Today, Cisco confirmed that its corporate network was breached by the Yanluowang ransomware group in late May. The company revealed that the attackers compromised employee accounts and then gained access to the corporate network after conducting a series of sophisticated voice phishing attacks to bypass multi-factor authentication (MFA).
In its blog post, Cisco wrote:
"On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate." "During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized."
"The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," Cisco further added.
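As an added example, not taken from Cisco's report, the following Python flags the pattern described in the quote above, a burst of rejected or expired MFA push challenges followed by an approval, over constructed sample log lines (the log format, user names and thresholds are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA/VPN events (not from Cisco's report):
# timestamp, user, event kind, result, client.
SAMPLE_EVENTS = """\
2022-05-24T09:01:10 jdoe push DENIED ios
2022-05-24T09:01:42 jdoe push DENIED ios
2022-05-24T09:02:05 jdoe push TIMEOUT ios
2022-05-24T09:02:40 jdoe push DENIED ios
2022-05-24T09:03:15 jdoe push APPROVED ios
2022-05-24T09:03:20 jdoe vpn LOGIN unknown-device
2022-05-24T08:30:00 asmith push APPROVED android
2022-05-24T12:00:00 asmith push APPROVED android
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_UNAPPROVED = 3               # assumed number of failed pushes to alert on

def parse_events(text):
    """Parse the whitespace-separated sample format into sorted tuples."""
    events = []
    for line in text.splitlines():
        ts, user, kind, result, client = line.split()
        events.append((datetime.fromisoformat(ts), user, kind, result, client))
    return sorted(events)

def find_push_fatigue(text, window=WINDOW, min_unapproved=MIN_UNAPPROVED):
    """Return {user: count} for each APPROVED push that was preceded by at
    least `min_unapproved` DENIED/TIMEOUT pushes within `window`.
    A user who only ever approves pushes is never flagged."""
    history = defaultdict(list)   # user -> timestamps of unapproved pushes
    flagged = {}
    for ts, user, kind, result, _client in parse_events(text):
        if kind != "push":
            continue
        if result in ("DENIED", "TIMEOUT"):
            history[user].append(ts)
        elif result == "APPROVED":
            recent = [t for t in history[user] if ts - t <= window]
            if len(recent) >= min_unapproved:
                flagged[user] = max(flagged.get(user, 0), len(recent))
            history[user].clear()   # an approval ends the burst
    return flagged

if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_EVENTS))   # {'jdoe': 4}
```

Pairing a flagged approval with a VPN login from an unrecognised device, as in the sample, is the combination worth routing to the on-call analyst.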
Hackers claim to steal data from Cisco
News of the breach came out after the Yanluowang ransomware group claimed Cisco Systems as its latest victim. Alongside that announcement, the group also published text files that it claims to have obtained from Cisco in the cyber attack.
The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.
Cisco confirmed that the only successful data exfiltration in this cyber attack was the contents of a Box folder associated with a compromised employee's account. The data obtained by the adversary in this case was not sensitive.
After being successfully removed from the environment, the adversary also repeatedly attempted to establish email communications with executive members of Cisco but did not make any specific threats or extortion demands. In one email, the attacker also included a screenshot showing the directory listing of the Box data that was previously exfiltrated as described earlier.
No Ransomware Deployed
Cisco also said that, even though the Yanluowang gang is known for encrypting their victims' files, it found no evidence of ransomware payloads during the attack.
"While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments."
After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. Cisco assesses with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.