Cisco suffered cyberattack by Lapsus$ and Yanluowang hackers
Only non-sensitive data was stolen, Cisco says
Cisco said on Wednesday that it had been the target of a cyberattack in May, but claimed the attackers were unsuccessful in their attempts to steal sensitive information or interfere with business operations.
"On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors," the company said in an online post.
After learning of the breach, Cisco said it successfully blocked the attackers' subsequent attempts to access its network.
An investigation into the security incident revealed that a Cisco employee's credentials had been compromised after an attacker took over a personal Google account where credentials were stored in the victim's browser.
The attacker used a series of sophisticated voice phishing attempts to impersonate numerous reputable companies in an effort to persuade the victim to accept push notifications for multifactor authentication (MFA) that the attacker had started.
In the end, the attacker was successful, which gave them access to the VPN in the context of the targeted user.
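The push-spam technique described above leaves a recognisable trail in MFA provider logs: a burst of prompts to one user that are denied or time out, followed by an approval. The following detection script is an added example written for this page; it is not Cisco's code, and the log format, field names, sample entries and thresholds (30-minute look-back, three prior rejections) are constructed assumptions for illustration rather than anything from the incident report.

```python
"""Flag MFA push-fatigue patterns in constructed authentication logs.

Added example, not Cisco's tooling. The key=value line format, the
event/result vocabulary and the thresholds below are assumptions.
Heuristic: an "approved" push that was preceded, within WINDOW, by at
least MIN_REJECTS pushes the same user denied or let time out.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tunable thresholds (assumptions chosen for the example).
WINDOW = timedelta(minutes=30)   # look-back window before an approval
MIN_REJECTS = 3                  # rejected pushes that make an approval suspicious

# Hypothetical log line shape: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=push_result\s+"
    r"result=(?P<result>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample data (not real Cisco logs). jdoe is spammed and
# eventually approves; asmith is a normal login; bjones never approves;
# jdoe's later approval is outside the window and should not alert.
SAMPLE_LOG = """\
2022-05-24T02:10:40Z user=jdoe event=push_result result=denied src=203.0.113.7
2022-05-24T02:12:03Z user=jdoe event=push_result result=timeout src=203.0.113.7
2022-05-24T02:14:51Z user=jdoe event=push_result result=denied src=203.0.113.7
2022-05-24T02:18:22Z user=jdoe event=push_result result=denied src=203.0.113.7
2022-05-24T02:21:09Z user=jdoe event=push_result result=timeout src=203.0.113.7
2022-05-24T02:25:47Z user=jdoe event=push_result result=approved src=203.0.113.7
2022-05-24T08:01:12Z user=asmith event=push_result result=approved src=198.51.100.23
2022-05-24T09:30:00Z user=bjones event=push_result result=denied src=203.0.113.9
2022-05-24T09:31:10Z user=bjones event=push_result result=denied src=203.0.113.9
2022-05-24T13:05:00Z user=jdoe event=push_result result=approved src=198.51.100.50
"""


def parse_log(text):
    """Return a time-sorted list of (ts, user, result, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not push results
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"], m["src"]))
    events.sort()
    return events


def detect_push_fatigue(events, window=WINDOW, min_rejects=MIN_REJECTS):
    """Return one alert dict per approval preceded by >= min_rejects rejections."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, result, src) in enumerate(evs):
            if result != "approved":
                continue
            # Earlier events only; the list is time-sorted so evs[:i] precede ts.
            rejects = [e for e in evs[:i]
                       if e[2] in ("denied", "timeout") and ts - e[0] <= window]
            if len(rejects) >= min_rejects:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "rejects_before": len(rejects),
                    "first_reject_at": rejects[0][0].isoformat(),
                    "approving_src": src,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print("PUSH FATIGUE:", alert)
```

On the sample data only jdoe's 02:25:47 approval is flagged (five rejections in the preceding 15 minutes); bjones never approves and jdoe's afternoon login has no rejections inside the window. In practice the same logic would be fed from the MFA provider's authentication export, and the alert is the cue to review the VPN session that followed the approval.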
After gaining a foothold on Cisco's corporate network, the threat actors moved laterally to Citrix servers and domain controllers. They entered the Citrix environment, compromised a number of Citrix servers, and finally gained privileged access to domain controllers.
After taking control of the domain, they deployed a number of payloads to infected devices and utilised enumeration tools to collect further data.
Cisco eventually detected the attackers and evicted them from its environment, but they continued trying to regain entry over the next weeks.
They also made repeated attempts to contact the organisation's executives through email, but did not make any explicit requests or extortion threats.
One of the emails included a screenshot of a directory listing of the Box data that had been exfiltrated. According to BleepingComputer, the threat actors also sent executives a directory listing of the data allegedly taken during the attack and claimed to have stolen approximately 3,100 files, totalling 2.75 GB.
On August 10, the extortionists revealed the Cisco breach on their data leak website, posting a list of the files they claim to have stolen from Cisco systems.
However, Cisco says the data stolen was non-sensitive information from a Box account linked to a compromised employee.
According to Cisco, the attack did not appear to involve ransomware payloads. Furthermore, the company said there was no evidence that the incident had any impact on its business, including products or services, intellectual property, sensitive customer or employee data, or supply chain operations.
Cisco said it had moderate to high confidence that the initial attack was carried out by an actor that has been previously identified as an initial access broker (IAB) with links to the Lapsus$ threat group, Yanluowang ransomware operators and the UNC2447 gang.
In addition to a number of other responses to the attack, the company said it had contacted law enforcement authorities and was reviewing its employee cyber security training.
"Given the actor's demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques," Cisco said.
"Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones."