sso - TrustStrike Labs

threat

2026-05-01

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

cordial-spider snarky-spider crowdstrike mandiant unc6661 unc6671 shinyhunters vishing sso aitm saas-extortion the-com blackfile-overlap

Check: Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected: Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix: Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.

vulnerability

CVE-2026-20184 CVE-2026-20180 CVE-2026-20186 CVE-2026-20147

2026-04-15

Cisco Webex SSO flaw lets unauthenticated attackers impersonate any user (CVE-2026-20184) - four critical bugs patched this week

Cisco has patched four critical vulnerabilities this week across Webex and Identity Services Engine (ISE). The standout flaw is CVE-2026-20184 in Cisco Webex Services with SSO integration via Control Hub - it allows an unauthenticated remote attacker to impersonate any user in the service due to incorrect certificate validation in the SSO flow. This is particularly dangerous for organizations using Webex with SAML and centralized identity management. Alongside it: CVE-2026-20180 and CVE-2026-20186 (both CVSS 9.9) affect Cisco ISE and ISE Passive Identity Connector, allowing authenticated attackers with even read-only admin credentials to execute arbitrary commands on the underlying OS and escalate to root. CVE-2026-20147 is a path traversal flaw in the same products. ISE versions before 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches are all affected. No workarounds - only software updates fix these. In single-node ISE deployments, exploitation can also knock the node offline, blocking network access for unauthenticated endpoints.

cisco webex ise sso rce identity critical-vulnerability

Check: If you use Cisco Webex with SSO via Control Hub, treat CVE-2026-20184 as urgent - it's unauthenticated. If you run Cisco ISE for network access control, plan to patch this week.
Affected: Cisco Webex Services configured with SSO integration via Control Hub (CVE-2026-20184, unauthenticated impersonation). Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions prior to 3.2, plus 3.2, 3.3, 3.4, and 3.5 branches (CVE-2026-20180, CVE-2026-20186, CVE-2026-20147).
Fix: Apply Cisco's software updates from the April 15 advisories. For ISE, upgrade to the fixed release matching your branch - there are no workarounds. For Webex with SSO, the fix is included in Cisco's latest Control Hub release. If patching is delayed, restrict admin access to ISE management interfaces to trusted IPs only via network-level ACLs - this doesn't fix CVE-2026-20184 but reduces the risk from ISE credential theft to RCE chains. Review Cisco admin account hygiene: read-only credentials are enough to chain to root on unpatched ISE.