all organizations and citizens to support, assist, and cooperate with Chinese national intelligence efforts, according to an international online news source covering the Asia-Pacific region and a prominent American news source.
(U//FOUO) Malicious cyber actors likely view Zoom users as targets of opportunity to exploit a broad range of public and private sector entities including critical infrastructure. We base this judgment on the extensive publicity surrounding Zoom’s confidentiality issues and sudden popularity with users in a broad range of sectors adapting to the pandemic stay-at-home orders. This judgment is underpinned by the assumption that the unidentified cyber actors gained unsolicited access to ongoing Zoom conference sessions with ease, and that malicious actors can duplicate those efforts and use their accesses to facilitate additional malicious activities.
(U) Intelligence Gap – APT Network Exploitation
(U//FOUO) We lack indicators showing sophisticated cyber actors accessing Zoom and compromising user devices to gain access to victim networks. APT actors could access a victim’s network via Zoom is by exploiting vulnerabilities that allow them to access a user’s account with stolen credentials or hijack a conference session. The actor also could leverage Zoom’s integrated file transfer feature to deliver malware, such as a backdoor or other malicious executables. This root privilege escalation from Zoom to user device would enable the APT actor to further exploit the victim’s corporate network.