During the pandemic, businesses rushed to move their operations to the cloud. As organizations increasingly rely on virtual events and conferences, it is no surprise that those looking for quick rewards are trying to find and exploit vulnerabilities in event platforms. These platforms are frequented by top Fortune 500 companies, which makes them a lucrative resource for attackers harvesting personal and corporate information.
Researchers at Huntress, an information technology company providing threat detection and cybersecurity intelligence, have uncovered zero-day vulnerabilities and misconfiguration flaws in two of the top five virtual event platforms: VFairs and webcasts.com (the latter affecting its customer 6Connex, among others).
Among the issues found by Huntress are the possibility of direct access to databases, personally identifiable information leakage, and potential remote code execution.
“At this point, we can’t predict whether the information was actively stolen or compromised by attackers or unauthorized users,” Huntress Senior Security Researcher John Hammond wrote in a blog post.
But Hammond believes it was possible, and similar weaknesses may well exist in other online conferencing platforms. As an example, Hammond points to a virtual job fair hosted on the 6Connex platform last fall that exposed job seekers' identities and social profiles.
At the time, Huntress reported its findings to VFairs and 6Connex, and both vendors have since released hotfixes for the vulnerabilities.
In the same announcement, the security firm also reported a large business supply-chain leak: more than 250,000 confidential records about SMB mergers and acquisitions, financing and related deals.
“A huge amount of sensitive and confidential financing information was leaked from Axial, a platform for buying, selling, advising and financing private companies — all due to neglect of basic security measures,” Hammond wrote.
Organizations potentially affected by the vulnerabilities reported by Huntress range from large US government agencies to corporate giants. VFairs, for example, counts Ford, T-Mobile, IEEE and Pearson among its customers. Huntress also identified many companies and organizations that use webcasts.com to host virtual events, from the US Food & Drug Administration and the National Medicare Secondary Payer Network to Google.
Huntress advises taking these revelations as an opportunity "to step back and consider if we truly care about security." The firm believes these vulnerabilities show just how important proactive threat hunting is for staying ahead of bad actors.
“If it weren’t for our team’s poking and prodding and responsibly disclosing these security flaws to their vendors, any ill-intended attacker could have exploited these vulnerabilities and the fallout could have been disastrous. The good guys need to step in before the bad guys do.”