Offensive Security: how we uncovered two Cisco WebEx vulnerabilities

by Tom Wyckhuys

15 January 2021

Man and woman looking at numbers on a computer screen

Offensive security should be part of your defence capabilities

Introduction

When we shifted to distributed working, threat actors were quick to recognize the growing opportunity and potential payoff of exploiting vulnerabilities in collaboration and homeworking software and tools we were becoming increasingly dependent on. As the trend for remote working continues, cybercriminals are persistent in their attempts to disrupt business as usual, steal or damage company information by targeting vulnerable remote users and susceptibilities that exist within homeworking and teleconferencing tools.

Woman working on laptop on a coffee table

As remote working increases, Cybercriminals are targeting vulnerabilities within homeworking and teleconference tools.

Two critical activities are becoming increasingly important to cybersecurity teams who are resource-challenged and struggling to keep on top of new threats and vulnerabilities and should be added to your offensive security repertoire if not already, especially in the era of remote working.

Red Teaming

A Red Team plays the role of a cybercriminal to test what vulnerabilities and risks exist within a given organization’s people, processes, and technology. By enacting attack scenarios, security teams can identify how, with what, and where an organization can be compromised. This is especially critical as businesses adopt new technologies and services that support distributed remote working. It is a new state of operating for IT and Security Teams, certainly not business as usual, and as such, needs stress testing.

The Offensive Security Team at NTT Ltd. in Belgium leverages Red Teaming to help our clients and partners in this exact way. We recently discovered multiple issues within Cisco Webex, which we discuss in detail via our detailed Technical Briefing Document. All issues were zero-day vulnerabilities and officially reported to Cisco.

In the first scenario, called ‘Host Key Session Takeover’ it was uncovered that bad actors invited to a Webex meeting can execute JavaScript code of the participant’s machine. Participants join using the joining details provided. Bad actors can execute a brute-force attack to find the host key within nine minutes and take control of the entire meeting, including any ‘host’ rights from the actual host. Cisco has published an official alert and fix for this vulnerability here.

Colleagues in discussion with a server array in the background

A Red Team plays the role of a cybercriminal, to identify how an organization can be compromised.

In the second scenario, called ‘Open Redirect’, we found an open redirect issue inside the fat client application of Cisco Webex that allows us to bypass a URL validation security control and execute JavaScript in the embedded browser of the fat client providing the attacker with unauthorized access to the affected corporate account. Cisco has published an official alert and fix for this vulnerability here.

If you need any help in understanding or mitigating these vulnerabilities, you can get in touch with our Red Team who will be happy to help.

Threat Intelligence Sharing

At NTT Ltd. we firmly believe that intelligence is power and an increasingly critical part of offensive security strategies. It is impossible for a Security Team to Red Team test every possible scenario, especially considering the workload strain security professionals are already under.

When NTT’s Offensive Security and Digital Forensics and Incident Response Teams identify a threat or vulnerability, like those above, we share the intelligence with our partners and our own Global Threat Intelligence Center, who then publish it for our clients and the broader threat intelligence community. Threat actors are already incredibly good at this and it's part of why they’re so agile and successful.

NTT’s Global Threat Intelligence Center offers two free services that help security teams stay on top of it all:

  • Emerging Threat Advisories provide security professionals with visibility of emerging threats and vulnerabilities identified before or as they are being actively exploited in the wild. This free subscription service is a sample of what our Managed Security Services clients receive directly from Analysts in our Security Operations Centers.
  • In our Monthly Threat Report our Security Analysts share their reflections, insights, and examinations on the key cybersecurity happenings from around the world. They cover a wide range of topics including the latest threats, vulnerabilities, security technologies, patterns, and new methods used by threat actors, as well as industry-related security issues from the past month.

If you need any assistance dealing with the vulnerabilities identified in this article or you would like to start a conversation with NTT Ltd. about our Red Team Services, or Threat Intelligence Capabilities, please don’t hesitate to reach out to us.

Tom Wyckhuys

Tom Wyckhuys

Security Consultant

Nabeel Ahmed

Security Governance Team Leader