Cisco confirmed the May attack and that the data leaked by the Yanluowang ransomware group was stolen from its systems.
In August, Cisco disclosed a security breach, the Yanluowang ransomware gang breached its corporate network in late May and stole internal data.
The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
Once the credentials were obtained, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification initiated by the attacker.
Upon achieving an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user. The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
According to Talos, once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. Then the threat actors escalated to administrative privileges before logging into multiple systems. Then threat actors were able to drop multiple tools in the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket.
Over the weekend, Cisco confirmed that the data recently leaked by the Yanluowang ransomware gang have been authentic and were stolen from its network during the May intrusion. However, the company pointed out that the security breach has no impact on the business because the stolen data does not include sensitive information.
“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.” reads an update published by Cisco on September September 11, 2022. “Our previous analysis of this incident remains unchanged-we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
According to BleepinComputer, which has contacted the leader of the ransomware gang, the Yanluowang group claims to have stolen 55GB of files which included classified documents, technical schematics, and source code.
Cisco continues to deny that the threat actors had access to the source code of its products.
Recently, researchers from cybersecurity firm eSentire discovered that the attack infrastructure used in the Cisco hack was also used to attack a top Workforce Management corporation in April 2022.
The experts also speculate that the attack was orchestrated by a threat actor known as mx1r, who is an alleged member of the Evil Corp affiliate cluster dubbed UNC2165.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Cisco)