Cisco has admitted that its corporate network was compromised and the company suffered a data exfiltration due to a compromised employee’s account.
Great details on how Cisco got hacked. 1- Personal Google account of an employee gets compromised – it has password sync enabled. 2- Got all the employee's passwords, including their Cisco VPN credentials. 3- Phishing to accept 2FA. 4- They are in. https://t.co/M5kVfyepKH — Daniel Cid (@danielcid) August 11, 2022
On the sensitivity of the stolen data:
“Whether this incident was overstated by Yanluowang depends on perspective. From analyzing the directory leaked and Cisco’s statement, it seems that the data exfiltrated – both in size and content – is not of great importance or sensitivity.
“However, as was the case with a number of attacks by actors such as LAPSUS$, sometimes the act of compromising a corporate network itself can be enough for threat actors to gain mainstream publicity and underground ‘cred’, which can lead to further resources and collaboration in the future that could be more materially damaging.
“This attack can certainly be viewed as part of a broader trend of ransomware threat actors diversifying away from pure encrypt-and-extort, with Yanluowang previously claiming to have breached Walmart despite the company stating there was no ransomware deployed on its systems.”
On Yanluowang’s connection to LAPSUS$:
“The Tactics, Techniques and Procedures (TTPs) identified by Cisco led them to draw a link between an initial access broker (IAB) associated with LAPSUS$ and this attack by Yanluowang.
“It’s not uncommon for IABs to act as contractors for different threat actors, with many auctioning their access to corporate networks on popular dark web hacking forums. Monitoring these forums can provide advance warning that an attack is likely to occur against a company of a particular size and in a particular sector and geographical location.”
On how the attack was executed:
“The initial access vector in this case was an employee’s personal Google account, with password syncing enabled and their Cisco credentials stored in the Google Chrome browser, which allowed them to be accessed via the personal Google account.
“It’s currently not known how the personal account was compromised, though methods could range from obtaining leaked credentials in a database dump (which would still require further reconnaissance to ascertain the victim’s professional position) to buying logs from stealer malware inadvertently downloaded by the victim.
“This incident could support the case for broadening the criteria for credentials monitoring, as well as highlighting the importance of cyber hygiene and disabling syncing and store-in-browser features for privileged credentials.”
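The mitigation named above, disabling sync and store-in-browser features for privileged credentials, is something a defender can audit rather than just recommend. The following is an added example, not code from the article or from Cisco, that checks a Chrome managed-policy document for the two settings that made this initial access vector possible (browser password storage and profile sync to a Google account). The policy names PasswordManagerEnabled, SyncDisabled and BrowserSignin are real Chrome enterprise policies; the two sample policy documents are constructed for this example.

```python
import json

# Constructed sample: a policy that still allows the browser to store
# credentials and to sync them to whatever Google account is signed in.
WEAK_POLICY = json.dumps({
    "PasswordManagerEnabled": True,
    "SyncDisabled": False,
})

# Constructed sample: the hardened form of the same policy.
HARDENED_POLICY = json.dumps({
    "PasswordManagerEnabled": False,   # no store-in-browser for credentials
    "SyncDisabled": True,              # no profile sync to a (personal) Google account
    "BrowserSignin": 0,                # 0 = browser sign-in disabled entirely
})

# Each check: (policy key, required value, finding text when the check fails).
CHECKS = [
    ("PasswordManagerEnabled", False, "browser password store is enabled"),
    ("SyncDisabled", True, "profile sync (including saved passwords) is allowed"),
    ("BrowserSignin", 0, "signing the browser into a Google account is allowed"),
]


def audit_policy(policy_json):
    """Return a list of findings for a Chrome managed-policy JSON document.

    A missing key is reported as a finding: Chrome then falls back to its
    permissive default, which is exactly the state this check is meant to catch.
    """
    policy = json.loads(policy_json)
    findings = []
    for key, required, message in CHECKS:
        actual = policy.get(key)
        if actual != required:
            findings.append(f"{key}={actual!r}: {message}")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc) or "no findings")
```

On Linux the managed policy lives under /etc/opt/chrome/policies/managed/, on Windows and macOS it is delivered through the registry or a configuration profile; the checker only cares about the resulting JSON, so it can be pointed at whichever representation the endpoint management tool exports.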
On emerging techniques for bypassing MFA:
“Cisco’s statement mentions that the threat actor was able to bypass multi-factor-authentication (MFA) with a combination of voice-phishing – a form of social engineering – and MFA fatigue – arguably a form of brute forcing. These are both techniques that we have observed being discussed in dark web forums recently, especially as MFA solutions become more widely implemented as a way to prevent account takeover. This incident shows just how quickly threat actors adapt to and overcome obstacles to cybercrime, and reinforces the necessity for businesses to have visibility of the dark web to gain insight into emerging cybercriminal techniques and to educate their employees on what to look out for.”
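MFA fatigue, described above as a form of brute forcing, has a recognisable footprint in authentication logs: a burst of push prompts that the user denies or lets time out, sometimes followed by a single approval. The example below is added here and is not code from the article or from any MFA vendor; it runs a sliding-window detector over constructed push-notification log lines in an assumed "timestamp user result" format and flags both the burst and the approval that follows it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: "<ISO timestamp> <user> <result>").
# alice receives a burst of prompts at night and finally approves one;
# bob's single denial is the normal background noise of a real user.
SAMPLE_LOG = """\
2022-08-10T01:12:03Z alice push_denied
2022-08-10T01:12:41Z alice push_denied
2022-08-10T01:13:20Z alice push_timeout
2022-08-10T01:14:02Z alice push_denied
2022-08-10T01:15:55Z alice push_approved
2022-08-10T09:00:10Z bob push_approved
2022-08-10T09:30:44Z bob push_denied
2022-08-10T17:02:00Z bob push_approved
"""

# Results that mean the prompt was not accepted by the user.
UNANSWERED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Turn the sample log into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return alerts for users with >= threshold unanswered prompts inside `window`.

    An approval that arrives while such a burst is still within the window is
    reported separately, because that is the moment the bypass succeeded.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent unanswered prompts
    alerts = []
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts older than the window
            q.popleft()
        if result in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold:
                alerts.append((user, ts, f"burst of {len(q)} unanswered prompts"))
        elif result == "push_approved" and len(q) >= threshold:
            alerts.append((user, ts, f"approval after {len(q)} unanswered prompts"))
            q.clear()
    return alerts


def flagged_users(text):
    """Convenience wrapper: the set of users with at least one alert."""
    return {user for user, _, _ in detect_fatigue(parse_log(text))}


if __name__ == "__main__":
    for user, ts, why in detect_fatigue(parse_log(SAMPLE_LOG)):
        print(ts.isoformat(), user, why)
```

The threshold and window are the knobs to tune against real traffic; the "approval after burst" alert is the one worth paging on, since it indicates the prompt was finally accepted, and an identity provider that supports number matching or a per-user prompt rate limit removes most of the signal this detector is looking for in the first place.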
Well, this has to be more than a little embarrassing for Cisco’s “threat-intelligence” business. However, this attack underscores how any company or organization can be an attractive target for the bad actors of the world. Organizations need to stay on things by hardening their networks, keeping all software updated, and educating employees and executives as to the perils of hack attempts like this.
This was a sophisticated attack on a high-profile target by experienced hackers that required a lot of persistence and coordination to pull off. It was a multi-stage attack that required compromising a user’s credentials, phishing other staff for MFA codes, traversing Cisco’s corporate network, taking steps to maintain access and hide traces, and exfiltrating data. Cisco says the attack was most likely carried out by an initial access broker, or IAB. Although some data was exfiltrated, an IAB’s main role is to sell other hackers access to private networks, who might later carry out further attacks such as data theft, supply chain attacks on Cisco software, and ransomware.
In ransomware attacks like this one, we look for the slivers of good news: no sensitive data was compromised. But this incident underscores a harsh reality that every organization must confront – a ransomware attack isn’t just a remote possibility but rather a likely imminent event. Organizations need to prepare for this eventuality with robust recovery capabilities combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t extract sensitive data. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data.
Cybersecurity and technology vendors are now massively targeted by sophisticated threat actors for different interplayed reasons. First, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply-chain attacks. Second, vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed at finding out where law enforcement and private vendors are with their investigations and upcoming police raids. Third, some vendors are a highly attractive target because they possess the most recent DFIR tools and techniques used to detect intrusions and uncover cybercriminals, whilst some other vendors may have exploits for 0day vulnerabilities or even source code of sophisticated spyware, which can later be used against new victims or sold on the Dark Web. That being said, we shall prepare for a continually growing volume and sophistication of cyberattacks targeting technology companies, namely security vendors.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest Information Security news and topics.