U.S. networking giant Cisco Systems has been hacked, the company confirmed on Wednesday, after Yanluowang ransomware operators claimed the attack on their leak site.
Without any further information, the group released a list of 8110 lines,
showing folder names and possibly exfiltrated files.
The word #Cisco only appears 94 times.
More information in the screenshots below: pic.twitter.com/2c5shCSbF9
— Gitworm (@Gi7w0rm) August 10, 2022
But according to Cisco’s Talos threat intelligence team, the breach resulted in the exfiltraton of inconsequential data and the booting of the attackers from Cisco’s systems and corporate network. They repeatedly try to get back in, the analysts said, but despite using various advanced techniques weren’t able to repeat their initial feat.
According the Talos analysts, the attackers started by gaining control of a Cisco employee’s personal Google account.
“The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing“) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving,” they explained.
“Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN.”
The attackers then:
- Escalated their privileges to “admin”, allowing them to log in to various systems (and this is when Cisco Security’s IT team noticed something was amiss)
- Dropped remote access and offensive security tools
- Added backdoor accounts and persistence mechanisms
“Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment,” the team explained.
“[The attackers managed to compromise] a series of Citrix servers and eventually obtained privileged access to domain controllers.”
They went after credential databases, registry information and memory that contained credentials, deleted accounts they created and cleared system logs to cover their tracks, made changes to host-based firewall configurations to enable RDP access to systems, and attempted to exfiltrate information.
As it turned out, they only managed to steal the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from Active Directory.
“The incident was contained to the corporate IT environment and Cisco did not identify any impact to any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations,” Cisco claims.
The attackers did not manage to deploy ransomware before getting booted, but they nevertheless tried to extort money from the company in return of not leaking the stolen data.
Lessons can be learned
The company first noticed the attack in progress on May 24, 2022, but did not share for how long it went on before that.
The Cisco Talos team detailed the steps the attackers took to gain access and move in Cisco’s enterprise network – as well as their attempts to get back in once they were removed from it – and shared indicators of compromise, to help other enterprise defenders and incident responders.
“Based on the artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$,” the analysts said – and they were right.
“We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations.”
UPDATE (September 12, 2022, 09:00 a.m. ET):
“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed,” Cisco said on Sunday.
“Our previous analysis of this incident remains unchanged-we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”