VPNs, RBI Are No Longer Enough: Zoombombings Reveal Need for New Session-Based Approach to Browsing Security

In April of this year, Zoom paid out an $85 million settlement to users of its platform who’d fallen victim to “Zoombombing” (a.k.a. virtual meeting hijacking) — a novel type of cyberattack in which malicious actors launch malware and account takeover attempts via chat within virtual meeting platforms such as Zoom.

But Zoom is far from alone in facing these types of attacks. Earlier this year, researchers at Avanan security uncovered a campaign in which malicious actors targeted Microsoft Teams users with malicious files aimed at system takeover — yet another high-profile instance of virtual meeting hijacking that set off alarm bells throughout the security community. However, it would be disingenuous to suggest either of these developments has come as a surprise.

On the contrary, security professionals had been worried about these types of vulnerabilities long before Zoom became a household name. Yet even now that those concerns have become a reality, the vast majority of organizations remain vulnerable — as VPNs and even remote browser isolation (RBI) aren’t enough to guarantee protection against these novel types of attacks.

Concerns Around New Attack Vectors Have Loomed Large for Years

In a recent report for VentureBeat, Louis Columbus explains that many CISOs had been reluctant to adopt virtual meeting technologies for quite some time prior to the pandemic, due in large part to precisely the kinds of security issues we’re seeing today. In fact, it seems many CISOs had successfully resisted their use in enterprise settings until the pandemic made these tools all but necessary for companies’ survival. 

“The potential for cyberattackers to hide malware in HTML, JavaScript and browser code and then launch attacks aimed at unsecured endpoints was one of the reasons why virtual meeting platforms didn’t grow faster before the pandemic,” Columbus writes. “Once an endpoint is compromised, cyberattackers laterally move across an enterprise’s network and launch additional malware attacks or impersonate senior management and defraud the company.”

And now, with the latest Teams-based attacks, those concerns have become reality, bringing this vector back to the forefront of many a CISO’s mind. According to a detailed analysis of the attack from Avanan, the Teams hackers used executable files sent via Teams chat that, once downloaded, would install DLL files and create shortcut links to self-administer. With this novel strategy, malicious actors are able to use virtual meetings to gain remote access to workstations without the cumbersome process of credential theft.

New Flood of Unsecured Endpoints Demands New Session-Based Approach to Browsing Security

The web session has become the modern office worker’s primary means of accessing both cloud and on-prem applications. It’s the modern enterprise employee’s gateway to the digital world — and yet, most prevailing security solutions fail to address the full breadth of today’s web browsing attack surface. 

Today’s IT administrators are faced with a growing number of untrusted connections, coming from a multiplicity of often undersecured, over-provisioned devices. That’s a daunting task, but to make matters worse, they must secure all of these connections without causing undue disruption to workplace productivity, or causing friction for end-users — whose capacity for non-compliance and shadow IT appears to be growing in lockstep with the number of cumbersome endpoint agents they’re saddled with. 

VPNs are not enough, and even remote browser isolation falls short of protecting every mobile or web session from malware, malicious files, or credentialing attacks. From encrypted traffic they’re unable to inspect, to advanced techniques capable of bypassing both, VPNs and RBI are far from impervious. More importantly, there are many platforms that simply aren’t compatible with isolation, with Zoom being a prime example.

Add to that the fact that neither security solution is truly compatible with mobile — and both remain susceptible to work-arounds by end-users frustrated by latency and other disruptions to the user experience — and it becomes glaringly apparent that organizations need a new approach altogether to browsing security.

Red Access Delivers Frictionless, Agentless Security For Every Web Session

This is why my partner Tal Dery and I founded Red Access — the first SaaS-based, agentless secure browsing solution to secure every web session, no matter where it originates. Red Access offers a more robust, less cumbersome alternative to bolting on yet another endpoint agent that lacks security and can cause software conflicts that render endpoints unprotected. 

And, unlike remote browser isolation (RBI), Red Access provides complete coverage against the latest file, identity, and data-driven threats — including ransomware, Zoombombing, and other novel threats — without causing latency or otherwise compromising the end-user experience. In the age of shadow IT, it’s important for CISOs to remember that security solutions will only work if your employees actually use them, rather than try to work around them.

That’s why the most effective security solutions are invariably those that are invisible to the end user. With Red Access, your organization benefits from the most advanced, multi-layered cloud and endpoint inspection, without employees even realizing it’s there. 

Ready to see Red Access in action? Start your free trial today.
