Cisco confirmed that hackers stole certain files during the campaign, though the company says the stolen data was not sensitive. The responsible actors leaked the stolen data on the dark web on Wednesday, August 10, 2022.
‘Pre-Ransomware Activity’ in the Cisco Breach
The IT and cybersecurity giant first observed the malicious activity in late May. Cisco’s security team subsequently removed the threat actor from its corporate VPN. After removal, the threat actor tried unsuccessfully to regain access to the network, the company said. They also made several attempts to contact Cisco executives by email, demanding payment in return for the stolen information. “While we did not observe ransomware deployment in this attack, the [tactics, techniques, and procedures] TTPs used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” Cisco stated. Based on its analysis of the incident, Cisco has “moderate to high confidence” that the responsible actor has ties to the Lapsus$ and Yanluowang ransomware gangs. The latter added Cisco to its leak site.
Stolen Credentials, Social Engineering Used to Breach Network
Cisco said the threat actors gained access to its corporate VPN by stealing an employee’s credentials. The attackers compromised the employee’s personal Google account and harvested the Cisco credentials that had been saved in the employee’s Google Chrome browser. However, this was only the first step. Most corporate networks, including Cisco’s, require multi-factor authentication (MFA) for network access. To bypass it, the attacker tried various techniques, such as voice phishing (vishing) and “MFA fatigue.” In the latter, the attacker triggers a high volume of push requests to the user’s device in the hope that the user eventually accepts one of the prompts. “In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user,” Cisco’s blog reads. After gaining access, the attacker enrolled a number of new devices for MFA and used them to authenticate successfully to Cisco’s network. The attacker ultimately used this access to obtain administrative privileges, which allowed them to log in to multiple systems. This activity caught the attention of Cisco’s security incident response team (CSIRT), which then removed the attacker from the network.
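The sequence described above (a flood of push prompts, one eventual approval, then enrollment of a new MFA device) is something an identity team can hunt for in its own MFA provider logs. The following detection is an added example written for this article, not code from Cisco or from any MFA vendor; the log format, event names (push_sent, push_approved, device_enrolled), thresholds and sample entries are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the article.
FLOOD_COUNT = 5                       # push prompts within FLOOD_WINDOW that count as a flood
FLOOD_WINDOW = timedelta(minutes=10)
ENROLL_FOLLOWUP = timedelta(hours=1)  # new MFA device enrolled this soon after an approval
# Constructed sample log (not real Cisco data): "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """
2022-05-24T21:00:05Z alice push_sent
2022-05-24T21:00:40Z alice push_sent
2022-05-24T21:01:30Z alice push_sent
2022-05-24T21:03:50Z alice push_sent
2022-05-24T21:05:10Z alice push_sent
2022-05-24T21:05:30Z alice push_approved
2022-05-24T21:41:00Z alice device_enrolled
2022-05-24T21:00:00Z bob push_sent
2022-05-24T21:00:20Z bob push_approved
"""

def parse_events(text):
    """Parse log lines into (datetime, user, event) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def detect_mfa_fatigue(events):
    """Return {user: [alerts]} for users showing the push-flood pattern."""
    by_user = {}
    for ts, user, event in events:
        by_user.setdefault(user, []).append((ts, event))
    alerts = {}
    for user, evs in by_user.items():
        prompts = [ts for ts, ev in evs if ev == "push_sent"]
        # Rule 1: (first, last) prompt of every run of FLOOD_COUNT prompts inside FLOOD_WINDOW
        floods = [(s, prompts[i + FLOOD_COUNT - 1]) for i, s in enumerate(prompts)
                  if i + FLOOD_COUNT <= len(prompts)
                  and prompts[i + FLOOD_COUNT - 1] - s <= FLOOD_WINDOW]
        if not floods:
            continue
        alerts[user] = [f"push flood: {len(prompts)} prompts"]
        # Rule 2: an approval during/just after a flood, then a new device within ENROLL_FOLLOWUP
        enrolls = [ts for ts, ev in evs if ev == "device_enrolled"]
        for a in (ts for ts, ev in evs if ev == "push_approved"):
            if any(s <= a <= e + FLOOD_WINDOW for s, e in floods) and \
               any(timedelta(0) <= en - a <= ENROLL_FOLLOWUP for en in enrolls):
                alerts[user].append("approval during flood, then new MFA device enrolled")
                break
    return alerts
```

On the constructed sample, `detect_mfa_fatigue(parse_events(SAMPLE_LOG))` flags alice on both rules and leaves bob's single, promptly approved push alone; the second rule is the higher-fidelity signal, since a flood alone may just be a user with a stuck client.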
Attacker Stole Information, Dropped Malicious Payloads
Cisco said the attacker tried to steal information from its corporate network on a number of occasions. The malicious actors also dropped numerous malicious payloads, which the company is still investigating. Cisco confirmed that the first payload was a command-and-control (C2) server set up specifically for this attack. “We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory,” the company said. “The Box data obtained by the adversary in this case was not sensitive.” The threat actors sent an email to Bleeping Computer last week containing a directory listing of the stolen files. The actor said they stole approximately 3,100 files adding up to 2.75GB. Many of the stolen files are non-disclosure agreements, data dumps, and engineering drawings.
Cisco’s Recommendations
In response to the incident, Cisco implemented a company-wide password reset. It added that it had observed similar activity and TTPs since 2021, which helped it slow the attacker’s progress. Cisco also stressed the importance of educating employees about the dangers of social engineering. Such attacks are rising in frequency and are causing serious harm to organizations. “User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information,” Cisco said. Similarly, companies should teach employees how to respond to MFA attacks such as a flood of push notifications. Employees should immediately report such events to their company’s network security personnel.