Cybercriminals breached Cisco Systems and stole non-sensitive data
Profit-driven cybercriminals breached Cisco systems in May and stole gigabytes of information, but the networking giant says the incident did not impact its business.
Cisco on Wednesday released a security incident notice and a technical blog post detailing the breach. The intrusion was detected on May 24, but the company shared its side of the story now, shortly after the cybercriminals published a list of files allegedly stolen from its systems.
According to Cisco, the attacker targeted one of its employees and only managed to steal files stored in a Box folder associated with that employee’s account, as well as employee authentication data from Active Directory. The company claims the information stored in the Box folder was not sensitive.
For initial access, the attacker targeted the personal Google account of an employee. The hackers obtained the employee’s Cisco credentials via Chrome, which had been configured to sync passwords.
In order to bypass multi-factor authentication (MFA), the attacker used a technique known as MFA fatigue, where they send a high volume of push requests to the target’s mobile device in hopes that they will accept the request either by accident or in an attempt to silence the notifications. The targeted employee also received multiple phone calls over a period of several days, where the caller — claiming to be associated with a support organization — attempted to trick them into handing over information.
The attacker managed to enroll new devices for MFA and authenticated to the Cisco VPN. Once that was achieved, they started dropping remote access and post-exploitation tools. The hackers escalated their privileges, created backdoors for persistence, and moved to other systems in the environment, including Citrix servers and domain controllers.
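The detection side of the MFA fatigue chain described above, as an added example written for this page (not Cisco's own tooling): the script scans a constructed MFA push log for a burst of prompts sent to one user and records whether a prompt was approved after the burst began and whether a new MFA device was enrolled shortly after. The log field names, thresholds and sample events are assumptions; map them to what your MFA provider actually exports.

```python
from datetime import datetime, timedelta

# Constructed sample MFA events (not real Cisco logs). Field names are an
# assumption; adapt them to your provider's export format.
SAMPLE_EVENTS = [
    {"ts": "2022-05-24T09:00:05", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:01:10", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:02:30", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:04:00", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:06:15", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:08:00", "user": "jdoe",   "event": "push_sent"},
    {"ts": "2022-05-24T09:08:30", "user": "jdoe",   "event": "push_approved"},
    {"ts": "2022-05-24T09:20:00", "user": "jdoe",   "event": "device_enrolled"},
    {"ts": "2022-05-24T09:05:00", "user": "asmith", "event": "push_sent"},
    {"ts": "2022-05-24T09:05:20", "user": "asmith", "event": "push_approved"},
]


def detect_mfa_fatigue(events, max_pushes=5, window=timedelta(minutes=10),
                       enroll_window=timedelta(hours=1)):
    """Flag users who received at least max_pushes push prompts inside a sliding
    window. Each alert notes whether a prompt was approved after the burst began
    and whether a new MFA device was enrolled within enroll_window of that approval."""
    by_user = {}
    for e in events:
        rec = dict(e, ts=datetime.fromisoformat(e["ts"]))
        by_user.setdefault(rec["user"], []).append(rec)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["ts"])
        pushes = [r["ts"] for r in evs if r["event"] == "push_sent"]
        for i, start in enumerate(pushes):
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) < max_pushes:
                continue
            approvals = [r["ts"] for r in evs
                         if r["event"] == "push_approved" and r["ts"] >= start]
            first_ok = approvals[0] if approvals else None
            enrolled = first_ok is not None and any(
                r["event"] == "device_enrolled"
                and timedelta(0) <= r["ts"] - first_ok <= enroll_window
                for r in evs)
            alerts.append({"user": user, "pushes_in_window": len(burst),
                           "burst_start": start.isoformat(),
                           "approved_after_burst": first_ok is not None,
                           "new_device_enrolled": enrolled})
            break  # one alert per user; later windows overlap this burst
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An alert with both flags set is the pattern worth paging on: a prompt accepted after repeated pushes and a new authenticator registered shortly afterwards, which is exactly the foothold step described above.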
After the intrusion was detected and the threat actor’s access was terminated, Cisco observed continuous attempts to regain access, but the company says they all failed.
Cisco has attributed the attack to an initial access broker with ties to the threat actor UNC2447, a Russia-linked group known for using FiveHands and HelloKitty ransomware, as well as Lapsus$, the gang that targeted several major companies before its alleged members were identified by law enforcement. The initial access broker has also been linked to the Yanluowang ransomware gang.
In fact, the Yanluowang ransomware group has taken credit for the attack, claiming to have stolen roughly 3,000 files with a total size of 2.8Gb. The file names published by the hackers suggest that they have stolen VPN clients, source code, NDAs and other documents.
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations,” Cisco said.
File-encrypting ransomware was not deployed in the attack. The threat actor did send emails to Cisco executives after being removed from its systems, but it “did not make any specific threats or extortion demands”.
Symantec first wrote about the Yanluowang ransomware in October 2021, when the malware appeared to be in development. A few weeks later, the company reported seeing the ransomware being used to target financial corporations in the United States.