A Zoom zero-day exploit is up for sale for $500,000

Millions of people have moved onto the Zoom video-conferencing platform as the coronavirus pandemic has forced them to work from their homes. According to Zoom's own statistics, its daily usage has soared from approximately 10 million daily users in December to over 200 million today. And although Zoom must be pleased to see so many more people using its service for the first time and presumably companies buying corporate licenses for staff, the surge in popularity will inevitably attracted the attention of cybercriminals. Remember, it's not just regular financially-motivated online criminals and mischief-making Zoom-bombers who might be interested in breaking into Zoom meetings or compromising the user base. The platform is also being used by government officials, who are likely to be of interest to state-sponsored attackers. As a consequence, if anyone was to find a critical unpatched vulnerability in Zoom, then that would potentially be worth a lot of money on the shady zero-day exploit market. According to Motherboard, there are reportedly two zero-day vulnerabilities present in the latest versions of Zoom for Windows and macOS, and exploits for the unpatched flaws are being actively hawked. The Motherboard article quotes one unnamed source as saying that the Windows zero-day – which is being offered for a cool $500,000 z- could be used for spying:

“[The Windows zero-day] is nice, a clean RCE [Remote Code Execution],” said one of the sources, who is a veteran of the cybersecurity industry. “Perfect for industrial espionage.”

The reference to remote code execution is particularly worrying, as this allows a hacker to run malicious code on a target's computer without authorization. A malicious actor could use that code to spy on communications, steal data, or open a backdoor for further exploitation. According to the report, hackers wanting to get the most bang for their buck would need to use the Zoom for Windows zero-day exploit in co-ordination with other exploit code to gain full access to a PC. The source claims that the exploit requires the hacker to be on a Zoom call with their intended target, which certainly makes an attack less surreptitious. The macOS zero-day exploit, meanwhile, is said to not to lead to remote code execution, making it harder for potential hackers to leverage. Nonetheless, no-one likes to hear that there are critical unpatched vulnerabilities in their software. In recent weeks, Zoom has taken impressive security-minded steps, including acknowledging the mistakes it has made in the past and explaining what it is doing going forward to improve the service's security and privacy. Half a million bucks is a not an inconsiderable amount of money, and it's unlikely to make financial sense for the typical financially-motivated cybercriminal who will realize that they may only be able to exploit the flaw on a small number of occasions before it is patched. But an attack which is orchestrated by an authoritarian government or intelligence agency may have no qualms about paying such an amount if they felt it would help them spy upon their enemies. As a result, I think those with the most to lose (such as government officials and the military) who may find themselves regularly targets of interest to state-sponsored attackers might be wise to evaluate which video conferencing platforms they feel can offer them the highest level of security. For most of the rest of us, Zoom remains a good choice if you're trying to keep in touch with colleagues and family. Just make sure to keep it updated with the latest patches, check your security settings, be wary of unsolicited email invitations to Zoom meetings, and follow guidance about how to host meetings more safely to avoid unwanted intruders.