Malicious emails have been detected that pose as a “Cisco Security Advisory”. The recycled advisory warns of a critical vulnerability and urges victims to “update,” but its real purpose is to steal victims’ credentials for Cisco’s Webex web conferencing platform. As more and more firms enable employees to work remotely due to COVID-19, online collaboration and conferencing tools like Webex and Zoom are being leveraged for cyber attacks. Among other possible attacks, compromised Webex credentials could help cyber criminals intrude into web conference calls where sensitive files and data are shared. To legitimize this phishing attack, criminals are not only using Webex-related advisories but also spoofed email addresses like meetings@webex[.]com.
The attack uses a real Cisco Security Advisory from December 2016, along with Cisco Webex branding. The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in multiple data-center, private-cloud and public-cloud environments. This critical flaw allowed unauthenticated, remote attackers to install Docker containers with high privileges on affected systems; at the time of disclosure in 2016, it was being exploited in the wild.
The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and points them to a “Join” button to learn more about the “update.” This button leads to a URL strikingly similar to the legitimate Webex URL. The attacker has even obtained an SSL certificate for their fraudulent domain to gain further trust from end users.
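
A mail-triage check for the two lures described above, the spoofed webex.com sender and the near-match link host, as an added example that is not part of the original article. The trusted-domain list, the 0.8 similarity threshold and the sample message (including the placeholder host webex-update.example) are assumptions constructed for illustration; the check deliberately ignores whether the link target has a valid certificate.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the domains this organisation treats as genuine Cisco/Webex.
TRUSTED = {"webex.com", "cisco.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED}

def in_trusted(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def resembles_brand(host):
    # Compare every dot- or hyphen-separated token with each brand name.
    tokens = [t for t in re.split(r"[.\-]", host.lower()) if t]
    return any(SequenceMatcher(None, t, b).ratio() >= 0.8
               for t in tokens for b in BRANDS)

def triage(raw):
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Only trust an Authentication-Results header stamped by your own gateway.
    auth = (msg.get("Authentication-Results") or "").lower()
    if in_trusted(sender) and not re.search(r"\bdmarc=pass\b", auth):
        findings.append("unauthenticated-sender:" + sender)
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        host = urlsplit(url).hostname or ""
        if host and not in_trusted(host) and resembles_brand(host):
            findings.append("lookalike-link:" + host)
    return findings

# Constructed sample message; webex-update.example is a placeholder host.
SAMPLE = """\
From: Cisco Webex <meetings@webex.com>
To: user@corp.example
Subject: Critical Update
Authentication-Results: mx.corp.example; spf=fail; dmarc=fail header.from=webex.com
Content-Type: text/html

<p>Cisco Security Advisory</p>
<a href="https://webex-update.example/join">Join</a>
<a href="https://www.webex.com/downloads.html">Webex downloads</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The last-label comparison is a simplification: a production filter would resolve the registrable domain with a public-suffix list and also normalise internationalised (punycode) hostnames before comparing.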