Breach Notification , Cybercrime , Fraud Management & Cybercrime

Cisco Hacked: Firm Traces Intrusion to Initial Access Broker

But Cisco Dismisses Claim by Yanluowang Group That It Fell Victim to Ransomware
Cisco Hacked: Firm Traces Intrusion to Initial Access Broker
Photo: Cisco

Technology giant Cisco says it fell victim to a successful hack attack and data breach in May. But it says that the intrusion didn't appear to result in the theft of any sensitive information or have any discernable business impact.

See Also: Gartner Guide for Digital Forensics and Incident Response

The attack came to light Wednesday, when the Yanluowang ransomware group published a list of supposedly exfiltrated files, as spotted by security researchers, including @Gi7w0rm. The group claimed it not only successfully hacked Cisco but also unleashed ransomware.

Following Yanluowang's claim, Cisco on Wednesday denied being affected by ransomware but confirmed the intrusion, saying it hadn't done so publicly yet because it "has been actively collecting information about the bad actor to help protect the security community."

Cisco says it discovered on May 24 "a security incident targeting Cisco corporate IT infrastructure" and immediately responded and contained it. The company says it has taken further steps to harden its IT infrastructure to block the initial attack vectors used.

"No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident," the company says. "Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations."

Ransom note received by Cisco executives via email

Cisco's security incident response team - CSIRT - and Talos security group are continuing to probe the attack. The company says it has shared with law enforcement and other companies information about the attack, including the attacker's tactics, techniques and procedures, as well as indicators of compromise.

Cisco's Talos security team, in a Wednesday blog post, detailed those TTPs and IOCs, including how the attacker broke in and gained access via a Cisco VPN connection.

"During the investigation, it was determined that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized," Cisco Talos says.

"CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.," Talos says.

Social Engineering Used to Trick Employee

Cisco Talos says the attacker used relatively sophisticated and persistent tactics.

"The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker," it says. "The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user."

From there, the security researchers report, the attacker used a variety of techniques to try and escalate their access and gain persistent access to the network as well as remove traces of their intrusion to better fool digital forensic investigators.

"The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms," Cisco Talos says (see: Block This Now: Cobalt Strike and Other Red-Team Tools).

The researchers say the attacker gaining administrative privileges in an internal Citrix environment was what triggered security alerts, prompting CSIRT to investigate and leading to its discovery and remediation of the intrusion.

"Throughout the attack, we observed attempts to exfiltrate information from the environment," including via remote desktop protocol and Citrix, it says. "We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee's account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive."

Cisco Talos says it is continuing to analyze the attack and the malware payloads dropped by the attacker onto compromised systems, including backdoor software designed to communicate with a command-and-control server.

Brokers Likely Sold Access

The attacker who first penetrated Cisco's network appears to have sold this access to one or more cybercrime groups, including one or more attackers wielding Yanluowang ransomware.

"We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators," Cisco Talos says.

"We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations," it says.

The UNC2447 cybercrime gang has been tied in part to attacks that use HelloKitty ransomware as well as FiveHands ransomware, developed by the FiveHands - aka Canthroid - group. The group practices double extortion, meaning it often steals or claims to have stolen data from victims and threatens to release this data if it does not receive a ransom.

Some suspected members of the Lapsus$ data extortion group were arrested earlier this year, but the group's attacks appear to have continued (see: Okta's Data Breach Debacle After Lapsus$ Attack: Postmortem).

Yanluowang ransomware was first seen in the wild in August 2021, when Symantec reported that it was being used by an attacker to target U.S. financial services firms as well as "companies in the manufacturing, IT services, consultancy, and engineering sectors."

Symantec said at the time that "the attacker uses a number of tools, tactics, and procedures that were previously linked to Thieflock ransomware attacks, suggesting that they may have been a Thieflock affiliate who shifted allegiances to the new Yanluowang ransomware family."

Initial Access Brokers Thrive

The attack on Cisco is a reminder that initial access brokers remain a cornerstone of the cybercrime ecosystem. These brokers, who may be highly skilled at network intrusion or purchase tools from others, obtain access to sites and then sell this access as a service to others.

Some brokers list available accesses on darknet sites and markets, with a la carte pricing tied to the size and perceived value of the victim. Other brokers, however, have developed exclusive or "right of first refusal" relationships with ransomware groups, sometimes partnering in exchange for a percentage of any ransom that gets paid by the victim (see: 10 Initial Access Broker Trends: Cybercrime Service Evolves).

The attacker's successful bypass of Cisco's MFA defenses is also a reminder that social engineering can be used to defeat these technical controls. A separate attack campaign that came to light this week against Twilio and Cloudflare, for example, also featured attackers attempting to spoof their way past MFA defenses. Twilio said the attack against it was successful, while Cloudflare says it got blocked - even though three employees there were also successfully tricked - thanks to its use of hardware security keys.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.