We Got Zoom Bombed

Do we ever grow up?

Image presented by Zoom bomber.

We recently hosted an invite-only meeting with some of our business partners and clients. We followed most of the basic security measures and best practices for Zoom calls. Yet we got Zoom Bombed! How?

The technical details are not the core story here, though we will share those, as well as how the person gained access. What’s more important? We are people. We are working towards a mission. That mission takes priority.

So what happened?

We hosted a Zoom meeting and invited several of our clients. We set the meeting well in advance. We selected a set of configuration values based on those available at the time we set up the meeting. The meeting required a password and was not public, per best practices to prevent Zoom Bombing. Sharing of the URL took place through email to explicit end users.

These settings proved deficient to preventing the Zoom Bombing from taking place.

As the meeting started, an uninvited party joined the meeting. This person masqueraded as invited people in the meeting. This person changed names to other invited parties multiple times during the call.

The person used the opportunity to engage in childish antics. They chose to repeat the phrase “It is what it is; it is what it is” several times. Then they chose to tell everyone to “F*ck off” shortly after drawing a crude image on the screen. I’m guessing this is the obligatory drawing for Zoom Bombing? Finally they presented an image of a man’s face available on the Internet since at least 2010.

How did we respond?

Our initial reaction was to change some of the settings during the call to restrict participant access and control. We started the meeting with some participant control features disabled, because this meeting was password protected and only included our business clients. We relied on the password as our control for admittance. This alone did not stop the unwelcome visitor.

Next, we closed the original call and started a new call. This time, we locked participation down to registered Zoom users only. This did delay some legitimate participants in their attempts to rejoin. We also started this call with tighter restrictions for participant control.

We did lose a few participants between the first to the second call. Once the meeting began, we had a successful call without incident.

We also reached out to participants of the call to apologize for getting it wrong. In short, we did get it wrong. We could have enabled controls to further protect from this intrusion into our call.

This call was a meeting format call, using Zoom’s normal scheduled meeting functionality. For our next run, we will use Zoom’s Webinar package. We hope it will provide what we need to prevent unauthorized access, as it affords more options for the meeting host to control the meeting.

How did this happen?

We have looked into the how and why behind this activity. We have since learned about the existence of a tweet containing the meeting information. We do not yet know who posted the tweet, but we do believe the uninvited party joined via this link.

This tweet has since been deleted. The tweet was posted 59 minutes before the meeting started. On the same account, there was a least one other meeting posted, details of a Google Meet call with another Threat Intelligence vendor. Twitter has since suspended the account involved.

Zoom Meeting Details for business accounts allow you to view the device information and IP Address details for those who join meetings. The IP address of the one user we believe to be the Zoom Bomber appears to show evidence of a persistent VPN connection during the time of the call. We are still investigating this activity.

Why share this story?

We share this story because it’s a story that needs to get out.

Many think that security is locking the front door. Here, we did that, by using a password.

Others may question our decision to use Zoom. We see pros and cons to all cloud- and Internet-based communications platforms. We do review these platforms for security policy. In fact, as I write this, a new update on our internal teleconferencing solution policy was published.

But none of these options and opinions are security. Security at its core is about enabling business objectives.

This intrusion into our call becomes an opportunity. We adapt from this and we celebrate the success. This first call will prove to be easy for participants to remember!

This was our pilot call for a user group we started. We are sharing analytic processes, TTPs, and IoCs with our business partners. This is the real story here. We are creating new and more complete ways of enabling defenders to meet their mission.

Defenders can not stop or slow down sharing because of minor inconveniences. We are in this fight together. We owe it to each other to share as much, as early, and as often as we can. Attackers will not wait for defenders to be ready.

Our mission is to save and improve lives. We will not get distracted from that. It is too important.