Monday, April 6, 2020

FBI Alert on Zoom Bombing

The New York State Intelligence Center Cyber Analysis Unit (NYSIC CAU) has become aware of the following information. NYSIC-CAU will continue to provide updates as necessary.

Current Situation: Due to the ongoing COVID-19 national emergency, a large number of businesses, schools, and government entities are using video teleconferencing platforms to conduct meetings in order to provide continuity for business and learning. When these services are used with poor security practices, malicious actors hijack the meetings in what is now dubbed "Zoom bombing": the meeting is disrupted and supplanted with derogatory pictures containing objectionable content, including pornography, while some individuals disguise themselves and use profanity and hate speech. These hijackings occur because meeting information is made available to anyone through postings on websites and social media platforms. In some instances, even though a meeting identification number was not made public, enterprising malicious actors tried random number combinations and gained access to a meeting.

To clarify, hijacking a meeting by "Zoom bombing" is not the result of hacking.

Background: Zoom, a highly popular video teleconferencing service, is currently experiencing a dramatic increase in its usage, both by entities collaborating for official purposes and by individuals using the service to conduct video chats with friends and family to remain in contact while practicing social distancing. Because of its prevalence, along with the numerous news media reports of hijackings, the action was dubbed "Zoom bombing".

Best Practices: The following are some of the best practices for minimizing the chance of a meeting hijack. Each service offers guidance for securing a session.

  • Do not share meeting invitations in public forums found on social media or published on websites.
  • If the service offers a waiting room feature, utilize this to vet who is allowed access to the meeting.
  • Limit the number of attendees allowed in a meeting.
  • Manage screen sharing through a host. This will prevent someone from randomly taking over what is shown on the screen.
  • Password protect meeting access.
  • Ensure users are using the current version of the software.
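The practices above are settings a meeting host controls, which means they can be checked mechanically before a meeting starts. The following Python script is an added example, not part of the NYSIC/FBI advisory and not Zoom's own API or tooling: it audits a meeting-settings record against the five configurable practices (passcode, waiting room, host-managed screen sharing, attendee cap, current client) and produces a hardened copy of the host-controlled settings. The field names (`password`, `waiting_room`, `screen_share`, `max_participants`, `client_version`), the sample meeting, and the minimum client version are all assumptions constructed for the example and would need mapping to a real service's schema.

```python
"""Audit a meeting-settings record against the advisory's best practices.

Added example, not part of the advisory. All field names, the sample
meeting and MINIMUM_CLIENT_VERSION are assumed/constructed; they only
resemble the kind of JSON a conferencing service's API might return.
"""
import copy
import secrets
from dataclasses import dataclass


@dataclass
class Finding:
    setting: str
    severity: str  # "high" for settings that let anyone join, else "medium"
    message: str


# Constructed sample: a meeting set up the way many were before hardening.
SAMPLE_MEETING = {
    "id": 1234567890,  # placeholder meeting identifier, not a real one
    "password": "",
    "settings": {
        "waiting_room": False,
        "screen_share": "all",  # assumed values: "host" or "all"
        "max_participants": None,
        "client_version": "4.6.7",
    },
}

# Assumed placeholder for "the current version of the software".
MINIMUM_CLIENT_VERSION = (4, 6, 10)


def parse_version(text: str) -> tuple:
    """Turn "4.6.7" into (4, 6, 7) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def audit_meeting(meeting: dict, expected_attendees: int = 25) -> list:
    """Return one Finding per unmet practice; an empty list means all are met."""
    s = meeting.get("settings", {})
    findings = []

    # Password protect meeting access.
    if not meeting.get("password"):
        findings.append(Finding("password", "high",
                                "no passcode: anyone who learns the ID can join"))

    # Use the waiting room to vet who is admitted.
    if not s.get("waiting_room", False):
        findings.append(Finding("waiting_room", "high",
                                "waiting room off: participants join without vetting"))

    # Manage screen sharing through the host.
    if s.get("screen_share", "all") != "host":
        findings.append(Finding("screen_share", "medium",
                                "any participant can take over the shared screen"))

    # Limit the number of attendees to what the meeting actually needs.
    cap = s.get("max_participants")
    if cap is None or cap > expected_attendees:
        findings.append(Finding("max_participants", "medium",
                                f"no attendee cap at or below {expected_attendees}"))

    # Ensure the client software is current.
    version = s.get("client_version")
    if version is None or parse_version(version) < MINIMUM_CLIENT_VERSION:
        findings.append(Finding("client_version", "medium",
                                "client is older than the assumed minimum version"))

    return findings


def harden(meeting: dict, expected_attendees: int = 25) -> dict:
    """Return a copy with every host-controlled setting set to the safe value.

    The client version is deliberately left alone: it is fixed by updating
    the client, not by changing meeting settings, so it stays a finding.
    """
    hardened = copy.deepcopy(meeting)
    hardened["password"] = secrets.token_urlsafe(8)  # random passcode
    s = hardened.setdefault("settings", {})
    s["waiting_room"] = True
    s["screen_share"] = "host"
    s["max_participants"] = expected_attendees
    return hardened


if __name__ == "__main__":
    for label, m in (("before", SAMPLE_MEETING), ("after", harden(SAMPLE_MEETING))):
        print(f"--- {label} hardening ---")
        for f in audit_meeting(m):
            print(f"[{f.severity}] {f.setting}: {f.message}")
```

Run as-is, the script reports all five findings for the sample meeting and, after `harden`, only the client-version finding, which illustrates the split between what a host can fix in the meeting settings and what requires users to update their software.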