Security insights from ThreatLocker
Earlier this week, a new vulnerability in Zoom was discovered. If you aren’t familiar with this tool, it is currently one of the leading video conferencing software applications on the market.
Over the last month, use of the platform has spiked amid the Covid-19 pandemic as businesses, schools, and governments move to remote work. As Zoom's user base continues to skyrocket, the application has become a prime target for cybercriminals, putting millions of users at risk.
In these attacks, criminals send a UNC path (for example \\server\share) in a Zoom chat message, which the Windows client turns into a clickable link. When the user clicks it, Windows tries to open the path over SMB and, as part of that connection attempt, sends the user's Windows username and NTLM password hash to the attacker's server, where the hash can be cracked offline. The same kind of link can point at an executable or script file sitting on the attacker's share; if the user runs it, the machine is infected with malware.
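To make the attack concrete, here is an added example (not ThreatLocker's code and not from the original post) in Python that picks UNC-style links out of chat text, pulls out the target host and share, and flags any host that is not on a trusted-file-server list, which is the same decision a storage-control policy makes at the endpoint. The trusted-server list, the chat lines, and the hostnames and addresses in them are constructed for illustration (the IP addresses come from documentation address space).

```python
"""Find UNC-style links in chat text and check each target host against a
trusted-file-server list.  Added example for this post, not ThreatLocker code;
the policy and sample chat lines below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# Link shapes that make Windows open an SMB connection when clicked:
#   \\host\share\...   \\?\UNC\host\share\...   file://host/share/...
# The share is optional: a bare \\host is enough to trigger the connection.
# (Assumed patterns; IPv6 "ipv6-literal.net" hosts are not handled here.)
_UNC_RE = re.compile(
    r"(?:\\\\\?\\UNC\\|\\\\|file://)"      # prefix, longest form first
    r"(?P<host>[^\\/\s]+)"                 # server name or IPv4 address
    r"(?:[\\/](?P<share>[^\\/\s]+))?",     # optional share name
    re.IGNORECASE,
)

_TRAILING = ".,;:)\"'"   # punctuation that chat text often glues onto a link


@dataclass(frozen=True)
class TrustPolicy:
    """What counts as 'your file server': exact names, domain suffixes, subnets."""
    hosts: frozenset            # lower-case short or fully qualified names
    domain_suffixes: tuple      # each WITH a leading dot, e.g. ".corp.example"
    networks: tuple             # ipaddress.ip_network objects


def is_trusted_host(host: str, policy: TrustPolicy) -> bool:
    """True if the host is one of ours by name, domain suffix, or address."""
    h = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(h)
    except ValueError:
        addr = None
    if addr is not None:                       # numeric target: subnet check only
        return any(addr in net for net in policy.networks)
    if h in policy.hosts:
        return True
    # The leading dot in the suffix keeps "evil-corp.example" from matching
    # a ".corp.example" rule.
    return any(h.endswith(suffix) for suffix in policy.domain_suffixes)


def classify_message(text: str, policy: TrustPolicy) -> list:
    """Return one finding per UNC-style link in the text, with an allow/block verdict."""
    findings = []
    for m in _UNC_RE.finditer(text):
        host = m.group("host").rstrip(_TRAILING)
        share = (m.group("share") or "").rstrip(_TRAILING)
        findings.append({
            "link": m.group(0),
            "host": host,
            "share": share,
            "verdict": "allow" if is_trusted_host(host, policy) else "block",
        })
    return findings


def scan(lines, policy) -> list:
    """Scan many chat lines; each finding is tagged with its line index."""
    out = []
    for i, line in enumerate(lines):
        for f in classify_message(line, policy):
            f["line"] = i
            out.append(f)
    return out


# Constructed policy: one file server, one internal domain, one internal subnet.
POLICY = TrustPolicy(
    hosts=frozenset({"fs01", "fs01.corp.example"}),
    domain_suffixes=(".corp.example",),
    networks=(ipaddress.ip_network("10.20.0.0/16"),),
)

# Constructed chat lines (hostnames and addresses are documentation values).
SAMPLE_CHAT = [
    "Slides are on \\\\fs01\\shared\\q2-deck.pptx",
    "Check this out: \\\\203.0.113.7\\docs\\invoice.scr",
    "mirror: file://files.corp.example/team/report.pdf",
    "\\\\?\\UNC\\evil-corp.example\\c$\\payload.exe looks interesting",
    "no links here, just text",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CHAT, POLICY):
        print(f"line {f['line']}: {f['verdict']:5}  {f['host']}  share={f['share'] or '-'}")
```

A bare `\\host` with no share is still reported, because Windows will attempt the SMB connection, and send credentials, as soon as the link is opened. Domain suffixes are matched with their leading dot so that a look-alike such as `evil-corp.example` is not accepted by a `.corp.example` rule, and numeric targets are only trusted by subnet, never by name.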
We have had several users ask how these attacks can be stopped with storage policies and Ringfencing in place. There are a few steps we recommend you take in order to effectively protect yourself against a malware attack.
Step 1: Use Ringfencing
Ringfencing allows you to define rulesets governing how an application can interact with other applications and what resources an application can access. This is a technique that is unique to ThreatLocker and it’s extremely effective at stopping attackers from living off the land.
In this case, we have created a suggested Ringfencing policy specifically for Zoom. It stops Zoom from accessing your files and from launching other applications that could be used against you.
Whether you are using a whitelisting solution or not, Zoom cannot interact with other applications. Attackers will not be able to launch PowerShell, regsvr32, rundll32 or any other weaponizable application from Zoom, regardless of whether that application is on your whitelist, is otherwise trusted, or is outright malware.
By blocking Zoom's access to your file system, the policy also stops an exploited Zoom process from reaching your files. If someone sends you a link to malware, or a UNC path to ransomware sitting on a server, Zoom will not be able to open that either.
We highly recommend you combine Ringfencing with whitelisting. With both in place, untrusted applications are not permitted to run, regardless of how the payload is delivered to you: the executable, the DLL, or the script file will not run if it is not on your whitelist. Whitelisting alone, however, will not stop an attacker from weaponizing already-permitted tools like PowerShell against you. That is where Ringfencing comes into play, and this is why the combination has proven so effective at blocking these attacks.
Step 2 : Application Whitelisting
If you do not restrict what can run, you leave yourself exposed to vulnerabilities and to the misuse of legitimate software like Zoom. Antivirus software only attempts to block known-bad files, and it often fails. If you instead start from a default-deny approach, any application that has not been explicitly trusted is blocked, whether it is known or unknown malware. Application Whitelisting is highly effective at stopping malware from executing on your endpoints.
Application Whitelisting not only blocks unknown applications; it can also block tools such as PowerShell and registry editors on machines where they are not needed, and, as mentioned earlier, when combined with Ringfencing it stops these built-in applications from being used against you.
Make sure the solution is enabled, your computers are not in monitor-only mode, and you are blocking any software that is not trusted.
Step 3: Storage Control
In general, you should never allow your users to access storage devices or network shares that are not trusted. Combined with Application Whitelisting and Ringfencing, we recommend you protect your files with policy-driven storage control. Configure policies for file shares, USB devices, and other storage that restrict access to files not only per user but also per application.
With a deny-by-default storage policy in place, neither Zoom, Windows, nor any user can access a share or device that is not your file server or a trusted device. By setting these boundaries around Zoom, the application can't access your files, other applications, or the internet beyond what your policies allow.
MSPs and IT professionals are constantly hunting for threats and trying to solve the problems associated with vulnerabilities like this one. Looking for threats, however, is not the best way to protect yourself. It is far more effective to take the time to review which applications your users actually need and block everything else. You can take it a step further by limiting what the permitted applications are allowed to do. With these controls in place, you harden your endpoints and reduce your attack surface.
As mentioned previously, we've created a built-in policy for Zoom, and I hope you all can benefit from it. If you have any questions, please do not hesitate to reach out to one of our cyber heroes. We'd be happy to assist you.