Cisco admits corporate network compromised by gang with links to Lapsus$
Voice-phished their way in, but Switchzilla claims no damage done
Cisco disclosed on Wednesday that its corporate network was accessed by cyber-criminals in May after an employee's personal Google account was compromised – an act a ransomware gang named "Yanluowang" has now claimed as its work.
The world's largest networking vendor disclosed the months-old compromise after a list of files accessed during the incident appeared on the dark web.
A Cisco statement asserts the company "did not identify any impact to [its] business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations."
Cisco's Security Incident Response Team (CSIRT) and the company's threat intelligence group, Cisco Talos, specified that the only successful data exfiltration was from a Box cloud storage account associated with the compromised employee's account.
But the attacker did manage to spend some time inside Cisco's IT.
According to Talos's post, the attacker obtained access to Cisco networks, enrolled a series of devices for MFA and authenticated successfully to the Cisco VPN.
The attacker "then escalated to administrative privileges, allowing them to login to multiple systems." That action alerted the Cisco Security Incident Response Team (CSIRT), which swooped in with "extensive IT monitoring and remediation capabilities" to "implement additional protections, block any unauthorized access attempts, and mitigate the security threat." Efforts were also made to improve "employee cybersecurity hygiene."
The infiltration occurred after attackers stole Cisco credentials from an employee by gaining control of a personal Google account.
The attacker then employed voice-phishing techniques that saw operatives call using various accents and posing as various trusted organizations, seeking to help the Cisco staffer, until he or she cracked and accepted a bogus MFA notification that gave the hackers access to the VPN.
Once inside, they spread laterally to Citrix servers – eventually obtaining privileged access to domain controllers. As domain admin, they operated tools like ntdsutil, adfind and secretsdump to exfiltrate data and install a backdoor and other payloads.
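As an added defender-side illustration, not code from Cisco's or Talos's report, the following Python flags the two early signals described above in MFA and VPN logs: a push approved only after a burst of denials or timeouts, and a newly enrolled MFA device followed shortly by a VPN login. The log format, user names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log lines in an assumed "timestamp user event outcome"
# format; not taken from Cisco's or Talos's report.
SAMPLE_LOGS = """
2022-05-10T09:01:02Z jdoe mfa_push DENIED
2022-05-10T09:01:40Z jdoe mfa_push TIMEOUT
2022-05-10T09:02:15Z jdoe mfa_push DENIED
2022-05-10T09:03:05Z jdoe mfa_push DENIED
2022-05-10T09:04:20Z jdoe mfa_push APPROVED
2022-05-10T09:05:00Z jdoe mfa_device_enroll SUCCESS
2022-05-10T09:06:30Z jdoe vpn_login SUCCESS
2022-05-10T10:00:00Z asmith mfa_push APPROVED
2022-05-10T10:00:30Z asmith vpn_login SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(text):
    """Parse log lines into time-sorted (timestamp, user, event, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, event, outcome = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome))
    return sorted(events)

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejects=3):
    """Flag an approved push preceded by >= min_rejects denied/timed-out pushes
    for the same user inside the window: the 'user finally gives in' pattern."""
    findings, by_user = [], defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        for i, (ts, _, event, outcome) in enumerate(evs):
            if event == "mfa_push" and outcome == "APPROVED":
                rejects = [e for e in evs[:i] if e[2] == "mfa_push"
                           and e[3] in ("DENIED", "TIMEOUT") and ts - e[0] <= window]
                if len(rejects) >= min_rejects:
                    findings.append(("push_fatigue", user, ts))
    return findings

def detect_enroll_then_vpn(events, window=timedelta(hours=1)):
    """Flag a successful MFA device enrollment followed by a VPN login within window."""
    enrolls = [e for e in events if e[2] == "mfa_device_enroll" and e[3] == "SUCCESS"]
    logins = [e for e in events if e[2] == "vpn_login" and e[3] == "SUCCESS"]
    return [("new_device_then_vpn", u, ts2) for ts, u, _, _ in enrolls
            for ts2, u2, _, _ in logins if u2 == u and timedelta(0) <= ts2 - ts <= window]
```

Both detectors are deliberately simple; in practice the thresholds and the enrollment-to-login window would be tuned against the identity provider's own baseline.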
Cisco was able to revoke the attacker's access, but that did not discourage them. They tried to re-establish entry multiple times, preying on employees' weak password rotation hygiene. The attacker then attempted to establish email communication with Cisco execs, showing off directory listings of their loot – an alleged 2.75GB of data containing around 3,700 files – and suggesting Cisco could pay to avoid disclosure.
"Based upon artefacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," said Cisco, adding activity was also linked to the Yanluowang ransomware gang.
Yanluowang has claimed credit for the breach.
The Yanluowang ransomware, named after a Chinese deity, is typically used against financial institutions, but has been known to infect companies in manufacturing, IT services, consultancy and engineering.
Interestingly, no ransomware appears to have been deployed in the attack on Cisco.
"While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity' – activity commonly observed leading up to the deployment of ransomware in victim environments," Cisco stated.
The company also revealed that its reason for disclosing the incident now – more than three months after the compromise – was that it had been "actively collecting information about the bad actor to help protect the security community." But once files from the incident were posted to the dark web, Cisco felt it had to reveal the attack. ®