Cisco has confirmed that its security was successfully breached by the Yanluowang ransomware gang in May 2022.
Networking giant Cisco Systems is the latest victim of hacking. The company confirmed that the attackers used a compromised Google account belonging to one of its employees, after the Yanluowang ransomware gang posted a list of files obtained from the company on its data leak site.
Hacking Details
On Wednesday, August 10th, 2022, Cisco Systems confirmed experiencing a cyberattack that took place on 24 May 2022. Sharing its findings, the networking equipment provider stated that the attackers obtained control of an employee’s private Google account, which held passwords synced from the employee’s web browser.
The attackers obtained initial access to Cisco’s VPN after compromising that Google account. The credentials had been synced through the Chrome browser, where the targeted employee had also stored their Cisco credentials.
Consequently, once the Google account was under their control, the attackers could retrieve the synced Cisco credentials. On August 10th, the Yanluowang ransomware gang indirectly took responsibility for the breach by publishing files stolen in the attack on its data leak site.
Investigation of the “Potential Compromise”
Cisco Talos, the company’s threat research team, investigated the May hack and referred to it as a “potential compromise” in the detailed report it published on Wednesday.
Forensic details confirmed the involvement of the Yanluowang threat group, which has ties with Lapsus$ and UNC2447 cybercrime groups. For your information, Lapsus$ was behind some of the most high-profile data breaches in recent months including Microsoft, Okta, T-Mobile, Samsung, and Ubisoft.
As for the Cisco breach, the researchers concluded that the attackers could not deploy ransomware successfully but did succeed in penetrating the network and planting an array of hacking tools. The attackers, according to the researchers, also scanned the company’s internal network, a common step taken before deploying ransomware.
How Did the Attackers Bypass MFA?
Cisco said the attackers used several techniques to bypass the multifactor authentication (MFA) protecting the VPN client, including voice phishing (vishing) and MFA fatigue. In an MFA fatigue attack, the attacker floods the target’s device with push requests until the user accepts one simply to stop the stream of notifications.
Cisco Talos threat researchers determined that the MFA spoofing attacks launched against employees eventually succeeded, giving the attackers access to the VPN software. After obtaining initial access, they enrolled several new devices for MFA and authenticated them successfully to the company’s VPN.
Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.
Cisco Talos threat researchers
The attackers then escalated to administrative privileges and were able to log in to multiple systems. This raised suspicion, and Cisco’s Security Incident Response Team intervened to mitigate the threat.
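The three behaviours described above (a burst of MFA push requests ending in an approval, a new MFA device enrolled shortly after a fresh VPN session, and one account logging in to many hosts in a short window) each leave a trace in authentication logs. The following is an added detection example, not code from Cisco or Cisco Talos; the key=value log format and the sample events are constructed for illustration, and the event names (mfa_push, vpn_login, mfa_device_enrolled, host_login) are assumptions to be mapped onto your own identity provider and VPN exports.

```python
"""Detection heuristics for the MFA-fatigue / device-enrollment / fan-out pattern.

Added example (not Cisco Talos code). The log format and event names below are
assumptions; adapt the field names to the IdP and VPN logs you actually have.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real Cisco data). One account, "jdoe", shows the
# full pattern; "asmith" is a normal user included as a control.
SAMPLE_LOG = """\
2022-05-24T09:00:01Z user=jdoe event=mfa_push result=denied
2022-05-24T09:00:40Z user=jdoe event=mfa_push result=denied
2022-05-24T09:01:15Z user=jdoe event=mfa_push result=timeout
2022-05-24T09:02:02Z user=jdoe event=mfa_push result=denied
2022-05-24T09:02:50Z user=jdoe event=mfa_push result=timeout
2022-05-24T09:03:30Z user=jdoe event=mfa_push result=approved
2022-05-24T09:03:31Z user=jdoe event=vpn_login result=success src=203.0.113.7
2022-05-24T09:20:12Z user=jdoe event=mfa_device_enrolled device=new-phone
2022-05-24T09:45:00Z user=jdoe event=host_login host=srv-a result=success
2022-05-24T09:47:10Z user=jdoe event=host_login host=srv-b result=success
2022-05-24T09:49:33Z user=jdoe event=host_login host=srv-c result=success
2022-05-24T09:51:00Z user=jdoe event=host_login host=srv-d result=success
2022-05-24T10:15:00Z user=asmith event=mfa_push result=approved
2022-05-24T10:15:01Z user=asmith event=vpn_login result=success src=198.51.100.9
2022-05-24T11:30:00Z user=asmith event=host_login host=srv-a result=success
"""


def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        fields = dict(p.split("=", 1) for p in parts[1:])
        fields["ts"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    events.sort(key=lambda e: e["ts"])
    return events


def find_push_bursts(events, min_pushes=5, window=timedelta(minutes=10)):
    """Return {user: max pushes seen in any sliding window} for users at or above
    min_pushes. Every push counts, approved or not: the fatigue signal is the
    volume, and the final 'approved' is precisely the event we must not miss."""
    flagged = {}
    recent = defaultdict(deque)
    for e in events:
        if e.get("event") != "mfa_push":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= min_pushes:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(q))
    return flagged


def find_suspicious_enrollments(events, window=timedelta(hours=1)):
    """Flag MFA device enrollments within `window` of a successful VPN login by
    the same user; registering a fresh authenticator right after gaining a
    session is how an intruder turns one approved push into persistent access."""
    last_login = {}
    hits = []
    for e in events:
        if e.get("event") == "vpn_login" and e.get("result") == "success":
            last_login[e["user"]] = e["ts"]
        elif e.get("event") == "mfa_device_enrolled":
            t = last_login.get(e["user"])
            if t is not None and e["ts"] - t <= window:
                hits.append((e["user"], e.get("device"), e["ts"] - t))
    return hits


def find_host_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """Return {user: max distinct hosts logged into within `window`} for users
    reaching min_hosts: the 'one account, many systems' pattern noted above."""
    flagged = {}
    recent = defaultdict(deque)  # user -> deque of (ts, host)
    for e in events:
        if e.get("event") != "host_login" or e.get("result") != "success":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(hosts))
    return flagged


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("push bursts:", find_push_bursts(ev))
    print("enrollments after login:", find_suspicious_enrollments(ev))
    print("host fan-out:", find_host_fanout(ev))
```

Thresholds are deliberately conservative starting points; tune them against a baseline of your own users, and treat a hit on all three checks for the same account within an hour as a single high-priority alert rather than three separate ones.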
Further digging revealed that the ransomware gang used remote access and offensive security tools in the attack. These tools included the following:
- TeamViewer
- LogMeIn (now GoTo)
Cisco then implemented a company-wide password reset and disclosed its findings in the report. The company has also created two Clam AntiVirus (ClamAV) signatures to detect and prevent further compromise.