Hacker With Ties to Lapsus$ Stole Cisco Employee’s Credentials, Accessed Cisco VPN

Cisco said the threat actors could successfully exfiltrate data only once when non-sensitive data was stolen from a Box folder associated with a compromised employee’s account.

August 11, 2022

On Wednesday, Cisco acknowledged that it had been the victim of an attack on May 24, 2022, by an adversary connected to UNC2447, the Lapsus$ extortion ring, and the Yanluowang ransomware gang. The company said the attackers got into its network through a compromised personal account belonging to an employee and could only reach non-sensitive data.

The networking giant disclosed the breach more than two months after the attack, and only after the Yanluowang ransomware group added Cisco to its leak site this week. The attacker had also emailed Cisco last week claiming to have taken 3,100 files totaling 2.75 gigabytes of data, including non-disclosure agreements, data dumps, and engineering drawings.

Yanluowang Ransomware Gang Email to Cisco | Source: Cisco

Cisco Security Incident Response Team (CSIRT) clarified, “Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations.”

Cisco’s threat intelligence arm, Cisco Talos, said the attacker’s initial access came through a compromised personal account belonging to an employee. The employee had enabled password syncing in their browser, so the credentials saved in that synced profile, including those for their Cisco account, were available to whoever controlled the personal account.

The attacker then turned to vishing (voice phishing) against the employee, who, after a series of attempts, accepted one of the multi-factor authentication (MFA) push notifications the attacker was triggering.

This is MFA fatigue, also called push bombing: holding valid credentials, the attacker repeatedly initiates logins so that the target receives a large volume of push requests, counting on the user eventually approving one, either by accident or simply to make the notifications stop.


Once the employee accepted the MFA request, the threat actor could connect to the Cisco VPN as that employee. The attacker then enrolled new devices for MFA under the account, so later logins no longer depended on the victim approving anything, and escalated to administrative privileges, logging into several systems; that activity is what alerted CSIRT.
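The sequence described above, a stream of unanswered pushes, one approval, then enrollment of a new MFA device, is exactly the pattern an MFA provider’s authentication log can surface. The following is an added example written for this article, not code from Cisco or Talos. It assumes a Duo-style JSON-lines log with constructed field names (`event`, `user`, `factor`, `result`, `src_ip`) and constructed sample lines; it flags any user who approved a push after at least five unanswered ones within ten minutes, and raises the severity when a new MFA device is enrolled within an hour of that approval.

```python
"""Flag MFA push bombing followed by an approval and a new MFA device enrollment.

Added example for this article, not Cisco's or Talos' code. The log format is a
constructed, Duo-style JSON-lines schema; field names and sample lines are
assumptions made for the example.
"""
import json
from datetime import datetime, timedelta, timezone

PUSH_THRESHOLD = 5                     # unanswered pushes before an approval = fatigue
PUSH_WINDOW = timedelta(minutes=10)    # look-back window for those unanswered pushes
ENROLL_WINDOW = timedelta(minutes=60)  # a new device enrolled this soon after is critical

# Constructed sample log: jdoe is push-bombed, approves, then a new device is enrolled;
# asmith and mlee are benign (one normal approval; a couple of denials, no approval).
SAMPLE_LOG = """\
{"ts":"2022-05-24T07:30:00Z","event":"auth","user":"jdoe","factor":"push","result":"approved","src_ip":"10.20.30.40"}
{"ts":"2022-05-24T08:00:05Z","event":"auth","user":"jdoe","factor":"push","result":"denied","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:00:41Z","event":"auth","user":"jdoe","factor":"push","result":"timeout","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:01:00Z","event":"auth","user":"asmith","factor":"push","result":"approved","src_ip":"203.0.113.8"}
{"ts":"2022-05-24T08:01:20Z","event":"auth","user":"jdoe","factor":"push","result":"denied","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:02:03Z","event":"auth","user":"jdoe","factor":"push","result":"timeout","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:02:30Z","event":"auth","user":"mlee","factor":"push","result":"denied","src_ip":"203.0.113.77"}
{"ts":"2022-05-24T08:02:55Z","event":"auth","user":"jdoe","factor":"push","result":"denied","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:03:10Z","event":"auth","user":"mlee","factor":"push","result":"denied","src_ip":"203.0.113.77"}
{"ts":"2022-05-24T08:03:37Z","event":"auth","user":"jdoe","factor":"push","result":"timeout","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:04:48Z","event":"auth","user":"jdoe","factor":"push","result":"approved","src_ip":"198.51.100.23"}
{"ts":"2022-05-24T08:12:00Z","event":"device_enroll","user":"jdoe","device":"phone-new-ios","src_ip":"198.51.100.23"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts sorted by UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD,
                        push_window=PUSH_WINDOW, enroll_window=ENROLL_WINDOW):
    """Return one alert per push approval preceded by >= threshold unanswered pushes."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        pending = []  # unanswered pushes still inside the look-back window
        for i, ev in enumerate(evs):
            if ev.get("event") != "auth" or ev.get("factor") != "push":
                continue
            pending = [p for p in pending if ev["ts"] - p["ts"] <= push_window]
            if ev["result"] in ("denied", "timeout"):
                pending.append(ev)
                continue
            if ev["result"] != "approved":
                continue
            if len(pending) >= threshold:
                # A new MFA device enrolled soon after the approval is how the attacker
                # stops depending on the victim's cooperation for later logins.
                enrolled = [e for e in evs[i + 1:]
                            if e.get("event") == "device_enroll"
                            and e["ts"] - ev["ts"] <= enroll_window]
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "unanswered_pushes": len(pending),
                    "source_ips": sorted({p["src_ip"] for p in pending}),
                    "new_device_enrolled": bool(enrolled),
                    "severity": "critical" if enrolled else "high",
                })
            pending = []  # an approval closes the sequence either way


    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample above only jdoe trips the rule (six unanswered pushes, then an approval, then an enrollment eight minutes later), while asmith’s single approval and mlee’s two denials do not. In production the source IP of the pushes and of the approval is worth comparing against the user’s usual locations, and the thresholds should be tuned per tenant; the more robust fix is number matching or phishing-resistant MFA, which removes the “just tap approve” outcome the attacker is counting on.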

Once inside, the attackers deployed offensive tooling (the same dual-use tools a red team would call security tools) such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket; added their own backdoor accounts and persistence mechanisms; and installed multiple remote access tools, including LogMeIn and TeamViewer.

Cisco said that throughout the actors’ time in its network, the only successful data exfiltration it identified was the contents of a Box folder associated with the compromised employee’s account, which held non-sensitive data, together with employee authentication data from Active Directory.

“No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident,” CSIRT added. According to Avertium’s assessment, that is at odds with the usual Yanluowang ransomware playbook, whose tactics, techniques, and procedures (TTPs) include:

  • Stopping all hypervisor virtual machines running on the compromised computer
  • Terminating the processes listed in processes.txt, which include SQL and the Veeam backup solution
  • Encrypting files on the compromised computer and appending each file with the .yanluowang extension
  • Dropping a ransom note named README.txt on the compromised computer

However, CSIRT noted that “pre-ransomware activity” was underway when the company detected the intrusion.

Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, opined that the volume of cyberattacks against technology companies and security vendors would grow.

“Cybersecurity and technology vendors are now massively targeted by sophisticated threat actors for different interplayed reasons,” Kolochenko told Spiceworks. “First, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply-chain attacks.”

“Second, vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids.”

“Third, some vendors are a highly attractive target because they possess the most recent DFIR tools and techniques used to detect intrusions and uncover cybercriminals, whilst some other vendors may have exploits for 0day vulnerabilities or even source code of sophisticated spyware, which can later be used against new victims or sold on the Dark Web. That being said, we shall prepare for a continually growing volume and sophistication of cyberattacks targeting technology companies, namely security vendors,” Kolochenko concluded.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
