April 18, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Funds on Hold – Phishing Attack Targeting Banking Credentials
April 10, 2020
Rewterz Official Statement on the Reported Data Breach of 115M Pakistani Mobile Users
April 11, 2020Rewterz Threat Alert – Funds on Hold – Phishing Attack Targeting Banking Credentials
April 10, 2020Rewterz Official Statement on the Reported Data Breach of 115M Pakistani Mobile Users
April 11, 2020
Severity
High
Analysis Summary
Malicious emails have been detected that look like a “Cisco Security Advisory”. This recycled Cisco security advisory that warns of a critical vulnerability and urges victims to “update,” actually intends to steal victim’s credentials for Cisco’s Webex web conferencing platform. As more and more firms are enabling employees for remote work due to COVID19, online collaboration and conferencing tools like Webex and Zoom are being leveraged for cyber attacks. Among other possible attacks, compromised Webex credentials could also help cyber criminals intrude into web conference calls where sensitive files and data are shared. To legitimize this phishing attack, criminals are not only using Webex related advisories, they are also using spoofed email addresses like meetings@webex[.]com.
The attack uses a real Cisco Security Advisory from December 2016, along with Cisco Webex branding. The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems; at the time of disclosure in 2016, it was being exploited in the wild.
The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points them to a “Join” button to learn more about the “update.” This button leads to a URL strikingly similar to the legitimate Webex URL. The attacker has even obtained an SSL certificate for their fraudulent domain to gain further trust from end users.
Impact
- Credential Theft
- Unauthorized access to confidential information
Indicators of Compromise
Email Subject
Critical Update
Alert!
URL
hxxps[:]//globalpagee-prod-webex[[.]]com/signin
Remediation
- Block the threat indicators.
- Ensure that employees are aware of such phishing attacks impersonating legitimate applications.
- Strictly avoid responding to such emails, as they can be used in future attacks to distribute malware and ransomware.