Cisco hacked by Yanluowang ransomware gang

Cisco confirmed that their corporate network was breached by the Yanluowang ransomware group in late May and the threat actor tried to extort them by threatening to leak the stolen files online.

The company stated that the attackers could access and steal non-sensitive data from a Box folder linked to a compromised employee’s account.

According to a Cisco spokesperson, the company did not identify any impact to its business from this incident, including to Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

On August 10, the threat actors published a list of files from this security incident on the dark web.

The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser.

The attackers convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue (repeated push prompts) combined with a series of sophisticated voice phishing calls in which the Yanluowang gang impersonated trusted support organizations.

The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
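The MFA fatigue pattern described above (a burst of rejected or unanswered push prompts followed by an approval) is something a defender can hunt for in authentication logs. The following is an added example, not Cisco's tooling or any vendor's API: it parses a constructed, hypothetical push-log format (timestamp, user, result) and flags approvals preceded by several failed pushes within a short window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical CSV format: timestamp,user,result).
# "alice" shows the fatigue pattern; "bob" and "carol" are normal activity.
SAMPLE_LOG = """\
2022-05-24T22:01:05Z,alice,denied
2022-05-24T22:01:40Z,alice,timeout
2022-05-24T22:02:12Z,alice,denied
2022-05-24T22:03:02Z,alice,denied
2022-05-24T22:03:50Z,alice,approved
2022-05-24T22:05:00Z,bob,approved
2022-05-24T22:06:00Z,carol,denied
2022-05-24T22:30:00Z,carol,approved
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def find_mfa_fatigue(events, window_minutes=10, min_failed=3):
    """Return (user, approval_time, failed_count) for every approval that follows
    at least `min_failed` denied/timed-out pushes within the preceding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes in window
    alerts = []
    for ts, user, result in sorted(events):
        q = recent[user]
        while q and ts - q[0] > window:  # drop pushes that fell out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
        elif result == "approved":
            if len(q) >= min_failed:
                alerts.append((user, ts, len(q)))
            q.clear()  # an approval ends the current prompt sequence
    return alerts

if __name__ == "__main__":
    for user, when, count in find_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA fatigue: {user} approved at {when} after {count} failed pushes")
```

Thresholds are deliberately parameters: a single denied push followed by a later approval is ordinary user behaviour, so tune the window and count against your own baseline before alerting.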

After getting a foothold on the company's corporate network, the Yanluowang gang moved laterally to Citrix servers and domain controllers. They then used enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information, and installed a series of payloads onto compromised systems, including a backdoor.

Ultimately, Cisco detected and removed them from its environment, but they continued trying to regain access over the following weeks.

Last week, the threat actor behind the Cisco hack claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings. Now they have added the Cisco breach on their data leak site and published a directory listing.

However, Cisco said that they have found no evidence of ransomware payloads during the attack.

The post Cisco hacked by Yanluowang ransomware gang first appeared on Cybersafe News.