Attackers Host Phishing Pages on Azure

Researchers have recently seen phishing attacks against Office 365 users wherein fake log-in pages were hosted on Microsoft Azure to give them more credibility.

According to researchers from security firm EdgeWave, the rogue emails claim to be from Microsoft’s Outlook or Facebook’s Workplace services and inform recipients that they have unread notifications or that their account information is outdated.

Once they click on the included link, users are taken to an Outlook or Microsoft account phishing page hosted on a windows.net subdomain. The windows.net domain is part of the Microsoft Azure Blob Storage service and is used to serve resources uploaded by customers.

All windows.net subdomains are HTTPS-enabled and use a wildcard SSL certificate issued by Microsoft. This makes the phishing pages look even more credible for users, since they are served over a secure connection from a domain that is owned by Microsoft and not blacklisted by network firewalls or security solutions.

“We always advise that users should closely examine phishing landing page URLs for suspicious names or domains, but utilizing Azure Blob Storage and thus a windows.net domain makes this advice not as worthwhile,” the EdgeWave researchers said in their report. “For Microsoft accounts and Outlook.com logins, it is important to remember that the login forms will be coming from microsoft.com, live.com, and outlook.com domains.”
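The EdgeWave advice above reduces to a host check: a Microsoft-branded login form is only expected under the domains the researchers name, while anything under windows.net is customer-uploaded Azure Blob Storage content. The following is an added example (not code from the article or from EdgeWave) that extracts links from a message body and classifies each one that way. The trusted-domain list is taken only from the quote and would need extending for a real mail filter; the sample message body and hostnames are constructed for this example.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Domains the EdgeWave quote names as the origin of genuine Microsoft/Outlook login forms.
# Assumption: this is only what the article lists; a production filter would extend it.
TRUSTED_LOGIN_DOMAINS = ("microsoft.com", "live.com", "outlook.com")

# Azure Blob Storage serves customer-uploaded content under windows.net subdomains, so a
# Microsoft-branded login page there is customer content, not a Microsoft login form.
CUSTOMER_CONTENT_DOMAINS = ("windows.net",)

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it.

    Suffix matching on a dot boundary means a lookalike such as
    outlook.com.example.test does NOT count as being under outlook.com.
    """
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str) -> str:
    """Classify a link that claims to lead to a Microsoft/Outlook login.

    Returns one of:
      'trusted_login_domain'  - host is under a domain Microsoft login forms use
      'customer_content_host' - host is under windows.net (Azure Blob Storage content)
      'untrusted'             - anything else, including lookalikes and unparsable input
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")  # normalise case and trailing dot
    if not host:
        return "untrusted"
    if any(_under(host, d) for d in CUSTOMER_CONTENT_DOMAINS):
        return "customer_content_host"
    if any(_under(host, d) for d in TRUSTED_LOGIN_DOMAINS):
        return "trusted_login_domain"
    return "untrusted"


def triage_message(body: str) -> list[tuple[str, str]]:
    """Extract every http(s) link from a message body and classify it."""
    return [(link, classify_login_url(link)) for link in LINK_RE.findall(body)]


# Constructed sample message modelled on the article's description; not a real lure.
SAMPLE_BODY = """You have 3 unread notifications in Outlook.
Review them here: https://notifications123.blob.core.windows.net/mail/login.html
Having trouble? Sign in at https://login.live.com/
"""

if __name__ == "__main__":
    for link, verdict in triage_message(SAMPLE_BODY):
        print(f"{verdict:22} {link}")
```

The check deliberately keys on the registered domain rather than on the certificate or the scheme: as the article notes, the Azure-hosted pages are served over HTTPS with a valid Microsoft-issued wildcard certificate, so "padlock present" tells a filter nothing here.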

The use of a fake Microsoft login page to phish Facebook Workplace users is a bit strange, especially since Facebook’s service is not that widely used in the first place. But that could be an attempt by attackers to expand their pool of victims without too much effort.

Office 365 users have been the target of phishing attacks for years, which is why it can be very useful for companies to train employees on how to spot phishing pages and to raise awareness about such threats.

Cisco Fixes Critical Remote Code Execution in Small-Business Routers

Cisco has released firmware patches for several models of small-business routers to fix a critical vulnerability in their web-based management interfaces that could allow attackers to compromise the devices.

The vulnerability is tracked as CVE-2019-1663 and affects the Cisco RV110W Wireless-N VPN Firewall, the Cisco RV130W Wireless-N Multifunction VPN Router and the Cisco RV215W Wireless-N VPN Router.

“An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device,” Cisco said in its advisory. “A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.”

By default, the web-based management interface of these devices is only accessible through the LAN interface. However, users can expose it to the internet if they turn on the remote management feature. Customers are advised to check if the remote management feature is enabled on their devices and to upgrade them to firmware version 1.2.2.1 for RV110W, 1.0.3.45 for RV130W and 1.3.1.1 for RV215W.
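The advisory's two action items (is remote management on, and is the firmware at or above the fixed release for that model) are easy to get wrong by hand when versions have four dotted components. Below is an added example, not Cisco's code or tooling, that triages a device inventory against the fixed versions the article states for CVE-2019-1663. The inventory itself, including hostnames, running versions and the remote-management flags, is constructed for the example; only the three model names and fixed versions come from the article.

```python
from __future__ import annotations

# Fixed firmware versions per affected model, as stated for CVE-2019-1663.
FIXED_FIRMWARE = {
    "RV110W": "1.2.2.1",
    "RV130W": "1.0.3.45",
    "RV215W": "1.3.1.1",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware version such as '1.0.3.45' into a comparable tuple.

    Raises ValueError on non-numeric components rather than guessing.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(model: str, version: str) -> bool:
    """True when the running firmware is at or above the fixed release for the model.

    Raises KeyError for models the advisory does not cover, so an unknown model is
    never silently reported as patched.
    """
    fixed = parse_version(FIXED_FIRMWARE[model])
    running = parse_version(version)
    # Pad the shorter tuple with zeros so '1.3.1' compares like '1.3.1.0' (below 1.3.1.1).
    width = max(len(fixed), len(running))
    fixed += (0,) * (width - len(fixed))
    running += (0,) * (width - len(running))
    return running >= fixed


def triage_inventory(devices: list[dict]) -> list[dict]:
    """Return the devices that still need action, highest priority first.

    Unpatched devices with remote management enabled (management UI reachable from
    the internet) rank 'high'; unpatched LAN-only devices rank 'medium'. Patched and
    unaffected devices are omitted.
    """
    findings = []
    for dev in devices:
        if dev["model"] not in FIXED_FIRMWARE:
            continue  # not an affected model
        if is_patched(dev["model"], dev["firmware"]):
            continue
        findings.append({
            **dev,
            "target_firmware": FIXED_FIRMWARE[dev["model"]],
            "priority": "high" if dev["remote_management"] else "medium",
        })
    findings.sort(key=lambda d: d["priority"] != "high")  # stable: 'high' entries first
    return findings


# Constructed sample inventory; hostnames, versions and flags are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "branch-a-rtr", "model": "RV130W", "firmware": "1.0.3.44", "remote_management": True},
    {"host": "branch-b-rtr", "model": "RV110W", "firmware": "1.2.2.1", "remote_management": True},
    {"host": "branch-c-rtr", "model": "RV215W", "firmware": "1.3.0.8", "remote_management": False},
    {"host": "hq-other", "model": "EXAMPLE-MODEL", "firmware": "9.9.9", "remote_management": False},
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{f['priority']}] {f['host']} {f['model']} {f['firmware']} "
              f"-> upgrade to {f['target_firmware']}")
```

Feed it whatever your inventory system exports for these models; the point of the zero-padding and the explicit KeyError is that a three-component or misspelled version string produces either a correct comparison or a loud failure, never a quiet "patched".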

The company also patched a high-risk privilege escalation flaw in the Webex Meetings Desktop App and the Cisco Webex Productivity Tools for Windows. The flaw could allow a local attacker to invoke the update service with a certain parameter and achieve code execution as the SYSTEM user.

The flaw was fixed in the Cisco Webex Meetings Desktop App 33.6.6 and 33.9.1 releases and in the Cisco Webex Productivity Tools release 33.0.7. The Cisco advisory contains instructions on how administrators can deploy updates to the entire user base.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42