{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/zoom-meetings/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zoom Meetings"],"_cs_severities":["medium"],"_cs_tags":["zoom","initial-access","configuration-audit","zoombombing"],"_cs_type":"advisory","_cs_vendors":["Zoom"],"content_html":"\u003cp\u003eThis brief focuses on the risk associated with Zoom meetings created without a passcode. When meetings lack this basic security measure, they become vulnerable to \u0026quot;Zoombombing,\u0026quot; where unauthorized individuals disrupt the session with offensive or inappropriate content. The Elastic detection rule, published on 2026-04-10, identifies such meetings by monitoring Zoom event logs. This is particularly relevant for organizations using Zoom for internal and external communication, as the lack of a passcode can lead to reputational damage, exposure of sensitive information, and overall disruption of business operations. Ensuring that all meetings are password-protected is a simple yet effective way to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA Zoom meeting is created by a user without enabling the passcode feature.\u003c/li\u003e\n\u003cli\u003eThe meeting details (including the meeting ID) are potentially shared publicly or become discoverable through automated tools.\u003c/li\u003e\n\u003cli\u003eAttackers or malicious actors identify the unprotected Zoom meeting.\u003c/li\u003e\n\u003cli\u003eAttackers join the meeting without any authentication or authorization.\u003c/li\u003e\n\u003cli\u003eOnce inside the meeting, attackers disrupt the session by sharing inappropriate content (e.g., images, videos, audio).\u003c/li\u003e\n\u003cli\u003eParticipants within the meeting are exposed to the offensive content, leading to disruption and potential reputational damage.\u003c/li\u003e\n\u003cli\u003eThe meeting organizer is forced to terminate the session to stop the disruption.\u003c/li\u003e\n\u003cli\u003eThe organization experiences a loss of productivity and may face public criticism due to the incident.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eFailure to secure Zoom meetings with passcodes can lead to significant disruptions, with potential exposure of sensitive information and reputational damage. While the exact number of victims is difficult to quantify, Zoombombing incidents have affected organizations across various sectors. Successful attacks can result in the shutdown of meetings, loss of productivity, and the need for damage control. The impact extends beyond immediate disruption to potential long-term damage to an organization's reputation and client trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect Zoom meetings created without a password.\u003c/li\u003e\n\u003cli\u003eEnable Zoom Filebeat module to properly ingest the Zoom logs required for detection.\u003c/li\u003e\n\u003cli\u003eReview Zoom configuration settings to enforce mandatory passcodes for all future meetings.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and alerting for Zoom meeting creation events to quickly detect and respond to any future instances of meetings being set up without passcodes.\u003c/li\u003e\n\u003cli\u003eEducate users on the importance of using passcodes for all Zoom meetings to prevent unauthorized access and potential disruptions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-zoom-meeting-no-passcode/","summary":"Detection of Zoom meetings created without a passcode, which are susceptible to Zoombombing and potential disruption or exposure of sensitive information.","title":"Zoom Meetings Created Without Passcodes","url":"https://feed.craftedsignal.io/briefs/2024-01-29-zoom-meeting-no-passcode/"}],"language":"en","title":"CraftedSignal Threat Feed - Zoom Meetings","version":"https://jsonfeed.org/version/1.1"}