Cisco's WebEx Chrome Plugin Will Execute Malicious Code

This week we hear about a new spear-phishing method for copy-pasting military hardware and how Cisco's WebEx Chrome plugin will execute malicious code.

Malware

Cisco's WebEx Chrome Plugin Will Execute Malicious Code

A vulnerability in the Cisco WebEx browser extensions could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the affected browser on an affected system. This vulnerability affects the browser extensions for Cisco WebEx Meetings Server and Cisco WebEx Centers when they are running on Microsoft Windows.

The vulnerability is a design defect in an application programming interface (API) response parser within the extension. An attacker who can convince an affected user to visit an attacker-controlled web page or follow an attacker-supplied link with an affected browser could exploit the vulnerability. If successful, the attacker could execute arbitrary code with the privileges of the affected browser.

References: A Vulnerability in Cisco WebEx | Google Chrome Extension | Critical WebEx Extension Vulnerability Allows Code Execution


Mitigation Strategies:

  • Web filtration to prevent users from reaching malicious websites
  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management, and advanced anomaly detection
  • Log management could detect any suspicious user account activity
  • Mail filtration would scan incoming files and hyperlinks for any malicious links or code

Breach

New Spear-Phishing Method for Copy-Pasting Military Hardware

Chinese state-sponsored hackers are targeting military and aerospace interests in Russia and Belarus. Since the summer of 2016, a group has begun using a new downloader known as ZeroT, delivered via spear-phishing emails, to install the PlugX remote access Trojan (RAT), according to security researchers. The group is also using Microsoft Compiled HTML Help (.chm) files to deliver PlugX in spear-phishing emails.

References: Chinese Hackers Switch Tactics for Spying on Russian Jet Makers | Chinese State-Sponsored Cyber Espionage Group Targets Russia with Trojans | China Ramps Up Cyber Spying Against Moscow

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution would detect any type of file modification or addition
  • Intrusion detection system (IDS) signatures would detect intrusion and network anomalies
  • Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management, and advanced anomaly detection
  • E-mail filtration would scan incoming files and hyperlinks for any malicious links or code
  • NetFlow traffic may also reveal large data transfers and potential data leakage

This Week's Suspicious IP Addresses

  • 182.100.67.4
  • 188.118.2.26
  • 46.109.168.179
  • 118.170.130.207
  • 81.183.56.217
  • 183.60.48.25

*IP addresses provided by Recorded Future.