Welcome to the latest edition of the Cyber Safe Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, and malware including Ransomware, to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

EvilProxy uses recruitment website open redirect for Microsoft 365 phishing

A recent phishing campaign, EvilProxy, has been targeting senior executives across various industries, with a strong focus on banking, financial services, property management, real estate, and manufacturing sectors. This campaign, active since July, has identified a vulnerability on the popular job listing website indeed.com.

The attackers behind EvilProxy have been using an open redirection vulnerability on indeed.com to carry out their phishing attacks. They cleverly redirect potential victims to a deceptive website that looks like the legitimate Microsoft Online login page. This attack is particularly insidious because the link appears to originate from indeed.com, making it more likely to evade email security filters and entice recipients to click on it.

What happens in the scam?

When unsuspecting users try to log in on this fake Microsoft page, the attackers employ a tool called the EvilProxy AITM (adversary-in-the-middle) kit. This kit allows the attackers to intercept communications between the genuine website and the user, enabling them to steal login credentials and session cookies. The attackers can then use these stolen credentials and cookies to bypass multi-factor authentication, allowing them to impersonate the victim on the actual Microsoft website.

Efforts have been made to inform indeed.com about the website’s vulnerability and attackers’ active exploitation of their platform. This action aims to help prevent further victims from falling prey to this phishing campaign.

Source: https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/


Employers need to be on alert as LinkedIn Smart Links leveraged in credential phishing campaign

In a recent phishing campaign, attackers actively seek to compromise Microsoft Office logins. This campaign uses newly created or compromised LinkedIn business accounts to facilitate its deceptive tactics.

Although cyber security experts previously described the attack method, the campaign has seen a resurgence. This campaign has been observed to employ LinkedIn smart links, which were initially introduced by business accounts to track engagement metrics. These Smart Links embedded in emails can bypass various security measures because they leverage the trusted LinkedIn domain.

Here’s how the attack typically unfolds

Victims receive an initial email with a seemingly innocuous subject, which might pertain to documents, security, financial matters, or human resources. This email often appears as a general notification. When recipients click on the embedded link within this email, they are redirected to a phishing page that prompts them to log in using their Microsoft Office credentials.

Notably, this campaign targets various industries, focusing on the Finance and Manufacturing sectors. While these sectors see a higher volume of attacks, it’s important to highlight that the campaign appears to be more of a blanket attack than a direct assault on any specific business or sector. The primary goal of this campaign is to gather as many login credentials as possible by exploiting LinkedIn business accounts and utilising Smart Links to execute the phishing attack.

Source: https://cybernews.com/security/linkedin-smart-links-phishing-campaign/


Threat Actors Exploiting recently discovered Zero-Day Vulnerability

Threat actors exploit a recently discovered zero-day vulnerability (CVE-2023-20198) in Cisco’s IOS XE Web UI feature. This vulnerability affects devices exposed to HTTP/HTTPS server functionality when connected to the internet or untrusted networks. Zero-day vulnerabilities appeal to malicious actors because they are unknown to software developers, making them highly effective for launching attacks and bypassing security measures.

The Cisco IOS XE Web UI is a graphical user interface-based system administration application that simplifies system management without requiring additional installation or licensing. However, exposing the Web UI to the internet or unreliable networks is strongly discouraged due to potential security risks.

Cisco detected suspicious activity on a customer device starting September 18 and confirmed related behaviour by September 28. This activity involved the creation of a ‘cisco_tac_admin’ account from an unusual IP address (5.149.249[.]74) and ceased on October 1, with no further related behaviour observed.

On October 12, Cisco Talos Incident Response (Talos IR) and TAC identified a cluster of related activities. An unauthorised user created a ‘cisco_support’ account from IP address 154.53.56[.]231. This activity included deploying an implant (‘cisco_service.conf’) to establish a new web server endpoint for command execution at the system or IOS level. While the implant is not persistent, it does create administrator-level user accounts.

The severity of CVE-2023-20198 is critical, with a CVSS score of 10 granting full admin access to the router, potentially allowing an attacker to carry out unauthorised activities. The actor exploited CVE-2021-1435 to install the implant, even on fully patched devices. The implant, coded in Lua with just 29 lines, enables arbitrary command execution.

Organisations potentially affected are advised to check for unusual users and run a specified command to detect the implant. It’s essential to remain vigilant and apply cyber security measures to protect against this threat.

Source: https://cybersecuritynews.com/cisco-ios-xe-zero-day-vulnerability/


Contact Neuways to help your business become

Cyber Safe

If you need any assistance with cyber security assistance, then please contact Neuways and we will help you where we can. Just get in touch with our team today.