Cisco Admits ‘Security Incident’ After Breach Of Corporate Network

Tech giant Cisco has admitted a ‘corporate network security incident’, after the Yanluowang ransomware gang claimed to have stolen 2.8GBs of data.

According to the Cisco statement on the matter, the networking giant identified a security incident on 24 May targeting Cisco corporate IT infrastructure.

Cisco Security Incident Response (CSIRT), alongside Cisco Talos, took immediate action to “contain and eradicate the bad actors,” after a ransomware gang called “Yanluowang”, with ties to Lapsus$, claimed responsibility.

Cisco breach

“On May 24, 2022, Cisco identified a security incident targeting Cisco corporate IT infrastructure, and we took immediate action to contain and eradicate the bad actors,” it stated.

“In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.”

Cisco said that it did not identify any impact to its business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations.

But on August 10 the bad actors published a list of files from this security incident to the dark web.

“Every cybersecurity incident is an opportunity to learn, strengthen our resilience, and help the wider security community,” noted the networking firm.

“Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise (IOCs) with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.”

Compromised Google account

The Talos blog reveals that a “Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronised.”

It seems that the attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organisations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker.

The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user, said the Talos blog.

CSIRT and Talos have not apparently identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.

After the hacker gained access, they “conducted a variety of activities to maintain access, minimise forensic artifacts, and increase their level of access to systems within the environment.”

The hacker was removed but apparently repeatedly attempted to regain access in the weeks following the attack. All of those attempts were unsuccessful.

“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operator.”

Prevention focus

Sam Linford, AVP EMEA channel at Deep Instinct noted this case showed why organisations need a prevention-first approach to cybersecurity.

“Cisco’s policies were crucial in mitigating the impacts of the Yanluowang ransomware attack,” said Linford. “Cisco were able to detect and evict the malicious actor from its environment, and whilst on this occasion only non-sensitive data was leaked onto the dark web, the next attack could potentially result in the leakage of sensitive data, which could be disastrous for business operations, employees and customers.”

Moreover, we don’t want the disclaimer of it only being non-sensitive data leaked to become the norm and for organisations to become apathetic to the longer-term risks posed,” said Linford.

“Once threat actors know that an organisation is susceptible to a breach then the risk of further attacks increases,” Linford added. “Cyber criminals are inspired by one another’s crimes, and others may challenge themselves to breach an organisation’s network and this time steal personal information.”

“Even though additional security measures will have been put in place, security teams will still be under immense pressure and stress knowing that they could be hit again, and if breached, it could end in chaos,” said Linford. “Therefore, organisations must start looking at new approaches to cybersecurity that stop cyberattacks before they have a chance to steal any data.”

“Endpoint Detection and Response (EDR), that work on a reactive and mitigation approach, are increasingly being evaded by the latest malware and techniques used by threat actors,” said Linford. “Whilst in this case, they were able to stop the attack before disaster, most other examples show the opposite.”

“Organisations should be looking to implement a preventive mindset when dealing with ransomware attacks,” Linford concluded. “We should not see success as, threat actors leaking non-sensitive data and allowing them to get away with their crimes. It’s worth taking a new approach to cybersecurity where organisations stop ransomware attacks before they breach the network, and end the crimes of ransomware groups once and for all.”