A U.S. House Oversight Committee meeting was the most recent victim of a Zoom bombing attack, after the meeting was disrupted at least three different times by uninvited attendees.
The incident was disclosed in a recent internal letter from Jim Jordan (R-Ohio) to Carolyn Maloney (R-NY), chairwoman for the Committee on Oversight and Reform, which is the main investigative committee in the U.S. House of Representatives.
“In spite of the warnings by the FBI and media outlets, on April 3, 2020, you held a Zoom-hosted Member briefing on women’s rights in Afghanistan with the Special Inspector General for Afghanistan Reconstruction (SIGAR),” the letter said to Maloney. “During this important briefing, the session was ‘Zoom-bombed’ at least three times. The impact of hacking and malware on Member and staff devices is still being determined.”
The letter does not specify what the Zoom bombers did after they interrupted the meeting, or whether any sensitive data was accessed.
Jordan cited this recent incident, as well as China’s involvement with Zoom, as major security issues, and called for government officials to “immediately suspend any current or future use of Zoom systems for official committee activities and take immediate steps to evaluate the Committee’s internal cybersecurity preparedness to prevent hackers from accessing sensitive committee information through the Zoom platform.”
With the coronavirus pandemic driving more organizations to “flatten the curve” by going remote – and thus using Zoom and other web conferencing platforms – Trolls are taking advantage of this by hijacking online meetings. Previous reports of Zoom bombing incidents have pointed to the trolls spreading hate speech such as racist messages, threats of sexual harassment, and pornographic images, which have reportedly driven meeting participants offline or forced meetings to be abruptly cancelled.
But for a government meeting, during which sensitive data may be shared, the stakes are higher than mere trolling. The issue of governments utilizing Zoom – and their knowledge around how to secure Zoom meetings – was hit with a media spotlight after UK prime minister Boris Johnson tweeted a picture of his Zoom meeting in which the meeting ID was visible.
Government officials are taking note of the threat. The Senate Sergeant of Arms this week warned that Zoom posed the threat of “potential compromise of systems and loss of data, interruptions during a conference and lack of privacy,” according to the letter. Furthermore, the Senate Sergeant of Arms noted that no Zoom product was vetted or cleared for use by Senate offices.
Zoom bombing has been spiking upwards over the past few weeks, despite the FBI cracking down on the issue and warning that those who take part in Zoom bombing could face jail time. A recent report by ZDNet recently pointed to attackers gathering in online communities (such as Discord, Reddit and more) to share Zoom conference codes or make Zoom bombing requests against certain online classes, for instance. Many of these attackers are teenagers, according to a recent PCMag report, with some even live streaming their attacks on Twitch.
Zoom’s platform overall has also under fire for security and privacy shortfallings over the past month. Most recently, the Ministry of Home Affairs for India issued an advisory for those who want to use Zoom, saying it’s “not a safe platform.”
In the midst of this fallout, Zoom is taking steps to improve its security, including recruiting an industry heavy-hitter – former Facebook CISO Alex Stamos – to provide special counsel. Zoom has also sought to improve its bug bounty program, bringing on bug bounty expert and Luta Security founder Katie Moussouris to assess its bug bounty program. As part of these improvements, Zoom is introducing a new feature that lets users report Zoom bombers. This feature will be introduced next week, as a “Report a User” security icon in the lower toolbar.
Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.