
Fake Cisco ‘Critical Update’ used in phishing campaign to steal WebEx credentials

Crooks are using a fake Cisco “critical security advisory” in a new phishing campaign aimed at stealing victims’ Webex credentials.

Cofense’s Phishing Defense Center has uncovered an ongoing phishing campaign that uses a Cisco security advisory for a critical vulnerability as a lure. The phishing messages urge victims to install an “update,” but the supposed update is a lure designed to steal credentials for Cisco’s Webex web conferencing platform.

Threat actors use this bait in an attempt to take advantage of the Coronavirus pandemic, which has forced most companies to adopt remote working.

The number of users of video conferencing applications like Zoom and Webex has spiked in recent weeks. Crooks attempt to steal Webex credentials to access web conference calls and steal sensitive files and data shared by participants.

“The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch,” said Ashley Tran with Cofense’s phishing defense center.

“Targeting users of teleconferencing brands is nothing new. But with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”

The messages used in this campaign carry varying subject lines such as “Critical Update” or “Alert!” and are sent from the spoofed address “meetings[@]webex[.]com”.

The content of the email states “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points recipients to a “Join” button to learn more about the “update.”

The messages link to the legitimate advisory for the CVE-2016-9223 vulnerability:

hxxps://cve[.]mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2016-9223

The vulnerability is a critical privilege escalation issue in Cisco CloudCenter Orchestrator systems that has been exploited in cyber attacks.

The Cisco CloudCenter is a hybrid cloud management platform composed of a CloudCenter Manager and CloudCenter Orchestrator. The CloudCenter Manager is the interface utilized by users and administrators, while the CloudCenter Orchestrator allows admins to model, deploy and manage new and existing applications.

An unauthenticated attacker can remotely install malicious Docker containers with high privileges by exploiting a vulnerability in the Docker Engine configuration.

The phishing campaign hit numerous end-users from several industries, including healthcare and finance.

The attackers registered a fraudulent domain through Public Domain Registry a few days before sending out the phishing messages.

They also obtained an SSL certificate for this domain to trick victims into believing it is legitimate, but experts pointed out that while the official Cisco certificate is verified by HydrantID, the attacker’s certificate was issued through Sectigo Limited.

Upon clicking on the “Join” button in the email, users are redirected to the phishing landing page, which is a clone of the legitimate Cisco WebEx login page. Experts noticed that the fake login page, unlike the original one, doesn’t check that email addresses are associated with existing accounts.
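The indicators described above (a subject line from the campaign, a spoofed brand sender whose “Join” link points somewhere other than the brand’s domain, and a link domain registered only days before delivery) can be turned into a simple mail-triage check. The following is an added example written for this page; it is not code from Cofense or Security Affairs. The email samples, the `webex-update.example` domain and the registration dates are constructed, and the `REGISTRATION_DATES` table stands in for a WHOIS lookup that a real tool would perform.

```python
"""Triage check for the WebEx-themed credential-phishing pattern described in the
article. Added example with constructed data; the registration-date table is a
stand-in for a real WHOIS lookup."""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains a genuine Cisco/WebEx notification would link to (assumption).
TRUSTED_DOMAINS = {"webex.com", "cisco.com"}
# Reference sites a security advisory may legitimately cite (assumption).
REFERENCE_DOMAINS = {"mitre.org"}
# Subject lines the article reports for this campaign.
LURE_SUBJECTS = {"critical update", "alert!"}
# Constructed stand-in for WHOIS data: registrable domain -> creation date.
REGISTRATION_DATES = {
    "webex-update.example": date(2020, 4, 10),  # constructed lookalike domain
    "webex.com": date(1995, 1, 1),              # constructed date for the real brand
}
RECEIVED_ON = date(2020, 4, 14)  # constructed delivery date of the sample mail
NEW_DOMAIN_DAYS = 30             # "registered days before sending" threshold

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw_email, received_on=RECEIVED_ON):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        findings.append(f"subject matches campaign lure: {subject!r}")

    # The From header is attacker-controlled; here it only tells us which brand
    # the mail *claims* to come from, so link targets can be compared against it.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    claims_brand = sender_domain in TRUSTED_DOMAINS

    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if isinstance(body, bytes) else str(body or "")

    for url in URL_RE.findall(body):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        if link_domain in TRUSTED_DOMAINS or link_domain in REFERENCE_DOMAINS:
            continue
        if claims_brand:
            findings.append(f"sender claims {sender_domain} but link goes to {link_domain}")
        created = REGISTRATION_DATES.get(link_domain)
        if created is not None:
            age = (received_on - created).days
            if age <= NEW_DOMAIN_DAYS:
                findings.append(f"link domain {link_domain} registered {age} days before delivery")
    return findings


# Constructed sample mirroring the lure described in the article.
SAMPLE_PHISH = """\
From: Cisco Webex <meetings@webex.com>
To: employee@corp.example
Subject: Critical Update
Content-Type: text/plain; charset=utf-8

To fix this error, we recommend that you update the version of Cisco Meetings
Desktop App for Windows. Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9223
Join: https://webex-update.example/signin
"""

# Constructed benign sample: brand sender, link stays on the brand domain.
SAMPLE_LEGIT = """\
From: Cisco Webex <notifications@webex.com>
To: employee@corp.example
Subject: Your meeting starts in 10 minutes
Content-Type: text/plain; charset=utf-8

Join here: https://webex.com/meet/team-sync
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or ["no findings"])
```

The registrable-domain helper is deliberately naive (it would mis-handle suffixes such as `co.uk`); a production check should use a public-suffix list and a real WHOIS or certificate-transparency lookup in place of the constructed table.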

The fraudulent domain used in this campaign is still up and running.

“With many organizations quickly adopting remote working policies, threat actors are poised to continue to spoof brands that facilitate virtual collaboration and communication, such as teleconferencing tools and cloud solutions,” the experts conclude.


Pierluigi Paganini

(SecurityAffairs – Webex, Coronavirus)
