Ghosts in the Webex

In this week’s threat report, we’re covering how threat actors are targeting work-from-home employees and the race for the cure.

Targeting the cure

Microsoft detected cyberattacks from North Korean and Russian state-sponsored APTs on seven well-known companies involved in COVID-19 vaccine research and treatments.

Known as Strontium (aka Fancy Bear, APT28), the Russian group has employed password spraying and brute-force login attempts to obtain login credentials, break into victim accounts, and steal sensitive information.

The first North Korean group, known as Zinc (or the Lazarus Group), has primarily relied on spear-phishing email campaigns by sending messages with fabricated job descriptions, pretending to be recruiters, and targeting employees working at the targeted companies.

The second North Korean threat actor, known as Cerium, appears to be a new group. Microsoft says Cerium engaged in spear-phishing attacks with email lures using COVID-19 themes while pretending to be representatives from the World Health Organization.

Cybercriminals target pharmaceutical and health employees with phishing and malware campaigns tailored to take advantage of potential security vulnerabilities in smartphones and tablets.

Pharmaceuticals is an extremely high-profile target right now, as drug companies attempt to develop a vaccine for COVID-19. There have already been several recorded instances of nation-state-backed hacking campaigns attempting to steal intellectual property from medical research institutions.

According to researchers at Lookout, there has been a spike in mobile phishing attacks targeting pharmaceutical employees as cybercriminals attempt to access sensitive data.

According to the report, one of the reasons for the rise in attacks targeting mobile devices is the shift to remote working due to the COVID-19 pandemic, as employees suddenly became more reliant on mobile devices to be productive while working from home.

One potential target is the meeting software on your phone.

Ghosts in the Webex

Zoom isn’t the only one with security issues. Three vulnerabilities in Cisco’s Webex video conferencing app allow attackers to sneak in and join Webex meetings as ghost users, invisible to other participants.

The vulnerabilities were discovered earlier this year by security researchers from IBM, who conducted a review of remote working tools the tech software giant was using internally during the COVID-19 pandemic.

Attackers who gained access to a meeting URL can connect to a Webex server, send malformed packets, and manipulate the server into gaining access to meetings and participants’ details.

IBM researchers demonstrated the ghost attendee issue on macOS, Windows, and the iOS version of Webex Meetings applications and Webex Room Kit appliance. According to the report, the following is possible:

• Join a Webex meeting as a ghost user, invisible to others on the participant list, but with full access to audio, video, chats, and screen sharing. (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r)
• Remain in a Webex meeting as a ghost audio user even after being expelled from it. (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG)
• Obtain information on meeting participants, such as full names, email addresses, and IP addresses. This information could also be obtained from the meeting room lobby, even before the attacker was admitted to a call. (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4)

Cicada targeted MSPs with ZeroLogon

Researchers warn about a campaign by Cicada (aka also tracked as APT10, Stone Panda, and Cloud Hopper) using the recently disclosed ZeroLogon vulnerability.

Symantec researchers revealed that the group targeted managed service providers (MSPs), pharmaceutical companies, automotive companies, and engineering firms.

Cicada’s latest campaign was active for one year, starting in October 2019 and ending October 2020.

New in their arsenal is a ZeroLogon exploit (CVE-2020-1472) to escalate privileges. If you’re not familiar with ZeroLogon, we previously covered in an earlier threat report.

Cicada is focused on the theft of information and cyberespionage. Data of interest includes corporate records, HR documents, meeting memos, and expense information. For sure, they would be interested in the Cisco Webex vulnerability to access sensitive info discussed in meetings.

“The amount of time the attackers spent on the networks of victims varied, with the attackers spending a significant amount of time on the networks of some victims, while spending just days on other victim networks,” Symantec says. “In some cases, too, the attackers spent some time on a network but then the activity would cease, but start again some months later.”

Symantec’s confidence in attribution to Cicada is a “medium” due to clues in how code is obfuscated, the use of DLL side-loading, as well as DLL names including “FuckYouAnti,” which has been previously documented in a Cylance report.

“Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec says. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”

• Paul

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Ransomware hits video game developers