Talos Intelligence Group confirmed that Cisco had been hacked by the Yanluowang ransomware group. The confirmation, in a Talos blog posting, stated that Cisco first learned of the compromise on May 24. Excerpts follow:

  • On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate.
  • … it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
  • The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.
  • After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
Taylor.ellis, Customer Threat Analyst
InfoSec Expert
August 15, 2022 3:18 pm

As demonstrated by Cisco’s latest breach, nothing extraordinary or highly complex was done to accomplish unauthorized access. In fact, the techniques used were the standard schemes of most fraudsters calling as a trusted party (with highly unconvincing accents). 

Instead of launching a full-scale complex “hacking” production, some cybercriminals are opting to act more like scammers as time goes on. This is because they know that the simple stuff (tactics that target individual victims, such as a single employee) is more likely to go unnoticed and unreported due to everyday human absent-mindedness. The Cisco employee who fell victim to this vishing attack received numerous suspicious calls from these “trusted” sources, but like most people with a busy schedule and other preoccupations, they probably did not think anything of it.

Cisco is a highly respected organization, but even they fall victim to human error. In response to this breach, Cisco promotes that spreading more security awareness and providing higher-level employee security training is the solution to preventing further social engineering schemes. In addition to this, it may be beneficial to research why human beings — in the constructs of their psychology and brain development — are so likely to make mistakes in the realm of trust. As much as we do not like to admit it, the fact is that human beings are all about efficiency and convenience. When a problem comes up, we value the ability to solve it fast and without a hassle. Cybercriminals are well aware of this psychological behavior, and therefore, they seek out opportunities to exploit our liberal problem-response mechanisms.

The employee who approved the MFA push request in order to stop the annoying notification flood was merely giving in to natural instinct, and I do not believe anyone else would have done differently. In regard to using technology, most users give little thought to performing any menial action, which is why the act of flooding the victim’s phone with irritating MFA requests is a sure way to achieve a compromise. There is no surprise that social engineering is how this breach was able to occur, but overall, no one can truly prevent these instances from occurring again. Human beings will always be prone to error, but the important factor is to focus on the healing and aftermath of making such mistakes.

As someone who has been scammed before and who has worked with other victims of social engineering attacks, the guilt that a victim feels is usually enough to cause them to never want to be careless again while using technology. If Cisco is so intent on boosting security awareness training for their employees, it may be helpful for them to learn about their employees’ specific psychological behaviors in response to the security protocols already in place. While this may sound like a backwards perspective, most security awareness training programs are not catered to the individual but rather to a mass audience of employees. Organizations may think this is satisfactory for training a large batch of employees, but in the end, people still end up acting without caution. Therefore, it is recommended that adjustments be made to security protocols in order to accommodate individual behaviors, and more research be done to develop each person’s security awareness instincts.

Naveen.sunkavalley, Chief Architect
InfoSec Expert
August 15, 2022 3:17 pm

Compromised credentials and phishing – these continue to be the favored methods attackers use to breach corporate networks, and it’s not surprising that Cisco was breached in this manner. It can happen to any company. 

What is surprising is the ease with which attackers were able to move laterally inside Cisco’s network after initial access. Attackers escalated privileges, compromised Citrix servers, dumped LSASS, took over domain controllers, and dumped NTDS – essentially credentials for every single Cisco employee. With almost 80,000 employees worldwide, a mandatory password reset isn’t enough to protect from future attacks. Attackers will be able to use and re-use those credentials for a long time.

Organizations need to have better security controls to detect and stop attackers after initial access. Better logging, fine-grained network segmentation, effective endpoint detection and response (EDR), and regular internal pentests are all common-sense practices organizations can adopt to protect their environments.

John Gunn, CEO
InfoSec Expert
August 15, 2022 3:14 pm

Even when protected by an army of 4 million IT Security Pros with a combined IT defense spend in excess of $150 billion, we are still seeing devastating hacks that exploit the most basic element of security – user authentication. The industry needs to wake up to the fact that Push Notification is not the panacea it was sold as.

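Both the first comment (the employee approving a push to stop the notification flood) and the last one (push notification not being a panacea) describe the same MFA push-fatigue pattern. As an added illustration that is not part of the article or its comments, the detection below flags an approval that follows a burst of denied or timed-out pushes for the same user; the log format and the sample lines are constructed, not taken from any real system.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from the Cisco incident): one push
# prompt per line, as "timestamp user result source_ip".
SAMPLE_LOG = """\
2022-05-24T09:01:10 alice timeout 203.0.113.9
2022-05-24T09:02:05 alice denied 203.0.113.9
2022-05-24T09:03:30 alice timeout 203.0.113.9
2022-05-24T09:04:45 alice denied 203.0.113.9
2022-05-24T09:06:02 alice approved 203.0.113.9
2022-05-24T09:10:00 bob approved 198.51.100.7
2022-05-24T09:12:00 bob approved 198.51.100.7
"""

def parse(log_text):
    """Yield (timestamp, user, result, source_ip) for each non-empty line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        yield datetime.fromisoformat(ts), user, result, ip

def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_prompts=3):
    """Return one alert per approval that was preceded, within `window`, by at
    least `min_prompts` pushes the user did not approve (denied or timeout).
    A legitimate user normally approves the first prompt, so a burst of
    unapproved prompts followed by an approval is the fatigue signature."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, result, ip)
    alerts = []
    for ts, user, result, ip in parse(log_text):
        q = recent[user]
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if result == "approved":
            unapproved = [e for e in q if e[1] in ("denied", "timeout")]
            if len(unapproved) >= min_prompts:
                alerts.append({
                    "user": user,
                    "approved_at": ts.isoformat(),
                    "source_ip": ip,
                    "prior_unapproved_prompts": len(unapproved),
                    "first_prompt_at": unapproved[0][0].isoformat(),
                })
        q.append((ts, result, ip))
    return alerts
```

An alert like this is a cue to suspend the session and verify the user out of band; number-matching or hardware-backed factors remove the one-tap approval the flood depends on.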