During internal security testing of the Cisco Meetings Desktop App (Webex), a vulnerability was discovered that is due to improper validation of input supplied to the application's URLs. If exploited, it can allow an attacker to cause the Webex application to execute other programs that are already present on the end-user system. This vulnerability affects Cisco Webex Meetings Desktop App releases earlier than Release 39.5.12. Cisco has released software updates that address this vulnerability.
The EvilQuest ransomware encrypts the user's files as soon as it is executed. Once the file encryption finishes, a popup is shown to the user, letting the victim know they have been infected and their files encrypted. The victim is then directed to open a ransom note in the form of a text file that has been placed on their desktop. After the encryption process ends, the ransomware installs a keylogger to record all of the user's keystrokes and opens a reverse shell on the target computer so that the attacker can continue to access it and steal sensitive information the user enters with the keyboard. Those capabilities could give attackers "full control over an infected host." EvilQuest appears to be distributed solely through torrenting websites and pirated versions of macOS software. Researchers have found it bundled in a package called Google Software Update, while others have seen it hidden in pirated versions of the DJ app Mixed In Key, Ableton Live, and the security tool Little Snitch. The malware is also able to check whether the system is running in a virtual machine and whether security and antivirus solutions are running on the system, and it implements several persistence tricks.
The reported vulnerabilities are said to affect the Cisco Small Business RV110W, RV130, RV130W and RV215W routers, and Cisco Prime License Manager. These vulnerabilities are a result of the following:
The active ransomware campaign consists of well-crafted and sophisticated ransomware attacks that are said to result from weak authentication, the absence of multi-factor authentication, and unpatched software. Once access to a network is gained through a remote access system, tools such as Mimikatz, PsExec, and Cobalt Strike are used to escalate privileges, move laterally through the network, and establish persistence on the network.
These vulnerabilities are due to improper validation of user-supplied input to scripts of the web-based management interface. An attacker who already holds administrative privileges sufficient to log in to the web-based management interface could exploit each vulnerability by sending malicious requests to an affected device.
It is confirmed that the vulnerabilities affect the following Cisco Small Business routers and firmware:
ReVoLTE is an attack that exploits an LTE (Long Term Evolution) implementation flaw, the frequent reuse of the same encryption key, to eavesdrop on a call between two people and recover the contents of an encrypted VoLTE call. The attacker uses a downlink sniffer to observe and designate the target's calls for later decryption. The threat actor does this by connecting to the same base station the victim is using and placing a downlink sniffer that observes and records the "targeted call" made by the victim, since that call is the one to be decrypted. Once the targeted call has been captured, the attacker calls the victim within 10 seconds of its designation. This forces the unprotected network to start a new call between the victim and the attacker on the same base station, and with the same key, that was used for the previous targeted call. The threat actor keeps the victim talking while the whole conversation is recorded; because the attacker knows the plaintext of this second call, it can later be used to decrypt the earlier targeted call.