Millions of people have moved onto the Zoom video-conferencing platform as the coronavirus pandemic has forced them to work from their homes.

According to Zoom’s own statistics, its daily usage has soared from approximately 10 million daily users in December to over 200 million today. And although Zoom must be pleased to see so many more people using its service for the first time and presumably companies buying corporate licenses for staff, the surge in popularity will inevitably attracted the attention of cybercriminals.

Remember, it’s not just regular financially-motivated online criminals and mischief-making Zoom-bombers who might be interested in breaking into Zoom meetings or compromising the user base. The platform is also being used by government officials, who are likely to be of interest to state-sponsored attackers.

As a consequence, if anyone was to find a critical unpatched vulnerability in Zoom, then that would potentially be worth a lot of money on the shady zero-day exploit market.

According to Motherboard, there are reportedly two zero-day vulnerabilities present in the latest versions of Zoom for Windows and macOS, and exploits for the unpatched flaws are being actively hawked.

The Motherboard article quotes one unnamed source as saying that the Windows zero-day – which is being offered for a cool $500,000 z- could be used for spying:

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],” said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.”

The reference to remote code execution is particularly worrying, as this allows a hacker to run malicious code on a target’s computer without authorization. A malicious actor could use that code to spy on communications, steal data, or open a backdoor for further exploitation.

According to the report, hackers wanting to get the most bang (Read more...)