While the SolarWinds breach has shone a light on the dangers of supply chain attacks over the past three months, threat researchers at SME specialist security firm Huntress say the risks associated with the virtual events and conference platforms used by many organisations are going unremarked upon.
This time last year, one of the first signs that the newly discovered Covid-19 coronavirus was going to become something more than just a public health story centring on a Wuhan wet market was the cancellation of large-scale events.
The tech industry felt this pinch early on, with the GSMA’s Mobile World Congress one of the first victims. Meanwhile, cyber firm RSA went ahead with its San Francisco conference, which, given what we now know about Covid-19, not surprisingly turned into one of the first superspreading events, with multiple attendees falling ill and spreading the virus across the US.
With stay-home orders and travel bans stymying the events industry throughout 2020 and into 2021, organisations were quick to turn to virtual conferences as a stopgap. However, according to Huntress senior security researcher John Hammond, virtual events can easily turn into superspreading events for cyber criminals.
“We live in a new world that relies on remote events and virtual conferences,” he said in a blog post detailing his work. “You know the ones I’m talking about – you register with your business email and your job title in order to talk shop with like-minded folks.
“Imagine that: one online location where everyone in the industry has willingly offered their contact information, all to network and grow their community. That sure sounds like a treasure trove for hackers.”
As was famously seen with the difficulties faced by Zoom in the spring of 2020, the rush to scale up virtual platforms for mass use at the beginning of the pandemic meant that past security failings – or a lack of attention paid to security at the design stage – were made painfully apparent.
Hammond and his team uncovered multiple undisclosed zero-days in virtual event platforms used in multiple organisations, including Fortune 500 companies, in some cases when attending events hosted on the affected platforms themselves.
“We were there to network and chat with others – just like everyone else – but after some poking and prodding, we stumbled upon some unintended behaviour within the event platforms,” he said.
The disclosed vulnerabilities – in webcasts.com, affecting the integrated customer 6Connex, and in VFairs – ranged in impact from information disclosure and potential personal data leakage to direct access to databases and even remote code execution (RCE).
“As attendees for a webcasts.com event on 6Connex, we were able to join any chat room to connect with other attendees,” wrote Hammond. “But we found that we were able to see more about the attendees through their attendee IDs, and ultimately uncovered a huge data dump of all the users who were partaking in the virtual conference.
“This included a lot of personal data. We’re talking names, company and title, emails, IP addresses, and potentially city, state, phone number and physical address – and not just to us as presenters, but anyone at the event.”
“At another event we attended on VFairs, we saw that we could edit our profiles for a better networking experience. But here was the issue: we had the ability to change not only our own profile, but if you peeled back the layers and toggled the ID numbers, we could change anyone else’s profile too.
“This could allow a nefarious actor to perform cross-site scripting attacks, steal user cookies, impersonate them or force their web browser to different locations. And the ability to change a profile picture wasn’t limited to a JPEG or image file – you could upload PHP code, opening the door for remote code execution.
“Additionally, SQL database errors were public and the platform was vulnerable to a time-based blind SQL injection, giving a bad actor direct access to the database. These exploits could allow full access to potentially control the server and website.”
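The passage above describes three weaknesses that fixes at the handler level address directly: an attendee ID that could be toggled to edit other profiles, a picture upload that accepted PHP source, and unparameterised SQL. The following Python sketch is added here (not Huntress' or any vendor's code) and uses a constructed in-memory attendee table to show a profile-update handler that ties edits to the caller's own ID, accepts avatars by content rather than file name, binds SQL parameters, and encodes on output.

```python
import html
import sqlite3

# Constructed in-memory stand-in for an event platform's attendee table (assumption, not vendor code).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attendees (id INTEGER PRIMARY KEY, name TEXT, title TEXT, avatar TEXT)")
    db.executemany("INSERT INTO attendees VALUES (?, ?, ?, ?)",
                   [(1, "Alice", "CISO", "avatar_1.jpg"), (2, "Bob", "Analyst", "avatar_2.jpg")])
    return db

# Allowed image types, identified by leading bytes rather than by the client-supplied file name.
IMAGE_MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}

def sniff_image(data):
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def update_profile(db, session_attendee_id, target_id, name, title, avatar_bytes):
    """Hardened profile update. Returns (ok, detail)."""
    # 1. Ownership check: the attendee ID in the request is untrusted; toggling it must not
    #    let a caller edit someone else's record.
    if target_id != session_attendee_id:
        return (False, "forbidden: attendees may only edit their own profile")
    # 2. Upload check: accept only bytes that look like JPEG/PNG, and store under a
    #    server-chosen name with a server-chosen extension, so PHP source never lands on disk.
    ext = sniff_image(avatar_bytes)
    if ext is None:
        return (False, "rejected: avatar is not a JPEG or PNG")
    stored_name = f"avatar_{session_attendee_id}.{ext}"
    # 3. Parameterised SQL: user input is bound, never formatted into the query string,
    #    which removes the blind SQL injection surface.
    db.execute("UPDATE attendees SET name = ?, title = ?, avatar = ? WHERE id = ?",
               (name, title, stored_name, session_attendee_id))
    db.commit()
    return (True, stored_name)

def get_profile(db, attendee_id):
    return db.execute("SELECT name, title, avatar FROM attendees WHERE id = ?",
                      (attendee_id,)).fetchone()

def render_profile(db, attendee_id):
    """Attendee card as HTML; output encoding keeps a stored '<script>' in a name inert."""
    name, title, avatar = get_profile(db, attendee_id)
    return f'<img src="{html.escape(avatar)}"><b>{html.escape(name)}</b> ({html.escape(title)})'
```

The ownership check is the one that closes the ID-toggling hole regardless of what the client sends; the other two checks limit what a legitimate edit can carry.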
Both 6Connex and VFairs were informed of the vulnerabilities between September and October 2020, and both services are now patched. Hammond said it was impossible to tell whether any of these vulnerabilities were exploited by malicious actors, but prior to disclosure and patching it was certainly possible, and he urged users to be aware that similar vulnerabilities could exist in other platforms.
Hammond suggested that the problems with event platforms could have contributed to a spike in phishing attacks focusing on Huntress’ managed service provider (MSP) customers over the past couple of years.
“We aren’t telling you to sign up for events with a throwaway burner email address, fake name and sock puppet accounts – there is genuine value in being a part of the community and collaborating with your peers,” he said. “But we are telling you that no platform is immune.”
Hammond noted that the best defence against attacks incorporating a third-party tech partner or supply chain is for IT and security teams at the user organisation to get to know the product, pipeline and process inside out, so that they can better decide whether or not to use it to begin with.