Profit-driven cybercriminals breached Cisco systems in May and stole gigabytes of information, but the networking giant says the incident did not impact its business. Cisco on Wednesday released a security incident notice and a technical blog post detailing the breach. The intrusion was detected on May 24, 2022, but the company shared its side of the story now, shortly after the cybercriminals published a list of files allegedly stolen from its systems.
According to Cisco, the attacker targeted one of its employees and only managed to steal files stored in a Box folder associated with that employee’s account, as well as employee authentication data from Active Directory. The company claims the information stored in the Box folder was not sensitive.
For initial access, the attacker targeted the personal Google account of an employee. The hackers obtained the employee’s Cisco credentials via Chrome, which had been configured to sync passwords.
In order to bypass multi-factor authentication (MFA), the attacker used a technique known as MFA fatigue, where they send a high volume of push requests to the target’s mobile device in hopes that they will accept the request either by accident or in an attempt to silence the notifications. The targeted employee also received multiple phone calls over a period of several days, where the caller — claiming to be associated with a support organization — attempted to trick them into handing over information.
The attacker managed to enroll new devices for MFA and authenticated to the Cisco VPN. Once that was achieved, they started dropping remote access and post-exploitation tools. The hackers escalated their privileges, created backdoors for persistence, and moved to other systems in the environment, including Citrix servers and domain controllers.
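The two steps just described (a burst of push prompts ending in an approval, then a new MFA device enrolled and used for a VPN login) are what a detection team would want to alert on. The following is an added example, not code from Cisco or from its incident write-up: a small Python detector run over constructed authentication events. The log format (`ts user= event= result= src=`), the event names and the thresholds (five pushes in ten minutes; a VPN login within 24 hours of device enrollment) are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events; the field layout, event names and
# values are assumptions for this example, not Cisco's own telemetry.
SAMPLE_EVENTS = [
    "2022-05-23T09:00:01Z user=jdoe event=mfa_push result=denied src=203.0.113.10",
    "2022-05-23T09:00:40Z user=jdoe event=mfa_push result=timeout src=203.0.113.10",
    "2022-05-23T09:01:15Z user=jdoe event=mfa_push result=denied src=203.0.113.10",
    "2022-05-23T09:02:02Z user=jdoe event=mfa_push result=timeout src=203.0.113.10",
    "2022-05-23T09:03:11Z user=jdoe event=mfa_push result=denied src=203.0.113.10",
    "2022-05-23T09:04:30Z user=jdoe event=mfa_push result=approved src=203.0.113.10",
    "2022-05-23T09:05:00Z user=jdoe event=mfa_device_enrolled result=success src=203.0.113.10",
    "2022-05-23T09:06:10Z user=jdoe event=vpn_login result=success src=203.0.113.10",
    # Normal user: one prompt, approved, then VPN login; no device enrollment.
    "2022-05-23T08:30:00Z user=asmith event=mfa_push result=approved src=192.0.2.44",
    "2022-05-23T08:30:05Z user=asmith event=vpn_login result=success src=192.0.2.44",
    # Enrollment followed by a VPN login two days later: outside the window.
    "2022-05-20T14:00:00Z user=bwong event=mfa_device_enrolled result=success src=192.0.2.9",
    "2022-05-22T15:00:00Z user=bwong event=vpn_login result=success src=192.0.2.9",
]


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime ts."""
    ts_text, *fields = line.split()
    ev = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def parse_events(lines):
    """Parse all lines and sort them chronologically."""
    return sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])


def by_user(events):
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["user"]].append(ev)
    return grouped


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag a user who receives >= threshold push prompts inside `window`.

    The alert records whether any prompt in the burst was approved, which is
    the outcome the fatigue technique is after. One alert per user is emitted.
    """
    alerts = []
    for user, evs in by_user(events).items():
        pushes = [e for e in evs if e["event"] == "mfa_push"]
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "first_push": start["ts"],
                    "pushes": len(burst),
                    "approved": any(p["result"] == "approved" for p in burst),
                })
                break
    return alerts


def detect_enrollment_then_vpn(events, window=timedelta(hours=24)):
    """Flag a successful VPN login within `window` of a new MFA device enrollment."""
    alerts = []
    for user, evs in by_user(events).items():
        for i, ev in enumerate(evs):
            if ev["event"] != "mfa_device_enrolled":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, so nothing later can match
                if later["event"] == "vpn_login" and later["result"] == "success":
                    alerts.append({"user": user, "enrolled": ev["ts"],
                                   "vpn_login": later["ts"], "src": later["src"]})
                    break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_push_fatigue(evs):
        print("push fatigue:", alert)
    for alert in detect_enrollment_then_vpn(evs):
        print("new MFA device then VPN login:", alert)
```

On the constructed data only `jdoe` trips both rules; `asmith` shows the normal one-prompt pattern and `bwong` shows why the enrollment rule needs a time window. In production the two alerts are worth correlating on the same user, since either one alone has benign explanations (a flaky push client, a legitimately replaced phone).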
After the intrusion was detected and the threat actor’s access was terminated, Cisco observed continuous attempts to regain access, but the company says they all failed.
Cisco has attributed the attack to an initial access broker with ties to the threat actor UNC2447, a Russia-linked group known for using FiveHands and HelloKitty ransomware, as well as Lapsus$, the gang that targeted several major companies before its alleged members were identified by law enforcement. The initial access broker has also been linked to the Yanluowang ransomware gang.
In fact, the Yanluowang ransomware group has taken credit for the attack, claiming to have stolen roughly 3,000 files with a total size of 2.8Gb. The file names published by the hackers suggest that they have stolen VPN clients, source code, NDAs and other documents.