NEW DELHI: Networking giant Cisco has suffered a major data breach; the hackers claim to have exfiltrated 2.8 GB of its information, part of which has been published by threat actors with links to a Russian nexus.
Cisco Security Incident Response Team (CSIRT) and Cisco’s threat intelligence group Talos have also confirmed the data breach, which was first flagged as a potential compromise on May 24 this year.
The hackers, the Yanluowang ransomware group, have published a partial list of files they say were stolen from Cisco.
How It Happened
Talos said that during the investigation by CSIRT, it was determined that a Cisco employee’s credentials were compromised after an “attacker gained control of a personal Google account” where credentials saved in the victim’s browser were being synchronized.
The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker.
The “attacker ultimately succeeded” in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
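The chain described above (repeated MFA push prompts to one user, several rejected or ignored, then an acceptance that unlocks VPN access) leaves a recognisable trace in identity-provider logs. The following is an added example of detection logic for that pattern; it is not code from Cisco or Talos. The log format, field names, sample log lines and the thresholds (`WINDOW`, `MIN_PUSHES`) are all constructed assumptions for the example and would need to be mapped onto a real provider's export.

```python
"""Flag MFA push-fatigue: a burst of push prompts to one user, at least one
rejected or timed out, followed by an approval inside the same window.

Everything here is constructed for illustration: the log format is an
assumed space-separated export (timestamp user event result source_ip),
and the thresholds are assumed tuning values, not vendor defaults.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

WINDOW = timedelta(minutes=10)   # assumed: look-back window before an approval
MIN_PUSHES = 4                   # assumed: prompts in window (incl. approval) to alert

# Constructed sample log lines, not real Cisco telemetry.
SAMPLE_LOG = """\
2022-05-24T02:01:10Z alice mfa_push denied 203.0.113.7
2022-05-24T02:01:42Z alice mfa_push denied 203.0.113.7
2022-05-24T02:02:15Z alice mfa_push timeout 203.0.113.7
2022-05-24T02:03:05Z alice mfa_push denied 203.0.113.7
2022-05-24T02:06:30Z alice mfa_push approved 203.0.113.7
2022-05-24T02:04:00Z bob mfa_push approved 198.51.100.23
2022-05-24T02:05:00Z carol mfa_push denied 198.51.100.40
2022-05-24T02:05:30Z carol mfa_push denied 198.51.100.40
2022-05-24T02:06:00Z carol mfa_push approved 198.51.100.40
2022-05-24T02:06:10Z alice vpn_login success 203.0.113.7
"""


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str   # "approved", "denied" or "timeout"
    src: str      # IP that triggered the prompt


def parse_line(line: str) -> Optional[PushEvent]:
    """Return a PushEvent for mfa_push lines; ignore anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "mfa_push":
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return PushEvent(ts, parts[1], parts[3], parts[4])


def find_push_fatigue(lines: List[str]) -> List[dict]:
    """Return one alert per approval preceded by a burst of rejected prompts."""
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_user[ev.user].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)
        for i, ev in enumerate(events):
            if ev.result != "approved":
                continue
            # Prompts to this user in the WINDOW before the approval.
            window = [e for e in events[:i] if ev.ts - e.ts <= WINDOW]
            rejected = [e for e in window if e.result != "approved"]
            if len(window) + 1 >= MIN_PUSHES and rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ev.ts.isoformat(),
                    "pushes_in_window": len(window) + 1,
                    "rejected_before_approval": len(rejected),
                    "sources": sorted({e.src for e in window} | {ev.src}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample, only `alice` is flagged (five prompts in ten minutes, four rejected or timed out before the approval); `bob` approves a single prompt and `carol` stays under the threshold. In a real deployment the alert would be joined with the subsequent VPN or SSO login so that an approval followed by a session from an unfamiliar source ranks highest.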
Cisco’s Response To The Hack
CSIRT and Talos are responding to the event and have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.
After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
The threat actor was successfully removed from the environment but proved persistent, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.
Who Is Actually Behind The Attack?
Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, Cisco said it assesses with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.
IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes.
Cisco said it has also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations.
Russia Links and ‘Double Extortion’ Technique
UNC2447 is a financially-motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as “double extortion,” in which data is exfiltrated prior to ransomware deployment in an attempt to coerce victims into paying ransom demands.
Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more, according to Cisco Talos.
No Ransomware Deployed
Notably, Cisco said it found no evidence of ransomware being deployed during the attack.
“Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations,” CSIRT stated.
“On August 10 the bad actors published a list of files from this security incident to the dark web,” it said.
Cisco’s FAQs Related To The Data Breach
Q: Is customer/partner or other sensitive data exposed as a result of this issue?
A: The incident was contained to the corporate IT environment and Cisco did not identify any impact to any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations.
Q: What remediation actions have been taken?
A: Cisco has extensive IT monitoring and remediation capabilities. We have used these capabilities to implement additional protections, block any unauthorized access attempts, and mitigate the security threat. We are also putting additional emphasis on employee cybersecurity hygiene and best practices to avoid similar instances in the future.
Q: Is customer/partner action required?
A: No customer/partner action is required for Cisco products or services. Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise (IOCs) with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.
Q: Is there an impact to Cisco’s business?
A: Cisco did not identify any impact to its business as a result of this incident.
Q: Why is Cisco disclosing this security incident now?
A: On August 10 the bad actors published a list of files from this security incident to the dark web. Prior to this disclosure, Cisco had been actively collecting information about the bad actor to help protect the security community.