Network giant Cisco suffers data extortion: VPN access stolen, 2.8GB of data leaked

·Cisco officially disclosed that its internal network was breached by the Yanluowang ransomware gang, that a small amount of non-sensitive data was leaked, and published its account of the attack and its response;

·The attacker hijacked an employee’s personal Google account, obtained the employee’s Cisco VPN credentials from the passwords synced in the browser, and obtained the employee’s second-factor verification through an elaborate voice phishing call, thereby gaining access to the internal network and stealing data;

·The attackers claim to have stolen 2.75GB of data, around 3,100 files, many of which are non-disclosure agreements, data dumps and engineering drawings.

Cisco confirmed yesterday that the Yanluowang ransomware gang breached its corporate network in late May, and that the attackers tried to extort a ransom by threatening to release the stolen files.

Cisco says the only data the attackers stole was non-sensitive data in a Box folder associated with the compromised employee account.

A Cisco spokesperson confirmed that the company took containment and recovery measures. “Cisco experienced an enterprise cybersecurity incident in late May 2022. We took immediate action to contain and clean up the malicious hacker.”

“Cisco is not aware of any impact on the company’s business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property or supply chain operations, from this incident.”

“On August 10th, malicious hackers posted a list of files stolen during this period to the dark web. We have taken additional steps to protect our systems and released technical details to help protect the wider security community.”

Hacking Cisco Networks Using Stolen Employee Credentials

The Yanluowang attackers first hijacked a Cisco employee’s personal Google account, which contained credentials synced from the browser, and then used the stolen credentials to gain access to Cisco’s network.

The Yanluowang gang then sent the employee a flood of multi-factor authentication (MFA) push notifications, an MFA fatigue tactic intended to wear the target down, and followed up with a series of sophisticated voice phishing calls in which they posed as a trusted support organization.

Eventually the attackers induced the victim to accept one of the MFA push notifications, granting them VPN access in the context of the targeted user.

After gaining a foothold on Cisco’s corporate network, the Yanluowang gang moved laterally to Citrix servers and domain controllers.

“The adversary entered the Citrix environment, compromised a series of Citrix servers, and eventually gained privileged access to the domain controller,” said Talos, Cisco’s security research team.

After obtaining domain administrator privileges, they used tools such as ntdsutil, adfind and secretsdump to enumerate the domain and gather further information, and installed a variety of payloads, including backdoors, on the compromised systems.

Ultimately, Cisco detected the malicious activity and evicted the attackers from its environment. In the weeks that followed, the Yanluowang gang made multiple attempts to regain access.
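The two stages described above, the MFA push storm that ends in a single approval and the later use of ntdsutil, adfind and secretsdump on internal servers, both leave traces in ordinary logs. The following is an added example of detection logic for those traces, written for this page; it is not Cisco or Talos code. The log format (space-separated key=value fields after a timestamp), the usernames, hostnames and timestamps are all constructed for the example, and the window and threshold values are assumptions to tune against your own MFA baseline.

```python
"""Detections for MFA push fatigue and for AD enumeration / credential-dumping
tool execution, run over constructed sample log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed MFA events (hypothetical format): one user receives seven pushes in
# eight minutes and finally approves one; a second user shows normal activity.
MFA_LOG = """\
2022-05-24T09:01:03Z user=jdoe event=push_sent result=denied
2022-05-24T09:01:41Z user=jdoe event=push_sent result=timeout
2022-05-24T09:02:20Z user=jdoe event=push_sent result=denied
2022-05-24T09:03:05Z user=jdoe event=push_sent result=timeout
2022-05-24T09:04:47Z user=jdoe event=push_sent result=denied
2022-05-24T09:06:30Z user=jdoe event=push_sent result=timeout
2022-05-24T09:09:12Z user=jdoe event=push_sent result=approved
2022-05-24T09:15:00Z user=asmith event=push_sent result=approved
2022-05-24T11:40:00Z user=asmith event=push_sent result=approved
"""

# Constructed process-creation events (hypothetical format and hostnames).
PROCESS_LOG = """\
2022-05-25T14:02:11Z host=CTX-SRV01 user=CORP\\jdoe image=C:\\Windows\\System32\\ntdsutil.exe
2022-05-25T14:05:43Z host=CTX-SRV01 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdFind.exe
2022-05-25T14:07:02Z host=DC01 user=CORP\\svc_backup image=C:\\Tools\\secretsdump.exe
2022-05-25T14:08:15Z host=CTX-SRV01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe
"""

# Tool names the article lists; matched on the image file name without extension.
SUSPECT_TOOLS = {"ntdsutil", "adfind", "secretsdump"}


def parse_events(log):
    """Turn 'TIMESTAMP k=v k=v ...' lines into dicts with a parsed 'ts' field."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who receive >= threshold pushes inside a sliding window.
    Returns {user: {"pushes": n, "approved_in_window": bool, "start": iso}}
    keeping the busiest window per user. An approval at the end of a storm is
    the high-priority case: the user may have been worn down or talked into it."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "push_sent":
            by_user[ev["user"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(in_window) < threshold:
                continue
            approved = any(e.get("result") == "approved" for e in in_window)
            best = alerts.get(user)
            if best is None or len(in_window) > best["pushes"]:
                alerts[user] = {
                    "pushes": len(in_window),
                    "approved_in_window": approved,
                    "start": start["ts"].isoformat(),
                }
    return alerts


def detect_ad_tooling(events, allowed_users=frozenset()):
    """Flag executions of ntdsutil / adfind / secretsdump. ntdsutil is a
    legitimate admin tool, so pass the accounts that are expected to run it
    as allowed_users to cut noise instead of dropping the rule."""
    hits = []
    for ev in events:
        image = ev.get("image")
        if not image:
            continue
        tool = PureWindowsPath(image).stem.lower()
        if tool in SUSPECT_TOOLS and ev.get("user") not in allowed_users:
            hits.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                         "user": ev["user"], "tool": tool})
    return hits


if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(parse_events(MFA_LOG)).items():
        print(f"MFA fatigue: {user} {alert}")
    for hit in detect_ad_tooling(parse_events(PROCESS_LOG)):
        print(f"AD tooling: {hit}")
```

Both detections are deliberately simple so they can be read at a glance; in production the MFA rule would key on the identity provider's push event type rather than a constructed field name, and the tooling rule would also look at command lines, since secretsdump is normally run as an Impacket script rather than a standalone executable.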

The Talos team added, “After gaining initial access, the malicious hackers took a variety of actions to maintain access, hoping to disrupt forensic trails as much as possible and increase their level of access to systems in the environment.”

“Malicious hackers were then successfully cleaned out of the Cisco environment, but they didn’t give up. They made repeated attempts to regain access in the weeks following the attack, but none of these attempts worked.”

Hackers claim to have stolen Cisco data

Last week, the attackers emailed BleepingComputer a listing of documents allegedly stolen from Cisco during the attack.

The attackers claimed to have stolen a total of 2.75 GB of data, containing around 3,100 files. Many of these are non-disclosure agreements, data dumps and engineering drawings.

The hackers also showed us a redacted non-disclosure agreement (NDA) obtained during the attack as proof of the intrusion, and “suggested” that the document had been stolen after Cisco’s network was compromised.

The attackers have since published the Cisco breach on their data leak site, along with the same file listing we had previously received.

No Ransomware Was Deployed on Cisco Systems

Cisco stressed that although the Yanluowang gang is known to encrypt and lock victims’ files, there was no evidence of a ransomware payload in this attack.

Yesterday (August 10), the Cisco Talos team published an article on its response to the incident, saying, “Although we did not observe ransomware deployment in this attack, the tactics, techniques and procedures (TTPs) used by the malicious hackers are consistent with previously observed ‘pre-ransomware activity’. In other words, the attackers still went through the entire preparation routine that precedes the actual deployment of ransomware.”

“We have moderate to strong confidence that the attack was carried out by an Initial Access Broker (IAB). This broker has previously been confirmed to be connected with the UNC2447 cybercriminal gang, the Lapsus$ gang and the Yanluowang ransomware gang.”

The Yanluowang gang also recently claimed to have breached the systems of US retail giant Walmart, which the company flatly denied. Walmart told us it found no evidence of a ransomware attack.

Attackers are always looking for new ways to gain access to people’s information. Although no real harm was done this time, the data leak shows the exposure: if there had been critical data in that folder, Mandiant could be in a far worse position today. Data breaches therefore affect security vendors just as they affect ordinary enterprises and individuals, so organizations and their employees must take proactive steps to protect data, including backing it up for disaster recovery to reduce these risks.

Information security solutions are increasingly numerous and simple to implement. Take the widely recommended virtual machine backup as an example. Virtual machines can run several operating systems concurrently, conserving both physical and virtual resources, and RHV Backup, VMware Backup, XenServer Backup, Hyper-V Backup and other virtual machine backup technologies are now widely used.
