2017 Cisco WebEx flaw increasingly leveraged by attackers, phishing campaigns rise

Network attacks targeting a vulnerability in the Cisco Webex Chrome extension have increased dramatically. In fact, they were the second-most common network attack, according to WatchGuard Technologies' latest Internet Security Report, covering the last quarter of 2018.

Cisco Webex Chrome attacks increase

The vulnerability was first disclosed and patched in 2017 and attacks were almost non-existent in early 2018, but WatchGuard detections grew by over 7,000 percent from Q3 to Q4.

Phishing campaigns

The report also shows that phishing campaigns saw a dangerous increase in sophistication, with new attacks using advanced methods including threatening to release recordings of users visiting adult content online, customising emails for specific targets and creating fake banking login web pages.

Based on data from tens of thousands of active WatchGuard Firebox appliances around the world, a new sextortion phishing attack was the second-most common attack detected in Q4 2018. It accounted for almost half of the unique malware hashes detected, because the email phishing message is tailored to each recipient.

The message claims the sender has infected the victim’s computer with a trojan and recorded them visiting adult websites, threatening to send these compromising images to their email contacts unless they pay a ransom.
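The report's observation that the sextortion campaign accounted for almost half of the unique malware hashes, because each message is tailored to its recipient, is exactly why per-file hashing alone fails to group such mail. The following is an added illustration, not code from WatchGuard or the report: it hashes two constructed sample messages (placeholder addresses and passwords, documentation-style values only) and shows that their raw SHA-256 digests differ while a hash taken over a normalised copy, with the recipient-specific fields replaced by tokens, is identical, so a defender can cluster the whole campaign under one signature.

```python
import hashlib
import re

# Constructed sample messages for this example (not taken from the report):
# the same sextortion template sent to two recipients, with per-recipient
# details (address, leaked password, ransom amount, wallet) filled in.
SAMPLE_EMAILS = [
    "Hello alice@example.com, your password is hunter2. I installed a trojan on your "
    "computer and recorded you on adult sites. Send 0.3 BTC to "
    "1ConstructedSampleAddrAAAAAAAA within 48 hours or the video goes to all your contacts.",
    "Hello bob@example.org, your password is letmein99. I installed a trojan on your "
    "computer and recorded you on adult sites. Send 0.5 BTC to "
    "1ConstructedSampleAddrBBBBBBBB within 48 hours or the video goes to all your contacts.",
]

# Patterns for the fields a campaign operator varies per recipient.
# normalize() lowercases first, so the patterns are written in lowercase.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PASSWORD_RE = re.compile(r"password is \S+")
AMOUNT_RE = re.compile(r"\b\d+(?:\.\d+)?\s*btc\b")
BTC_ADDR_RE = re.compile(r"\b[13][a-z0-9]{25,34}\b")  # rough base58-style shape
NUMBER_RE = re.compile(r"\b\d+\b")


def raw_hash(text):
    """Conventional per-message hash: differs for every tailored copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize(text):
    """Replace recipient-specific fields with fixed tokens, leaving the template."""
    t = text.lower()
    t = EMAIL_RE.sub("<email>", t)
    t = PASSWORD_RE.sub("password is <password>", t)
    t = AMOUNT_RE.sub("<amount>", t)
    t = BTC_ADDR_RE.sub("<btc>", t)
    t = NUMBER_RE.sub("<n>", t)
    return re.sub(r"\s+", " ", t).strip()


def template_hash(text):
    """Hash of the normalised message: stable across one campaign's copies."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def cluster(messages):
    """Group messages by template hash; returns {template_hash: count}."""
    counts = {}
    for m in messages:
        h = template_hash(m)
        counts[h] = counts.get(h, 0) + 1
    return counts


if __name__ == "__main__":
    for m in SAMPLE_EMAILS:
        print(raw_hash(m)[:16], template_hash(m)[:16])
    print(cluster(SAMPLE_EMAILS))
```

The normalisation is deliberately coarse; in practice a defender would tune the token patterns to the campaign being tracked, and would still keep the raw hash as an exact-match indicator alongside the template hash.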

“There was a noticeable increase in advanced phishing attacks targeting high-value information,” said Corey Nachreiner, CTO at WatchGuard Technologies.

“Now more than ever, it’s vital for businesses to take the layered approach to security and deploy solutions that offer DNS-level filtering designed to detect and block potentially dangerous connections and automatically refer employees to resources that bolster phishing awareness and prevention. A combination of security controls and human training will help businesses avoid becoming hooked by phishing attacks.”

Other top findings from the report

  • 16.5 percent of all Fireboxes were targeted by CoinHive cryptominer – The most widespread malware variant in Q4 came from the popular CoinHive cryptominer family, showing that cryptomining remains a popular attack type. Two of the top ten most common pieces of malware detected were also cryptominers.
  • A major phishing attack leverages a fake bank page – Another widespread piece of malware in Q4 sent a phishing email with a fake, but highly realistic Wells Fargo login page to capture victim emails and passwords. Overall, WatchGuard saw a rise in sophisticated phishing attacks targeting banking credentials.
  • One ISP’s filtering error routed Google traffic through Russia and China for 74 minutes – The report includes a technical analysis of a Border Gateway Protocol (BGP) hijack in November 2018 that inadvertently sent most of Google’s traffic through Russia and China for a short time. WatchGuard found that a Nigerian ISP called MainOne made a mistake in their routing filters, which then spread to Russian and Chinese ISPs and caused much of Google’s traffic to be routed through these ISPs unnecessarily. This accidental hijack highlights the underlying insecure standards that the internet is based on. A sophisticated attack targeting these flaws could have potentially catastrophic consequences.
  • Network attacks rise after historic lows in mid-2018 – Network attacks rose 46 percent by volume and 167 percent in terms of unique signature hits in Q4 compared to Q3 2018. This follows a trend seen in previous years with attacks ramping up during the holiday season.
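The BGP incident above came down to a customer-facing route filter that let prefixes through which the customer was never authorised to originate, and upstream peers then accepted them. As an added example (not from WatchGuard's analysis, and using documentation address ranges rather than any real ISP's or Google's prefixes), the code below shows the basic check such a filter performs: a received announcement is accepted only if it falls inside a prefix the customer is allowed to announce and is no more specific than an agreed maximum length; anything else is rejected instead of being propagated. The allow-list and the received announcements are constructed for the example.

```python
import ipaddress

# Constructed allow-list: the prefixes a transit provider has authorised one
# customer to announce (documentation ranges, not a real allocation).
CUSTOMER_ALLOWED = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Longest prefix the provider will accept from a customer, per IP version.
MAX_PREFIX_LEN = {4: 24, 6: 48}

# Constructed announcements as they might arrive from that customer's session.
RECEIVED = [
    "203.0.113.0/24",   # authorised prefix: accept
    "203.0.113.0/25",   # more specific than allowed: reject
    "198.51.100.0/24",  # not the customer's space at all: reject
    "2001:db8:1::/48",  # authorised IPv6 prefix: accept
    "2001:db8:2::/48",  # neighbouring space the customer does not hold: reject
]


def route_is_permitted(prefix, allowed, max_len=MAX_PREFIX_LEN):
    """True only if prefix lies within an authorised block and is not too specific."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > max_len[net.version]:
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def apply_prefix_filter(announcements, allowed):
    """Split announcements into (accepted, rejected) according to the allow-list."""
    accepted, rejected = [], []
    for prefix in announcements:
        (accepted if route_is_permitted(prefix, allowed) else rejected).append(prefix)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = apply_prefix_filter(RECEIVED, CUSTOMER_ALLOWED)
    print("accepted:", ok)
    print("rejected:", dropped)
```

A filter that simply permits any prefix from the customer session is the failure mode the report describes: every route the customer leaks is re-advertised to peers, who may in turn accept it if they also filter loosely. The allow-list approach shown here is the minimum; origin validation against RPKI data is the usual next layer.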
