How remote browser isolation can shut down virtual meeting hijackers


Virtual meetings continue to attract cyberattackers who use them to distribute ransomware, including GIF-based account takeover attacks. Earlier this week, Zoom agreed to pay $85 million to its users who have been victims of zoom bombing. Zoom also committed to increasing its efforts to stop cyberattackers from delivering malware and account takeover attempts via chat on its platform. The company has also promised to implement additional security and privacy policies as part of a legal settlement that was reached earlier this week. The web continues to be a vulnerable space that cyberattackers exploit, and the evolving security of virtual meetings, a need accelerated by the pandemic, has been an easy target.

Before the pandemic’s onset, many CISOs were wary of the first generations of virtual meeting platforms. The potential for cyberattackers to hide malware in HTML, JavaScript and browser code and then launch attacks aimed at unsecured endpoints was one of the reasons why virtual meeting platforms didn’t grow faster before the pandemic. Once an endpoint is compromised, cyberattackers laterally move across an enterprise’s network and launch additional malware attacks or impersonate senior management and defraud the company. 

Cyberattacks growing more sophisticated 

Using GIF images to deliver worm-based attacks across Microsoft Teams into corporate accounts shows how sophisticated these attacks are. Users only had to view the GIF in Teams to have their authtoken cookie data shared with the compromised subdomain. CyberArk’s recent blog post on how cyberattackers successfully used a GIF message to launch a worm-like malware variant through enterprises shows how vulnerable anyone using Teams and Microsoft-based applications can potentially be. 

CyberArk’s post provides a timeline of how Microsoft responded quickly to thwart this type of attack and observed that the cyberattackers could traverse an organization and gain access to confidential, privileged data. Hacking into virtual meetings has become a new way for cyberattackers to gain the benefits of having privileged access credentials without having to steal them first. 

The following graphic illustrates how the GIF-based attack worked.

Cyberattackers’ ingenious use of GIFs to launch a worm-like attack on enterprises via Microsoft Teams shows the level of effort bad actors will make in compromising virtual meeting platforms for gain. Source: CyberArk, Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams

Why remote browser isolation works 

In what began as a strategy to simultaneously secure virtual meeting platforms and make them more collaborative, Zoom and other platform providers began installing a remote web server on users’ devices. To their credit, Zoom quickly resolved the issue, while Apple pushed a silent update on their systems to block Zoom’s server. Zoom has progressed its security since 2019 and will need to improve, given the high cost of the legal settlement this week. Their timeline reflects the challenges all virtual meeting platforms have in balancing security, speed and responsiveness of user experience while enabling virtual collaboration. Many enterprises initially resisted migrating off their legacy teleconferencing systems, as slow and intuitive as they were, given the security risk for Zoom and other platforms.

Since the start of the pandemic and continuing now, virtual and hybrid teams are flourishing across all organizations, creating an entirely new series of security risks for virtual meeting sessions. Supporting the proliferating variety of personal, unmanaged devices makes CISOs’ and CIOs’ jobs challenging.

Remote Browser Isolation (RBI)’s growth over the last two years is in response to the needs organizations have to bring a more zero trust security-based approach to all web sessions, regardless of where they are located. Zero trust looks to eliminate dependence on trusted relationships across an enterprise’s tech stack — as any trust gap can be a major liability. As a result, it is an area attracting enterprise cybersecurity providers like Forcepoint, McAfee and Zscaler that have recently added RBI to their offerings, joining RBI pioneers like Ericom and Authentic8. Of these and many other competing vendors in the RBI market, Ericom is the only one to have successfully developed and delivered a scalable solution that meets the demanding technological challenges of securing virtual meetings globally. It has applied for a patent for their innovations in this area. 

RBI is proving to be a more secure alternative to downloading clients that lack security and can cause software conflicts on endpoints that render them unprotected. RBI works by opening the virtual meeting URL in a remote, isolated container in the cloud. Virtual devices such as a microphone, webcam or desktop within the container synchronize media streams with endpoint devices.

Only safe rendering data representing isolated users’ media is streamed to participants’ endpoint browsers from the container. Isolated users likewise receive only safe renderings of media originating from other participants. The isolated container is destroyed when an active virtual meeting session ends, including all content within. In addition, policies restrict what users can share in virtual meetings via screen shares and chats. No images, video or audio of meetings is cached in participants’ browsers, so they can’t be retrieved and examined after the meeting or shared. The solution also prevents the malware-enabled illicit recording of sessions.

Taking a zero-trust approach to managing every virtual meeting session reduces the threat surface and breach attempt it can potentially turn into. Ericom's RBI-based Virtual Meeting Isolation shows the potential of using a zero-trust-based approach to protecting virtual meetings.

Turning a cautionary tale into a proactive strategy

Virtual meetings keep teams collaborating, creating and accomplishing complex tasks together. CIOs and CISOs who enable the underlying virtual meeting technologies must continue to be vigilant about the security risks of virtual meeting platforms’ downloadable clients. Until now, there has not been a reliable way to secure them. While a lesson from the past, Zoom’s decision to load web servers on users’ systems is a cautionary tale every CIO I know still speaks about when virtual meeting platforms come up in conversation. 

RBI’s capability to isolate virtual meetings can alleviate the concerns of CIOs and CISOs who want a solution that can scale across unmanaged devices. Endpoint security has progressed rapidly during the pandemic in parallel with RBI, as organizations adopt a more zero trust-based strategy for protecting every threat surface and reducing enterprise risk. As a result, securing virtual meetings is becoming core to a solid enterprise endpoint security strategy.

Originally appeared on: TheSpuzz