
Fake Cisco ‘Critical Update’ used in phishing campaign to steal WebEx credentials

Crooks are using a fake Cisco “critical security advisory” in a new phishing campaign aimed at stealing victims’ Webex credentials.

Cofense’s Phishing Defense Center has uncovered an ongoing phishing campaign that uses a Cisco security advisory for a critical vulnerability as a lure. The phishing messages urge victims to install the “update,” but the lure is actually designed to steal credentials for Cisco’s Webex web conferencing platform.

Threat actors use this bait in an attempt to take advantage of the Coronavirus pandemic, which has forced most companies to adopt remote working.

The number of users of video conferencing applications like Zoom and Webex has spiked in recent weeks. Crooks attempt to steal Webex credentials to access web conference calls and steal sensitive files and data shared by participants.

“The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch,” said Ashley Tran with Cofense’s Phishing Defense Center.

“Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

The messages used in this campaign carry varying subject lines such as “Critical Update” or “Alert!” and are sent from the spoofed address “meetings[@]webex[.]com”.

The content of the email states “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points recipients to a “Join” button to learn more about the “update.”

The messages link to the legitimate advisory for the CVE-2016-9223 vulnerability:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The vulnerability is a critical privilege escalation issue in Cisco CloudCenter Orchestrator systems that has been exploited in cyber attacks.

The Cisco CloudCenter is a hybrid cloud management platform composed of a CloudCenter Manager and CloudCenter Orchestrator. The CloudCenter Manager is the interface utilized by users and administrators, while the CloudCenter Orchestrator allows admins to model, deploy and manage new and existing applications.

An unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a vulnerability in the Docker Engine configuration.

The phishing campaign hit numerous end-users from several industries, including healthcare and finance.

The attackers registered a fraudulent domain through Public Domain Registry a few days before sending out the phishing messages.

They also obtained an SSL certificate for this domain to trick victims into believing it is a legitimate domain, but experts pointed out that while the official Cisco certificate is issued by HydrantID, the attacker’s certificate was issued by Sectigo Limited.

Upon clicking on the “Join” button in the email, users are redirected to the phishing landing page, which is a clone of the legitimate Cisco WebEx login page. Experts noticed that the fake login page, unlike the original one, doesn’t check that email addresses are associated with existing accounts.
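A defender-side triage rule for the indicators described above (a sender that claims webex.com, a lure subject, a “Join” link to a domain outside Cisco’s, and a TLS certificate whose issuer differs from the brand’s), written as an added example that is not part of the original article; the sample message, the lookalike host webex-update.example and the issuer lookup are constructed for illustration:

```python
"""Triage one email for the Webex 'critical update' lure.

Assumptions (not from the article): the message is available as RFC 822
text, the brand's known certificate issuer is HydrantID as the article
states, and the sample below is constructed, not a real campaign message.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

LURE_SUBJECTS = {"critical update", "alert!"}          # subjects seen in the campaign
BRAND_DOMAINS = ("webex.com", "cisco.com")             # where a real Cisco link should go
ALLOWED_HOSTS = {"cve.mitre.org"}                       # the legitimate advisory link
EXPECTED_ISSUER = "HydrantID"                           # issuer of the real Cisco cert
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def in_brand(host: str) -> bool:
    """True if host is one of the brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def triage(raw: str, issuer_lookup=None) -> list[str]:
    """Return the campaign indicators found in one message (empty = clean).

    issuer_lookup(host) -> issuer name; injected so the check runs offline.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_host = (msg["From"] or "").rsplit("@", 1)[-1].strip("<> ").lower()
    if (msg["Subject"] or "").strip().lower() in LURE_SUBJECTS:
        findings.append("lure subject")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    foreign = sorted(h for h in hosts if h and not in_brand(h) and h not in ALLOWED_HOSTS)
    if in_brand(sender_host) and foreign:
        findings.append(f"sender claims {sender_host} but links go to {', '.join(foreign)}")
    for h in foreign if issuer_lookup else []:
        issuer = issuer_lookup(h)
        if issuer and issuer != EXPECTED_ISSUER:
            # A valid certificate is not proof of legitimacy; compare issuers.
            findings.append(f"{h} cert issued by {issuer}, not {EXPECTED_ISSUER}")
    return findings


# Constructed sample modelled on the lure; the Join link host is invented.
SAMPLE = """From: Cisco Webex <meetings@webex.com>
To: user@example.org
Subject: Critical Update
Content-Type: text/plain

Advisory: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9223
To fix this error, update the Cisco Meetings Desktop App for Windows.
Join: https://webex-update.example/signin
"""
```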

The fraudulent domain used in this campaign is still up and running.

“With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions,” the experts conclude.


Pierluigi Paganini

(SecurityAffairs – Webex, Coronavirus)

