How Cisco Got Hacked, With 2.8GB Taken From Its Corporate Network: Experts Weigh In

Cisco has admitted that its corporate network was compromised and that data was exfiltrated after an employee's account was taken over.

Louise Ferrett, Threat Intelligence Analyst
InfoSec Expert
August 15, 2022 3:26 pm

On the sensitivity of the stolen data:

“Whether this incident was overstated by Yanluowang depends on perspective. From analyzing the directory leaked and Cisco’s statement, it seems that the data exfiltrated – both in size and content – is not of great importance or sensitivity.

“However, as was the case with a number of attacks by actors such as LAPSUS$, sometimes the act of compromising a corporate network itself can be enough for threat actors to gain mainstream publicity and underground ‘cred’, which can lead to further resources and collaboration in the future that could be more materially damaging.

“This attack can certainly be viewed as part of a broader trend of ransomware threat actors diversifying away from pure encrypt-and-extort, with Yanluowang previously claiming to have breached Walmart despite the company stating there was no ransomware deployed on its systems.”

On Yanluowang’s connection to LAPSUS$:

“The Tactics, Techniques and Procedures (TTPs) identified by Cisco led them to draw a link between an initial access broker (IAB) associated with LAPSUS$ and this attack by Yanluowang.

“It’s not uncommon for IABs to act as contractors for different threat actors, with many auctioning their access to corporate networks on popular dark web hacking forums. Monitoring these forums can provide advance warning that an attack is likely to occur against a company of a particular size and in a particular sector and geographical location.”

On how the attack was executed:

“The initial access vector in this case was an employee’s personal Google account, with password syncing enabled and their Cisco credentials stored in the Google Chrome browser, which allowed them to be accessed via the personal Google account.

“It’s currently not known how the personal account was compromised, though methods could range from obtaining leaked credentials in a database dump (which would still require further reconnaissance to ascertain the victim’s professional position) to buying logs from stealer malware inadvertently downloaded by the victim.

“This incident could support the case for broadening the criteria for credentials monitoring, as well as highlighting the importance of cyber hygiene and disabling syncing and store-in-browser features for privileged credentials.”

On emerging techniques for bypassing MFA:

“Cisco’s statement mentions that the threat actor was able to bypass multi-factor authentication (MFA) with a combination of voice phishing – a form of social engineering – and MFA fatigue – arguably a form of brute forcing. These are both techniques that we have observed being discussed in dark web forums recently, especially as MFA solutions become more widely implemented as a way to prevent account takeover. This incident shows just how quickly threat actors adapt to and overcome obstacles to cybercrime, and reinforces the necessity for businesses to have visibility of the dark web to gain insight into emerging cybercriminal techniques and to educate their employees on what to look out for.”

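The MFA fatigue pattern described in the comment above (repeated push prompts until the user finally approves one) is something an identity team can look for in its own authentication logs. The following is an added example, not code from the page or from Cisco: it assumes a simple whitespace-separated log format (timestamp, user, push result, source IP) and constructed sample lines, and flags a burst of unapproved prompts that ends in an approval.

```python
"""Detect MFA push fatigue: a burst of denied/timed-out push prompts that
ends in an approval. Added example; log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): ISO timestamp, user,
# push result, source IP. Lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2022-08-01T09:00:05Z alice push_denied 203.0.113.7
2022-08-01T09:00:41Z alice push_timeout 203.0.113.7
2022-08-01T09:01:10Z alice push_denied 203.0.113.7
2022-08-01T09:01:55Z alice push_denied 203.0.113.7
2022-08-01T09:02:30Z alice push_approved 203.0.113.7
2022-08-01T09:05:00Z bob push_approved 198.51.100.2
2022-08-01T11:00:00Z bob push_denied 198.51.100.2
2022-08-01T11:30:00Z bob push_approved 198.51.100.2
"""

WINDOW = timedelta(minutes=10)   # how far back unapproved prompts count
MAX_UNAPPROVED = 3               # burst size that makes an approval suspicious


def parse_line(line):
    """Split one log line into (datetime, user, result, ip)."""
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def detect_push_fatigue(log_text, window=WINDOW, max_unapproved=MAX_UNAPPROVED):
    """Return alerts as (user, ip, unapproved_count, approved_at).

    For each user we keep the timestamps of recent denied/timed-out prompts
    inside `window`. An approval that arrives while that queue holds at least
    `max_unapproved` entries is the signature of a worn-down user.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for raw in log_text.splitlines():
        ts, user, result, ip = parse_line(raw)
        q = recent[user]
        while q and ts - q[0] > window:   # expire prompts outside the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
        elif result == "push_approved":
            if len(q) >= max_unapproved:
                alerts.append((user, ip, len(q), ts))
            q.clear()                     # a burst ends at the approval
    return alerts
```

In the constructed sample, alice approves after four unapproved prompts within ten minutes and is flagged, while bob's lone denial thirty minutes before his approval falls outside the window and is not.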
Chris Hauk, Consumer Privacy Champion
InfoSec Expert
August 15, 2022 3:23 pm

Well, this has to be more than a little embarrassing for Cisco’s “threat-intelligence” business. However, this attack underscores how any company or organization can be an attractive target for the bad actors of the world. Organizations need to stay on things by hardening their networks, keeping all software updated, and educating employees and executives as to the perils of hack attempts like this.

Paul Bischoff, Privacy Advocate
InfoSec Expert
August 15, 2022 3:22 pm

This was a sophisticated attack on a high-profile target by experienced hackers that required a lot of persistence and coordination to pull off. It was a multi-stage attack that required compromising a user’s credentials, phishing other staff for MFA codes, traversing Cisco’s corporate network, taking steps to maintain access and hide traces, and exfiltrating data. Cisco says the attack was most likely carried out by an initial access broker, or IAB. Although some data was exfiltrated, an IAB’s main role is to sell other hackers access to private networks, who might later carry out further attacks such as data theft, supply chain attacks on Cisco software, and ransomware.

Erfan Shadabi, Cybersecurity Expert
InfoSec Expert
August 15, 2022 3:22 pm

In ransomware attacks like this one, we look for the slivers of good news: no sensitive data was compromised. But this incident underscores a harsh reality that every organization must confront – a ransomware attack isn’t just a remote possibility but rather a likely imminent event. Organizations need to prepare for this eventuality with robust recovery capabilities combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t extract sensitive data. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data.

Ilia Kolochenko, Founder and CEO
InfoSec Expert
August 11, 2022 12:19 pm

Cybersecurity and technology vendors are now massively targeted by sophisticated threat actors for different interplayed reasons. First, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply-chain attacks. Second, vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations aimed at finding out where law enforcement and private vendors are with their investigations and upcoming police raids. Third, some vendors are a highly attractive target because they possess the most recent DFIR tools and techniques used to detect intrusions and uncover cybercriminals, whilst some other vendors may have exploits for 0-day vulnerabilities or even source code of sophisticated spyware, which can later be used against new victims or sold on the Dark Web. That being said, we shall prepare for a continually growing volume and sophistication of cyberattacks targeting technology companies, namely security vendors.
