Cisco’s own network compromised by gang with Lapsus$ links • The Register
Cisco revealed on Wednesday that its corporate network was accessed by cybercriminals in May after an employee’s personal Google account was compromised – an intrusion that a ransomware gang named “Yanluowang” has now claimed as its work.
The networking giant revealed the months-old compromise after a list of files accessed during the incident appeared on the dark web.
A statement from Cisco says the company “has not identified any impact to [its business] as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
Cisco’s Security Incident Response Team (CSIRT) and the company’s threat intelligence group, Cisco Talos, clarified that the only successful data exfiltration was from a Box cloud storage folder associated with the compromised employee’s account.
But the attacker still managed to spend time inside Cisco’s IT environment.
According to the message from Talos, the attacker gained access to Cisco networks, registered a series of devices for MFA, and successfully authenticated with Cisco VPN.
The attacker “then escalated to administrative privileges, allowing them to log into multiple systems.” That activity alerted Cisco’s Security Incident Response Team (CSIRT), which responded with “extensive IT monitoring and remediation capabilities” to “implement additional protections, block any unauthorized access attempts, and mitigate the security threat”. Efforts have also been made to improve “employee cybersecurity hygiene”.
The infiltration began after the attackers took control of an employee’s personal Google account; the employee had saved their Cisco credentials in the browser, and browser password sync carried them into that Google account.
Stolen credentials alone were not enough to pass MFA, so the attacker turned to voice phishing, with callers using a variety of accents and impersonating trusted organizations, combined with repeated MFA push notifications (“MFA fatigue”) in the hope the employee would eventually accept one. The employee did, and that single accepted push gave the attackers VPN access in the context of the targeted user.
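The two MFA-abuse steps described above (a run of rejected or ignored push prompts followed by an approval, and a freshly enrolled MFA device being used for a VPN login minutes later) are both visible in an MFA provider’s audit log. The detector below is an added example, not code from Cisco or Talos; the event schema and all log lines are constructed for the example, and the thresholds (three non-approved pushes in ten minutes, a device enrolled less than 24 hours before its first VPN use) are assumptions to be tuned against real data.

```python
"""Detect MFA push fatigue and new-device-then-VPN patterns over constructed audit events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Cisco data). Each tuple is:
# (timestamp, user, event type, result, MFA device used or enrolled).
SAMPLE_EVENTS = [
    ("2022-05-24T09:00:05", "alice", "push", "denied", "phone-1"),
    ("2022-05-24T09:00:41", "alice", "push", "timeout", "phone-1"),
    ("2022-05-24T09:01:20", "alice", "push", "denied", "phone-1"),
    ("2022-05-24T09:02:02", "alice", "push", "denied", "phone-1"),
    ("2022-05-24T09:03:15", "alice", "push", "approved", "phone-1"),   # fatigue succeeds
    ("2022-05-24T09:04:00", "alice", "device_enrolled", "success", "phone-9"),
    ("2022-05-24T09:05:30", "alice", "vpn_login", "success", "phone-9"),  # new device used at once
    ("2022-05-24T10:00:00", "bob", "push", "approved", "phone-2"),       # normal login
    ("2022-05-24T10:00:10", "bob", "vpn_login", "success", "phone-2"),
    ("2022-05-23T08:00:00", "carol", "device_enrolled", "success", "phone-5"),
    ("2022-05-24T09:30:00", "carol", "vpn_login", "success", "phone-5"),  # >24h later: benign
]


def parse(raw):
    """Turn the constructed tuples into dicts with real datetimes, sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
         "result": result, "device": device}
        for ts, user, event, result, device in raw
    ]
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Alert when an approved push follows >= min_rejections non-approved pushes within window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, pushes in by_user.items():
        for i, ev in enumerate(pushes):
            if ev["result"] != "approved":
                continue
            # Count the denied/timed-out prompts in the window leading up to this approval.
            prior = [p for p in pushes[:i]
                     if p["result"] != "approved" and ev["ts"] - p["ts"] <= window]
            if len(prior) >= min_rejections:
                alerts.append({"user": user, "rule": "mfa_push_fatigue",
                               "rejections": len(prior), "approved_at": ev["ts"]})
    return alerts


def detect_new_device_vpn(events, window=timedelta(hours=24)):
    """Alert when a VPN login uses an MFA device enrolled for that user within window."""
    enrollments = [e for e in events
                   if e["event"] == "device_enrolled" and e["result"] == "success"]
    alerts = []
    for login in events:
        if login["event"] != "vpn_login" or login["result"] != "success":
            continue
        for enr in enrollments:
            age = login["ts"] - enr["ts"]
            if (enr["user"] == login["user"] and enr["device"] == login["device"]
                    and timedelta(0) <= age <= window):
                alerts.append({"user": login["user"], "rule": "new_mfa_device_vpn_login",
                               "device": login["device"], "device_age": age})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    for alert in detect_push_fatigue(evs) + detect_new_device_vpn(evs):
        print(alert)
```

Only alice trips either rule: four non-approved prompts precede her approval, and her VPN login comes 90 seconds after phone-9 was enrolled; bob approves a single prompt and carol’s device is a day old, so neither fires. In production both rules belong on the identity provider’s logs rather than the VPN’s, because it is the provider that sees the denied prompts and the enrollment; number matching or a hardware key removes the fatigue vector altogether.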
Once inside, they spread laterally to Citrix servers, eventually gaining privileged access to domain controllers. As a domain administrator, they used tools such as ntdsutil, adfind, and secretsdump to exfiltrate data and install a backdoor and other payloads.
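The three tools named above leave recognisable process command lines on the hosts where they run; the scanner below is an added example (not Cisco’s or Talos’s detection content) that flags them in constructed process-creation records. The records, paths and domain names are made up, the `ntdsutil` invocation is the documented “ifm / create full” form that writes a copy of NTDS.dit to disk, and the rule names are this example’s own. A bare `ntdsutil.exe help` is included to show that the first rule keys on the dump sub-commands rather than the binary name.

```python
"""Flag process command lines matching the AD credential-dumping tools discussed above."""
import re

# Constructed process-creation records (Sysmon/EDR-style), invented for this example.
SAMPLE_PROCESSES = [
    {"pid": 4120, "host": "dc01",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Users\Public\dump" q q'},
    {"pid": 4133, "host": "jump01",
     "cmdline": r"python.exe secretsdump.py corp.example/svc-backup@dc01.corp.example -just-dc-ntlm"},
    {"pid": 4150, "host": "jump01",
     "cmdline": r'adfind.exe -f "(objectcategory=person)" -csv'},
    {"pid": 4201, "host": "dc01",
     "cmdline": r"ntdsutil.exe help"},               # benign: no dump sub-command
    {"pid": 4300, "host": "ws-1042",
     "cmdline": r"cmd.exe /c dir C:\Users\Public"},  # benign
]

# (rule name, severity, pattern). First matching rule wins per process.
RULES = [
    ("ntds_dump_via_ntdsutil_ifm", "high",
     re.compile(r"\bntdsutil\b.*\b(ifm|create\s+full)\b", re.I)),
    ("impacket_secretsdump", "high",
     re.compile(r"\bsecretsdump(\.py|\.exe)?\b", re.I)),
    ("adfind_enumeration", "medium",
     re.compile(r"\badfind(\.exe)?\b", re.I)),
]


def scan(processes, rules=RULES):
    """Return one hit per process whose command line matches a rule."""
    hits = []
    for proc in processes:
        for name, severity, pattern in rules:
            if pattern.search(proc["cmdline"]):
                hits.append({"pid": proc["pid"], "host": proc["host"],
                             "rule": name, "severity": severity})
                break
    return hits


def hosts_with_high_severity(hits):
    """Hosts to isolate first: any with a high-severity hit (dumping, not just enumeration)."""
    return sorted({h["host"] for h in hits if h["severity"] == "high"})


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESSES):
        print(hit)
    print("isolate first:", hosts_with_high_severity(scan(SAMPLE_PROCESSES)))
```

Command-line matching is the cheapest layer; attackers rename binaries, so pair it with behavioural signals (a non-backup process reading NTDS.dit or the SAM hive, the DRSUAPI replication RPCs that `secretsdump -just-dc` issues from a host that is not a domain controller) and treat any hit on a domain controller as a domain-wide credential compromise.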
Cisco was able to revoke the attacker’s access, but that did not deter them. They tried to regain access several times in the following weeks, targeting employees with poor password rotation hygiene after the forced password resets. The attacker then attempted to open email communication with Cisco executives, sending a directory listing of their loot – an alleged 2.75 GB of data containing approximately 3,700 files – and suggesting that Cisco could pay to avoid disclosure.
“Based on the artifacts obtained, the tactics, techniques, and procedures (TTPs) identified, the infrastructure used, and a thorough analysis of the backdoor used in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that was previously identified as an Initial Access Broker (IAB) with ties to both UNC2447 and Lapsus$,” Cisco said, adding that the activity was also linked to the Yanluowang ransomware gang.
Yanluowang claimed the breach.
— CyberKnow (@Cyberknow20) August 10, 2022
Yanluowang ransomware, named after a Chinese deity, is typically used against financial institutions, but has been known to infect manufacturing, IT services, consulting, and engineering companies.
Interestingly, no ransomware appears to have been deployed in the attack on Cisco.
“Although we did not observe any ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity’ – commonly observed activity leading to the deployment of ransomware in victimized environments,” Cisco said.
The company also revealed that its reason for disclosing the incident now – more than three months after the compromise – was that it had “actively collected information on the bad actor to help protect the security community”. But once the incident files were posted on the dark web, Cisco felt it had to expose the attack. ®