Security vendor Huntress has found zero-day vulnerabilities in two leading virtual event platforms, as well as evidence of a breach impacting Axial, an online platform used by channel pros and other SMBs to conduct mergers and acquisitions.
The virtual conference vulnerabilities, which Huntress discovered last fall, impacted the vFairs and GlobalMeet (formerly Webcasts.com) platforms. Both vFairs and Premiere Global Services Inc., which operates GlobalMeet, have corrected the flaws following notification from Huntress.
At present, Huntress says, there is no evidence that attackers used the zero-days to steal information or compromise hosting resources.
6Connex, another major name in virtual conferences, is a GlobalMeet partner potentially affected by that platform’s security gap. Kaseya, SYNNEX, and Tech Data are three of many companies familiar to channel pros that have hosted virtual events on 6Connex in the last year.
A vulnerability at a 6Connex-hosted virtual job fair staged last August by 17 government intelligence agencies including the CIA, Defense Intelligence Agency, and National Security Agency allowed a security researcher to download information on more than 3,000 attendees using his browser’s web page inspect and debug features.
Use of virtual event platforms has skyrocketed since social distancing regulations imposed in response to the coronavirus pandemic made in-person events all but impossible.
The specific flaw found in GlobalMeet was an exposed API endpoint that allowed anyone with the right URL to download “a big data dump of all the users currently watching that presentation or in that room for the virtual conference,” according to John Hammond, a senior security researcher at Huntress.
Data in the download included each user’s name, company, title, email address, and IP address. Cybercriminals could potentially use the email and IP addresses, in particular, to increase the size and accuracy of their attacks.
“The bad guys are stockpiling and accumulating those so they can prepare these massive phishing campaigns and MalSpam campaigns,” Hammond says.
The vFairs vulnerability Huntress uncovered involved a flaw in the event platform’s chat room functionality that let anyone who knew an attendee’s account number modify that user’s profile data.
“You could make that person a completely different name, a completely different job title, company, etc. You could make them Ronald McDonald if you wanted to, and you could change their profile picture,” Hammond says.
That last possibility was especially dangerous, he continues, because a hacker could potentially exploit it to perform a cross-site scripting attack by uploading PHP code instead of a photograph.
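The two flaws Hammond describes are both authorization failures: an endpoint that returns a full attendee dump to anyone holding the URL, and a profile update that trusts an account number supplied by the client and accepts arbitrary bytes as a profile picture. The following is an added example, not code from Huntress, vFairs or GlobalMeet, that models each flaw as a plain Python request handler beside a hardened version. The account numbers, room ids, field names and attendee records are constructed for the illustration; a real platform would bind these to its session and storage layers.

```python
# Added example (not Huntress's, vFairs' or GlobalMeet's code): the two
# authorization failures described above, modelled as plain Python request
# handlers so the whole thing runs offline. Account numbers, room ids, field
# names and the attendee data are constructed for this illustration.
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 401/403."""


@dataclass
class Session:
    account: Optional[int] = None   # None means no login at all
    is_host: bool = False


def make_store():
    """Fresh constructed data: attendees keyed by account number, rooms by id."""
    attendees = {
        1001: {"name": "Ann Attendee", "company": "Example Co", "title": "Engineer",
               "email": "ann@example.com", "ip": "203.0.113.5"},
        1002: {"name": "Bob Badge", "company": "Sample LLC", "title": "Director",
               "email": "bob@example.net", "ip": "198.51.100.9"},
        1003: {"name": "Cat Curious", "company": "Other Inc", "title": "Analyst",
               "email": "cat@example.org", "ip": "192.0.2.77"},
    }
    rooms = {"keynote": [1001, 1002], "breakout-7": [1003]}
    return {"attendees": attendees, "rooms": rooms}


# --- Exposed roster endpoint (the GlobalMeet-style flaw) ---------------------

def room_roster_vulnerable(store, room_id, session=None):
    # The URL is the only "secret": no login check, and the full record
    # (including email and IP) is returned for everyone in the room.
    return [dict(store["attendees"][a]) for a in store["rooms"][room_id]]


PUBLIC_FIELDS = ("name", "company", "title")


def room_roster_fixed(store, room_id, session):
    # Authenticate, then authorize against the object (this room), then
    # return only the fields other attendees are meant to see.
    if session.account is None:
        raise Forbidden("login required")
    members = store["rooms"][room_id]
    if not session.is_host and session.account not in members:
        raise Forbidden("not a member of this room")
    return [{k: store["attendees"][a][k] for k in PUBLIC_FIELDS} for a in members]


# --- Profile update keyed on a client-supplied account number (vFairs-style) -

def update_profile_vulnerable(store, account, fields, picture=None, session=None):
    # Trusts the account number from the request: any caller, logged in or
    # not, can rewrite anyone's profile, and the picture bytes are stored
    # without checking that they are actually an image.
    record = store["attendees"][account]
    record.update(fields)
    if picture is not None:
        record["picture"] = picture
    return record


EDITABLE_FIELDS = {"name", "company", "title"}
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")   # PNG, JPEG
MAX_FIELD_LEN = 120


def update_profile_fixed(store, session, fields, picture=None):
    # The target record is always the session's own account; the request
    # never names which account to edit, so there is nothing to tamper with.
    if session.account is None:
        raise Forbidden("login required")
    bad = set(fields) - EDITABLE_FIELDS
    if bad:
        raise ValueError(f"not editable: {sorted(bad)}")
    for k, v in fields.items():
        if not isinstance(v, str) or len(v) > MAX_FIELD_LEN:
            raise ValueError(f"bad value for {k}")
    if picture is not None and not picture.startswith(IMAGE_MAGIC):
        # A PHP script (or any non-image) is rejected before it is stored;
        # accepted images belong outside the web root under a server-chosen name.
        raise ValueError("profile picture must be PNG or JPEG")
    record = store["attendees"][session.account]
    record.update(fields)
    if picture is not None:
        record["picture"] = picture
    return record
```

Two design points worth noting. An unguessable URL is not authentication: `room_roster_fixed` requires a session and then checks membership of the specific room, which is the object-level check the exposed endpoint lacked. And `update_profile_fixed` takes no account number from the request at all, so the class of bug where a caller edits someone else's record by changing an id cannot arise; the magic-byte check on the picture is a minimum, and a production service would additionally re-encode the image and serve it from a separate origin so that stored content is never executed or rendered as the platform's own page.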
In the Axial breach, a Twitter user going by “tillie, doer of crime,” whose account has since been removed from the site, claimed to have downloaded over 250,000 “confidential files relating to thousands of business mergers and acquisitions, which will likely reveal many transactions and especially the transaction values from may [sic] M&As, as well as many other so far unknown details about all these businesses and investments.”
Axial, the January 7th post stated, had left a server running Jenkins automation software fully exposed to the web “with no authentication and full access rights granted to anonymous users.”
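A Jenkins server that grants anonymous users full access is a configuration state, not an exploit, and it can be audited from the controller's own `config.xml`. The following is an added example, not Axial's configuration or Jenkins project code, that checks a `config.xml` for the built-in authorization strategies that leave anonymous users with read or full control. The two sample configurations are constructed; the element and class names are the ones Jenkins writes for its built-in strategies, and the matrix permission strings are assumed to take either the older `PERMISSION:sid` form or the newer `TYPE:PERMISSION:sid` form.

```python
# Added example (not Axial's configuration or any Jenkins project code): an
# offline audit of a Jenkins $JENKINS_HOME/config.xml for the kind of anonymous
# access described above. The config.xml samples below are constructed.
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
MATRIX = "hudson.security.GlobalMatrixAuthorizationStrategy"
PROJECT_MATRIX = "hudson.security.ProjectMatrixAuthorizationStrategy"


def audit_jenkins_config(xml_text):
    """Return a list of findings; an empty list means no anonymous-access issue seen."""
    root = ET.fromstring(xml_text)
    findings = []
    # Legacy master switch: false means no security at all.
    use_security = root.findtext("useSecurity", "true").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is false: security disabled, anonymous is admin")
    strategy = root.find("authorizationStrategy")
    if strategy is None:
        # Assumption: an absent strategy is treated as Unsecured here.
        findings.append("no authorizationStrategy element: treated as Unsecured")
        return findings
    cls = strategy.get("class", "")
    if cls == UNSECURED:
        findings.append("Unsecured strategy: anonymous users have full control")
    elif cls == LOGGED_IN:
        deny = strategy.findtext("denyAnonymousReadAccess", "false").strip().lower()
        if deny != "true":
            findings.append("anonymous read access allowed (denyAnonymousReadAccess != true)")
    elif cls in (MATRIX, PROJECT_MATRIX):
        for p in strategy.findall("permission"):
            # Accept "PERMISSION:sid" and "TYPE:PERMISSION:sid" (assumed formats).
            parts = (p.text or "").strip().split(":")
            if len(parts) < 2:
                continue
            perm, sid = parts[-2], parts[-1]
            if sid == "anonymous":
                findings.append(f"matrix grants {perm} to anonymous")
    else:
        findings.append(f"unrecognised strategy {cls}: review manually")
    return findings


# Constructed: the weak setting, anyone who can reach the port is an admin.
EXPOSED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed: the corrected setting, login required even to read.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or "no findings")
```

Run it against a copy of the controller's `config.xml` (`audit_jenkins_config(open(path).read())`). Note that the audit is a file-level check only; whether the instance is actually reachable from the internet is a separate question for the network and reverse-proxy configuration, and a clean `config.xml` does not help if a plugin or a job-level setting grants access elsewhere.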