The large technology company Cisco confirmed in recent days that it was the victim of a cyberattack perpetrated last May. The confirmation comes because the Yanluowang ransomware group published a list of files stolen from Cisco. But there are many more details surrounding this attack and what has been shared these days. Read everything in the following lines.
Cisco confirms hack due to Yanluowang’s post
On August 10, the Yanluowang ransomware gang published a list of files associated with this attack on its data leak site. For this reason, Cisco confirmed that they were victims of a hack last May. However, it must be clarified that the group has never directly confirmed that they are the original authors of this hack.
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account,” Cisco Talos said in a detailed write-up. “The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.”
This attack on Cisco demonstrates something that has been said for many years: professional and personal accounts should never be mixed. In the case of this employee, having his Cisco credentials saved in the Google Smart Lock associated with his personal account was the weakness that the cybercriminals were waiting for. Although the attackers managed to infiltrate its internal systems, the company does not believe that the compromised information contains sensitive or highly important data.
In addition to this, the attackers also used a technique derived from phishing, known as vishing, which is nothing more than deception over the phone by voice, combined with multi-factor authentication (MFA) fatigue: the user was bombarded with push notifications until, worn down by their sheer number, he gave in.
“The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user,” Cisco Talos noted.
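The MFA fatigue pattern described above leaves a recognizable trace in identity-provider logs: a burst of denied or timed-out push prompts for one user, followed by an approval. The following detector is an added example written for this post, not code from Cisco Talos or from the article; the log format and the user names are constructed for the example, and the thresholds (three rejections within ten minutes) are assumptions to tune against your own push volume.

```python
"""Flag MFA push-fatigue bursts in authentication logs (added example).

Assumed, simplified log format per line: ISO-8601 timestamp, user, push result
(push_denied, push_timeout or push_approved). Map these fields to whatever
your identity provider actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for the example: alice is hammered with prompts and
# finally approves one; bob approves normally; carol's single denial is stale.
SAMPLE_LOG = """\
2022-05-24T08:01:10Z alice push_denied
2022-05-24T08:01:55Z alice push_denied
2022-05-24T08:02:40Z alice push_timeout
2022-05-24T08:03:05Z alice push_denied
2022-05-24T08:03:50Z alice push_timeout
2022-05-24T08:04:30Z alice push_approved
2022-05-24T08:10:00Z bob push_approved
2022-05-24T09:00:00Z carol push_denied
2022-05-24T09:45:00Z carol push_approved
"""

REJECTIONS = ("push_denied", "push_timeout")


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_fatigue(log_text, min_rejections=3, window=timedelta(minutes=10)):
    """Return {user: approval timestamp} for approvals that follow a burst.

    An approval is suspicious when at least `min_rejections` denied or
    timed-out pushes for the same user occurred within `window` before it.
    """
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        events[user].append((ts, result))

    findings = {}
    for user, evs in events.items():
        evs.sort()  # oldest first, so evs[:i] are the events before index i
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            recent_rejections = [
                r for t, r in evs[:i] if ts - t <= window and r in REJECTIONS
            ]
            if len(recent_rejections) >= min_rejections:
                findings[user] = ts
    return findings


if __name__ == "__main__":
    for user, ts in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA fatigue: {user} approved a push at {ts.isoformat()} "
              f"after repeated rejections")
```

Only `alice` is flagged on the sample: her five rejections land inside the ten-minute window before the approval, while `bob` never rejected a prompt and `carol`'s one denial is both too old and below the threshold. In production the alert should be paired with a temporary block on further pushes to that user and a forced credential reset, the response the article describes Cisco taking company-wide.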
In addition to Yanluowang, there are also indications that LAPSUS$ and UNC2447 are behind the attack, the latter group known to have roots in Russia. Cisco explains that after gaining access to the worker’s account, they were able to access different systems through it, until they reached the Citrix environment and its servers. Using Remote Desktop Protocol (RDP) and Citrix itself, they were able to move files between systems, but never used ransomware.
“While we did not observe ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” the company said.
Finally, Cisco stated that no customer data, employee data, or other sensitive information was compromised. The company also started a company-wide password reset. The San Jose-based company said that, since May, it has succeeded in blocking any further attempts at unauthorized access to its systems.
Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.
Facebook: Eagle Tech Corp
LinkedIn: Eagle Tech
YouTube: Eagle Tech Corp