Mitigating ELUSIVE COMET Zoom Remote Control Attacks: A Guide to Protecting Your Organization
In the ever-evolving landscape of cybersecurity threats, organizations must stay vigilant against sophisticated social engineering attacks that target operational security vulnerabilities. Recently, our CEO encountered an invitation from "Bloomberg Crypto" that appeared to be a legitimate media opportunity but was actually a phishing attempt by ELUSIVE COMET, a threat actor responsible for millions in cryptocurrency theft. This article details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves.
The ELUSIVE COMET Threat Actor: A Sophisticated Social Engineering Campaign
ELUSIVE COMET's attack methodology mirrors the techniques behind the recent $1.5 billion Bybit hack in February, where attackers manipulated legitimate workflows rather than exploiting code vulnerabilities. This reinforces our perspective that the blockchain industry has entered the era of operational security failures, where human-centric attacks now pose greater risks than technical vulnerabilities.
The ELUSIVE COMET campaign succeeds through a sophisticated blend of social proof, time pressure, and interface manipulation that exploits normal business workflows. The attackers use Calendly booking pages to schedule fake Bloomberg interviews, send meeting invites from "Bloomberg Crypto," and then rely on the remote control permission dialog looking much like other harmless Zoom notifications.
Why This Attack Succeeds (Even Against Security Professionals)
The ELUSIVE COMET campaign succeeds by targeting operational security boundaries rather than technical vulnerabilities. Our encounter with ELUSIVE COMET reinforces our belief in defense-in-depth strategies that address both technical and operational security domains. By implementing multiple layers of protection, organizations can significantly reduce their exposure to this specific attack vector while maintaining business functionality.
Defending Against the Zoom Remote Control Feature Attack Vector
The Zoom remote control feature is a legitimate function that allows meeting participants to control another user's computer with permission. However, this feature poses a significant risk when exploited by social engineering attacks like ELUSIVE COMET's. To protect your organization from this attack vector, we recommend implementing the following measures:
- Privacy Preferences Policy Control (PPPC) profiles: These profiles provide the strongest protection by preventing Zoom from requesting or receiving accessibility permissions at the macOS system level.
- TCC database monitoring: This approach complements PPPC profiles rather than replacing them. Auditing the TCC database shows which applications already hold accessibility authorizations, so organizations can systematically revoke existing grants that could be abused and detect new ones, closing the path ELUSIVE COMET's attack depends on.
- Remove Zoom from systems: For organizations handling particularly sensitive data or cryptocurrency transactions, the risk reduction from eliminating the Zoom client entirely often outweighs the minor inconvenience of using browser-based alternatives.
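As an added example (not code from the original article, from Trail of Bits, or from Zoom), the following Python script builds the PPPC configuration profile described in the first bullet: a TCC payload that denies the Zoom client the Accessibility service, which is the macOS permission the remote control feature depends on. The bundle identifier us.zoom.xos and the code requirement string are assumptions to confirm on a managed host with `codesign -dr - /Applications/zoom.us.app`; the organization prefix and name are placeholders.

```python
import plistlib
import uuid

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"
ZOOM_BUNDLE_ID = "us.zoom.xos"  # assumed Zoom client bundle ID; verify on a managed host
# Assumed designated requirement for the Zoom client. Confirm with:
#   codesign -dr - /Applications/zoom.us.app
ZOOM_CODE_REQUIREMENT = (
    'identifier "us.zoom.xos" and anchor apple generic and '
    'certificate leaf[subject.OU] = "BJ4HAAB9B3"'
)
ORG_PREFIX = "com.example.mdm"  # placeholder reverse-DNS prefix for payload identifiers


def pppc_deny_entry(bundle_id, code_requirement, comment=""):
    """One Services.Accessibility item that denies the app the Accessibility service."""
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        # Allowed=False denies the service and stops the user from granting it in
        # System Settings; macOS 11+ also accepts "Authorization": "Deny".
        "Allowed": False,
        "Comment": comment,
    }


def build_pppc_profile(entries, display_name="Deny Accessibility to Zoom"):
    """Wrap TCC entries in a system-scoped configuration profile."""
    tcc_payload = {
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{ORG_PREFIX}.tcc.zoom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "Services": {"Accessibility": list(entries)},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",  # PPPC payloads must be system-scoped and MDM-delivered
        "PayloadIdentifier": f"{ORG_PREFIX}.pppc.zoom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadOrganization": "Example Org",  # placeholder
        "PayloadContent": [tcc_payload],
    }


def profile_to_mobileconfig(profile):
    """Serialize to the XML plist format a .mobileconfig file uses."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def accessibility_decisions(mobileconfig_bytes):
    """Read a profile back and return {bundle_id: allowed} for its Accessibility entries.
    A pre-deployment check that the profile really denies what you think it denies."""
    profile = plistlib.loads(mobileconfig_bytes)
    decisions = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD_TYPE:
            continue
        for entry in payload.get("Services", {}).get("Accessibility", []):
            decisions[entry["Identifier"]] = bool(entry.get("Allowed", False))
    return decisions


if __name__ == "__main__":
    entry = pppc_deny_entry(ZOOM_BUNDLE_ID, ZOOM_CODE_REQUIREMENT,
                            "Remote control relies on Accessibility; deny it.")
    data = profile_to_mobileconfig(build_pppc_profile([entry]))
    with open("deny-zoom-accessibility.mobileconfig", "wb") as fh:
        fh.write(data)
    print(accessibility_decisions(data))  # {'us.zoom.xos': False}
```

The resulting .mobileconfig only takes effect when pushed by an MDM the Mac is enrolled in; macOS ignores PPPC payloads installed by hand. Pinning the entry to a code requirement rather than the bare bundle ID means a differently signed binary that reuses the identifier does not inherit the rule.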
A Multilayered Defense Approach to Protecting Your Organization
The ELUSIVE COMET campaign represents the continuing evolution of threats targeting operational security rather than technical vulnerabilities. By implementing a multilayered defense approach that combines technical controls with operational security awareness, organizations can significantly reduce their exposure to this specific attack vector while maintaining business functionality.
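The TCC database monitoring layer from the recommendations above can be made concrete with a periodic audit. The script below is an added example, not code from the original article or from Trail of Bits: it reads the Accessibility rows of the system TCC database, flags grants that are not on an approved list, and emits the `tccutil` commands that revoke them. The approved list, the sample rows and their timestamps are constructed; the column names follow the `access` table of recent macOS releases, where an auth_value of 2 means the grant is allowed.

```python
import sqlite3
from pathlib import Path

# System-wide TCC database; Accessibility grants live here (the per-user copy under
# ~/Library holds other services). The file is SIP-protected: reading it requires
# root and Full Disk Access for the process doing the reading.
SYSTEM_TCC_DB = Path("/Library/Application Support/com.apple.TCC/TCC.db")
ACCESSIBILITY = "kTCCServiceAccessibility"
AUTH_ALLOWED = 2  # auth_value column: 0 denied, 1 unknown, 2 allowed, 3 limited

# Constructed allowlist: clients the organization has deliberately approved.
APPROVED_CLIENTS = frozenset({"com.apple.Terminal"})


def accessibility_rows(conn):
    """All rows of the access table for the Accessibility service."""
    cur = conn.execute(
        "SELECT client, client_type, auth_value, last_modified "
        "FROM access WHERE service = ?",
        (ACCESSIBILITY,),
    )
    return cur.fetchall()


def find_unapproved_grants(conn, approved=APPROVED_CLIENTS):
    """Accessibility grants (auth_value == allowed) not on the allowlist, oldest first."""
    findings = [
        {"client": client, "client_type": client_type, "last_modified": last_modified}
        for client, client_type, auth_value, last_modified in accessibility_rows(conn)
        if auth_value == AUTH_ALLOWED and client not in approved
    ]
    return sorted(findings, key=lambda f: f["last_modified"])


def remediation_commands(findings):
    """tccutil invocations that revoke each unapproved grant.
    client_type 0 is a bundle ID, which tccutil can target; path-based clients
    (client_type 1) need a service-wide `tccutil reset Accessibility` instead."""
    return [f"sudo tccutil reset Accessibility {f['client']}"
            for f in findings if f["client_type"] == 0]


def build_sample_db():
    """Constructed in-memory stand-in for TCC.db with the columns this script reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER, last_modified INTEGER)"
    )
    rows = [
        (ACCESSIBILITY, "com.apple.Terminal", 0, 2, 2, 1700000000),  # approved
        (ACCESSIBILITY, "us.zoom.xos", 0, 2, 2, 1745000000),         # granted mid-meeting
        (ACCESSIBILITY, "com.example.legacy", 0, 0, 3, 1690000000),  # denied: not a finding
        ("kTCCServiceCamera", "us.zoom.xos", 0, 2, 2, 1745000000),   # other service: ignored
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def open_tcc_db(path=SYSTEM_TCC_DB):
    """Open the live database read-only, or return None when it cannot be read."""
    try:
        return sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    except sqlite3.OperationalError:
        return None


if __name__ == "__main__":
    conn = open_tcc_db()
    if conn is None:
        print("live TCC.db not readable (needs root + Full Disk Access); using constructed sample")
        conn = build_sample_db()
    findings = find_unapproved_grants(conn)
    for f in findings:
        print(f"unapproved Accessibility grant: {f['client']} (modified {f['last_modified']})")
    for cmd in remediation_commands(findings):
        print(cmd)
```

Run this from a management agent on a schedule and keep the previous run's findings: a client that appears between two runs is a new grant made during a meeting, which is exactly the event this campaign relies on and the one worth alerting on.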
More importantly, this case study demonstrates the critical importance of combining technical controls with operational security awareness in defending against modern threats. If your organization handles sensitive data or manages cryptocurrency transactions, our security engineers can help you develop a tailored threat model that addresses both traditional vulnerabilities and operational security boundaries.
Contact Us to Learn More
Don't let ELUSIVE COMET's attack methodology catch you off guard. Contact us today to learn more about how to protect your organization against this specific threat vector and other human-centric attacks targeting operational security vulnerabilities.