Cisco “critical security advisory” part of a phishing campaign ?
Amidst the coronavirus pandemic, there is an influx of telecommuters who, have come to heavily depend on online conferencing tools like Webex, Zoom and a few others.
With this rise in online meetings and ongoing phishing campaign is affecting more and more users with a recycled Cisco security advisory that cautions of a critical vulnerability and further urges the victims to “update,” with the sole aim to steal their credentials for Cisco’s Webex web conferencing platform.
Ashley Tran in a recent analysis said with Cofense’s phishing defense center stated, “Targeting users of teleconferencing brands is nothing new, but with most organizations adhering to guidelines that non-essential workers stay home, the rapid influx of remote workers is prime picking for attackers trying to spoof brands like WebEx. We anticipate there will continue to be an increase in remote work phishing in the months to come.”
Researchers are of the view that phishing emails are being sent with various ‘attention-grabbing subject lines’, for example, “Critical Update” or “Alert!” and originate from the spoofed email address, “meetings@webex[.]Com”.
They said to Threatpost, this was a mass “spray and pray” phishing campaign with “numerous end-users” accepting and reporting the email from a few several industries, including the healthcare and financial ones. The body of the email installs content from a real Cisco Security Advisory from December 2016, alongside Cisco Webex branding.
The advisory is for CVE-2016-9223, a legitimate vulnerability in CloudCenter Orchestrator Docker Engine, which is Cisco’s management tool for applications in numerous data-center, private-cloud and open cloud environments.
This critical flaw permitted unauthenticated, remote attackers to install Docker containers with high benefits on the influenced system; at the hour of disclosure in 2016, it was being exploited extensively. Notwithstanding, the vulnerability was fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch discharge (likewise in 2016).
The email tells victims, “To fix this error, we recommend that you update the version of Cisco Meetings Desktop App for Windows” and directs them to a “Join” button to become familiar with the “update.”
The attackers behind this campaign focus explicitly on the details, right down to the URL linked to the “Join” button. On the off chance that cautious email beneficiaries hover over the button to check the URL, they’ll discover the URL [hxxps://globalpagee-goad webex[.]com/signin] to be strikingly like the authentic Cisco WebEx URL [hxxps://globalpage-prod[.]webex[.]com/signin].
Victims who click on the “Join” button are then diverted onto the phishing landing page, which is identical to the real Cisco WebEx login page.
Researchers said that there is one tiny difference is that when email addresses are typed into the authentic Webex page, entries are checked to confirm if there are associated accounts. On the phishing page, in the meantime, any email format entry takes the beneficiary straightforwardly to the following page to request a password.
Researchers, therefore, caution users to remain on the watch for bad actors ‘spoofing’ web conferencing and virtual collaboration applications on the grounds that in general.
The attackers are exploiting the frenzy around the coronavirus with phishing messages and emails around financial relied, guarantees of a cure and symptom data subtleties thus the users are advised to be on the lookout.