i³ Threat Advisory: Zoom ‘Screen share and Control’: A Third-Party Security Risk

  1. Conduct security awareness training to educate employees on expectations around performing their role and, reinforce company values.
  2. Restrict Zoom logins to corporate owned accounts.
  3. Restrict the use of the Remote Control feature in Zoom meetings.
  4. Develop an allowlist of applications where remote access controls can be implemented. Restricting the use of non-corporate applications that do not have granular security controls greatly reduces the security risk area and alleviates workload for monitoring and detection.
  5. Conduct network monitoring for IP geolocations via endpoints. Investigating anomalous access to corporate networks from unexpected geolocations could reveal activity related to both unauthorized screen sharing and screen control.

INTRODUCTION

The shift to remote work has enabled companies to hire and retain talent from all around the world, but it has also introduced security risks.

This Insider Threat Advisory (iTA) sheds light on the unassuming risks associated with video conferencing tools and their remote-control capabilities. Tools like Zoom have become ubiquitous with the digital workplace but are increasingly being exploited by insiders to subcontract work duties to unauthorized third parties.

The DTEX i3 team has observed an increase in this activity in various enterprise customer environments, even though this particular insider risk has not received much media coverage. Despite the lack of coverage, it has been a popular topic of discussion in multiple public forums [1] [2].

OPERATIONAL SCENARIOS

The developed use case is to detect when an employee subcontracts or outsources their duties to a third party and provides them access to corporate resources and data via a remote access feature .

Control via screen share is a common concern shared across industries that rely on video conferencing platforms to facilitate collaboration. These applications can also be exploited by external cyber threat actors, disguised as legitimate processes or requests. The following list provides some examples of social engineering and advanced technical scenarios that would exhibit the same technical behavior:

  • External threat actor tricking an insider into giving them access to their endpoint.
  • An insider letting an unauthorized third party take control of their endpoint to carry out work on their behalf.
  • A user sets up their work endpoint in one location with an application to then remote connect from a non-corporate endpoint to obscure their physical location.

While several forum discussions have focused on the ethical hurdles of outsourcing an entire job, this iTA profiles the security risks associated with employees giving third parties direct access to company resources via a remote access feature within an application.

Timestamps:

00:00 Introduction and video agenda
00:43 Motivation for this i3 Threat Advisory
01:44 Remote sharing and control demonstration using Zoom
02:52 Remote sharing and control demonstration using Teams
04:05 Mitigations covered in iTA-24-04.

EARLY DETECTION AND MITIGATION

The DTEX iteam recommends organizations implement these mitigating controls to reduce the risk of unauthorized data access.

Some of these mitigations focus on the Zoom platform due to its market dominance [3] and the knowledge that it will be applicable to a significant portion of DTEX customers. Though the focus is on Zoom, these mitigation steps should also be applied to any video conferencing software. It is recommended to consult supporting documentation for specific guidance on the software used within your organization.

Security Awareness Training

Security Awareness training is the best method to reinforce company values and keep users informed of possible threat vectors and techniques, including social engineering.

This should include being wary of external individuals requesting control of the user’s endpoint or being asked to install an application to perform a task.

Organizations that often utilize remote control methods for IT support should effectively communicate a standardized process as well as a clear method for confirming that the remote support worker is authorized.

Restricting Logins for the Zoom Client

Restricting the Zoom client to only allow the organizational corporate accounts to login [4] ensures that proper monitoring policies are applied by excluding personal accounts.  There are regulations surrounding privacy that will prevent organizations from detailed monitoring of personal accounts. This means it is important for organizations to ensure they not only have appropriate acceptable use policies but are providing technical guard rails for what is appropriate use on their corporate devices.

Restrict In-meeting Features for Users Joining Meetings

Technical controls around what corporate users can and cannot use in the video conferencing software can be applied to further enforce the security posture of the organization. Zoom offers granular control around additional features [5], like remote-control, to provide technical control over how features are used, which can be applied at a group level. If there are parts of the organization that require the use of remote-control, then these accounts should have additional monitoring implemented when actively using these features.

Implement Application Allowlisting

Implementing application allowlisting in your organization reduces the number of applications that require monitoring and detection profiling to only the applications that are permitted to be used within an organization.

Application allowlisting is recommended because most applications, when installed, offer functionality before security, despite having security controls.

This recommendation is significant to the cybersecurity program as a whole and will be a common recommendation across multiple iTAs. Application allowlisting will contribute to the organization’s security by significantly reducing the possible attack surface for cyber threats.

Network Monitoring for IP Geolocations

Behavioral analytics provide great insight to how users may differ from users in their respective groups. For example, users located in the same country have access to specific approved servers where approved interaction can be filtered out. However, any remaining anomalous connections or outlying connections by single users to unknown sources may reveal remote interactions or other concerning behaviors.

These types of behavioral analytics can be monitored through firewall appliances or other network monitoring devices either natively or through developed detection rules and scripts. DTEX InTERCEPT™ can be utilized to monitor this type of activity along with the contextual user actions on corporate endpoints.

INVESTIGATION

The development of this rule came out of use cases from our customers and the activity that the DTEX i3 Team was observing across our customer base. The iTA currently focuses on Zoom and Microsoft Teams as the majority of our customers use these applications as the approved corporate applications.

CONCLUSION

While there has been significant progress in security since the shift to remote work, there are still several gaps that need addressing to reduce risk from the inside out.

This iTA serves as a prime example of the insider risks that occur at the intersection of technology and psychology. By applying the mitigations within this iTA, organizations have a strong opportunity to up their defenses against IP theft, unauthorized data access and social engineering while maintaining compliance.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact DTEX iteam. Extra attention should be taken when implementing behavioral indicators on large enterprise deployments.

RESOURCES

DTEX Release Notes

The DTEX Insider Threat Advisories are always tied to either a DTEX Intel Release or a DTEX Analytics Module. DTEX Intel Releases contain new data enrichment categories or dashboards designed to help DTEX Insider Threat Practitioners detect new or emerging trends. DTEX Analytics Modules are discrete server-side installations that can contain new analytics code, custom use-case rules or profiling, Dashboards, Visualizations, and can be seen as prototypes for potential future offerings.

[1] Quora – Is it legal to pay someone else to do my job?
[2] Reddit – Hiring someone else to do my work?
[3] Market share of videoconferencing software worldwide in 2023, by program
[4] Restricting logins for the Zoom Client
[5] Restrict in-meeting features for users joining meetings