Security vendor Huntress has found zero-day vulnerabilities in two leading virtual event platforms, as well as evidence of a breach impacting Axial, an online platform used by channel pros and other SMBs to conduct mergers and acquisitions.
The virtual conference vulnerabilities, which Huntress discovered last fall, impacted the vFairs and GlobalMeet (formerly Webcasts.com) platforms. Both vFairs and Premiere Global Services Inc., which operates GlobalMeet, have corrected the flaws following notification from Huntress.
At present, Huntress says, there is no evidence that attackers used the zero-days to steal information or compromise hosting resources.
6Connex, another major name in virtual conferences, is a GlobalMeet partner potentially affected by that platform’s security gap. Kaseya, SYNNEX, and Tech Data are three of many companies familiar to channel pros that have hosted virtual events on 6Connex in the last year.
A vulnerability at a 6Connex-hosted virtual job fair staged last August by 17 government intelligence agencies including the CIA, Defense Intelligence Agency, and National Security Agency allowed a security researcher to download information on more than 3,000 attendees using his browser’s web page inspect and debug features.
Use of virtual event platforms has skyrocketed since social distancing regulations imposed in response to the coronavirus pandemic made in-person events all but impossible.
The specific flaw found in GlobalMeet was an exposed API endpoint that allowed anyone with the right URL to download “a big data dump of all the users currently watching that presentation or in that room for the virtual conference,” according to John Hammond, a senior security researcher at Huntress.
Data in the download included each user’s name, company, title, email address, and IP address. Cybercriminals could potentially use the email and IP addresses, in particular, to increase the size and accuracy of their attacks.
“The bad guys are stockpiling and accumulating those so they can prepare these massive phishing campaigns and MalSpam campaigns,” Hammond says.
The vFairs vulnerability Huntress uncovered involved a flaw in the event platform’s chat room functionality that let anyone who knew an attendee’s account number modify that user’s profile data.
“You could make that person a completely different name, a completely different job title, company, etc. You could make them Ronald McDonald if you wanted to, and you could change their profile picture,” Hammond says.
That last possibility was especially dangerous, he continues, because a hacker could potentially exploit it to perform a cross-site scripting attack by uploading PHP code instead of a photograph.
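Both flaws come down to a missing check: the roster endpoint answered anyone who had the URL and returned every field it held, and the profile and picture changes were keyed only on an attendee's account number. The following Python is an added illustration, not vFairs or GlobalMeet code; the attendee records, room, function names and token-based session scheme are all constructed. It places each endpoint's flawed form next to the hardened form a defender would want: a session check plus data minimisation on the roster, an ownership check plus an editable-field allowlist on profile updates, and content-based validation with a server-generated filename on picture uploads, so that a PHP file renamed to look like a photo is rejected rather than stored.

```python
"""Added example: a minimal in-memory model of a virtual-event API.

Hypothetical code (constructed data and names), showing the checks whose
absence produced the two vulnerabilities described above.
"""
import secrets
import uuid

# Constructed sample attendee records and one room.
USERS = {
    1001: {"name": "Ada Example", "company": "Example Co", "title": "CTO",
           "email": "ada@example.test", "ip": "203.0.113.10", "picture": None},
    1002: {"name": "Bob Example", "company": "Example LLC", "title": "CEO",
           "email": "bob@example.test", "ip": "203.0.113.20", "picture": None},
}
ROOMS = {"keynote": {1001, 1002}}
SESSIONS = {}  # session token -> account id


class AuthError(Exception):
    """Caller is not logged in or does not own the target record."""


class ValidationError(Exception):
    """Request content was rejected."""


def login(account_id):
    """Stand-in for real authentication: issue an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def _caller(token):
    if token not in SESSIONS:
        raise AuthError("no valid session")
    return SESSIONS[token]


# Roster endpoint. Flawed form: no session required, full records dumped.
def room_roster_vulnerable(room):
    return [dict(id=uid, **USERS[uid]) for uid in ROOMS[room]]


# Hardened form: authenticated attendees only, and only display fields.
def room_roster(token, room):
    _caller(token)
    if room not in ROOMS:
        raise ValidationError("unknown room")
    return [{"name": USERS[uid]["name"], "company": USERS[uid]["company"]}
            for uid in sorted(ROOMS[room])]


# Profile update. Flawed form: trusts the account id sent by the client.
def update_profile_vulnerable(account_id, **fields):
    USERS[account_id].update(fields)


ALLOWED_FIELDS = {"name", "company", "title"}


# Hardened form: object-level authorization plus an allowlist of fields.
def update_profile(token, account_id, **fields):
    if _caller(token) != account_id:
        raise AuthError("cannot modify another attendee's profile")
    bad = set(fields) - ALLOWED_FIELDS
    if bad:
        raise ValidationError(f"fields not editable: {sorted(bad)}")
    USERS[account_id].update(fields)


# Picture upload: decide by magic bytes, never by the client's filename,
# and store under a server-generated name with a fixed image extension.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}
MAX_BYTES = 2 * 1024 * 1024


def upload_picture(token, account_id, filename, data):
    if _caller(token) != account_id:
        raise AuthError("cannot change another attendee's picture")
    if len(data) > MAX_BYTES:
        raise ValidationError("file too large")
    ext = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    if ext is None:
        raise ValidationError("not a PNG or JPEG image")
    stored = f"{uuid.uuid4().hex}.{ext}"  # client-supplied filename is ignored
    USERS[account_id]["picture"] = stored
    return stored


def rejects(exc, fn, *args, **kwargs):
    """True if fn(*args, **kwargs) raises exc; used to exercise the checks."""
    try:
        fn(*args, **kwargs)
    except exc:
        return True
    return False
```

The roster's hardened form deliberately returns no email or IP address at all: the paragraph above explains why those two fields are the ones an attacker would harvest, and a field the endpoint never emits cannot leak through a later bug in the check.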
In the Axial breach, a Twitter user named “tillie, doer of crime” and since removed from the site claimed to have downloaded over 250,000 “confidential files relating to thousands of business mergers and acquisitions, which will likely reveal many transactions and especially the transaction values from may [sic] M&As, as well as many other so far unknown details about all these businesses and investments.”
Axial, the January 7th post stated, had left a server running Jenkins automation software fully exposed to the web “with no authentication and full access rights granted to anonymous users.”
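A Jenkins controller in the state the post describes has either security switched off or an authorization strategy that gives anonymous users everything. The script below is added here as an illustration and is not Axial's or the Jenkins project's own tooling; it reads the controller's top-level config.xml and flags the settings that grant anonymous access. It assumes the element and class names Jenkins writes to that file (`useSecurity`, `authorizationStrategy`, `securityRealm`, and the `Unsecured`, `FullControlOnceLoggedIn` and `SecurityRealm$None` classes); the two XML fragments are constructed samples, one exposed and one hardened.

```python
"""Added example: audit a Jenkins config.xml for anonymous access.

Hypothetical checker (not Jenkins or Axial code). It parses the controller's
$JENKINS_HOME/config.xml and returns findings for settings that let
unauthenticated users in.
"""
import xml.etree.ElementTree as ET

UNSECURED_STRATEGY = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN_STRATEGY = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
NO_REALM = "hudson.security.SecurityRealm$None"


def audit_jenkins_config(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # With useSecurity false, Jenkins skips authentication and authorization entirely.
    use_security = (root.findtext("useSecurity") or "").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not true: security checks are disabled")

    # Unsecured (or missing) strategy: anonymous users get full control.
    strategy = root.find("authorizationStrategy")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    if not strategy_cls or strategy_cls == UNSECURED_STRATEGY:
        findings.append("authorizationStrategy is Unsecured: anonymous users have full control")
    elif strategy_cls == LOGGED_IN_STRATEGY:
        deny = (strategy.findtext("denyAnonymousReadAccess") or "").strip().lower()
        if deny != "true":
            findings.append("anonymous read access allowed: denyAnonymousReadAccess is not true")

    # A None realm means there is no way to authenticate anyone.
    realm = root.find("securityRealm")
    realm_cls = realm.get("class", "") if realm is not None else ""
    if not realm_cls or realm_cls == NO_REALM:
        findings.append("securityRealm is None: no authentication configured")

    return findings


# Constructed sample: the shape of an exposed controller.
EXPOSED_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample: local user database, logged-in users only, no anonymous read.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or "no findings")
```

Run it against a real controller by reading config.xml from disk and passing the text to `audit_jenkins_config`. A clean result only means the controller requires login; it says nothing about whether the host itself should be reachable from the internet, which is the other half of the exposure the post describes.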
Huntress has not seen the data referenced in the Twitter post, and has no information on whether or not the attacker who claimed to have it has used it or shared it with others. Vendors and channel pros with Axial accounts, the company says, should reset passwords, implement multifactor authentication, and take other precautions just the same.
“Do your tried-and-true security basics,” Hammond advises.
According to Hammond, the GlobalMeet and vFairs vulnerabilities underscore the need for virtual conference vendors to make security as important a priority as functionality by assigning a full-time, permanent team to platform integrity.
“Make that their whole job forever,” he says. “They’re always testing. They’re always doing that QA quality assurance, but for security.”
Companies that stage virtual events on platforms like GlobalMeet and vFairs must take security more seriously as well, Hammond adds, by asking about security policies when evaluating platforms and requesting audit results.
“We can’t always blindly trust this potential solution or potential product that could give us what we want in the moment,” he says.
What virtual event attendees should do going forward to protect themselves from platform vulnerabilities, Huntress concedes, is less clear.
“It’s a tough problem to solve,” says Hammond, noting that since the arrival of COVID-19 last year, virtual events have been essential tools for communication, collaboration, and community-building.
“That’s how we socialize, and there’s value in that,” he says. Using disposable, temporary email addresses and “sock puppet” accounts when registering for virtual conferences isn’t viable either, adds Hammond, who calls vigilance the best available option at present for most channel pros.
“I would encourage them to stay in the know,” he says.