Thu | Aug 11, 2022 | 3:41 PM PDT

Networking equipment giant Cisco confirmed it fell victim to a cyberattack earlier this year that was orchestrated by a threat actor associated with the Yanluowang ransomware gang.

Cisco became aware of the incident on May 24, 2022, and immediately activated the Cisco Security Incident Response Team (CSIRT) and Cisco Talos to investigate the situation.

The company learned that an employee's credentials were compromised after the threat actor took control of a personal Google account in which the credentials were saved in the victim's browser through syncing. Cisco explains:

"Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.

After obtaining the user's credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka 'vishing') and MFA fatigue, the process of sending a high volume of push requests to the target's mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving."

Once the threat actor had access, they conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. 

Cisco Talos says it was able to successfully remove the attacker from the environment, though they repeatedly tried to regain access for weeks after the initial compromise.

There is no evidence that suggests the threat actor gained access to critical internal systems, such as those related to product development, code signing, etc. 

Cisco attacker connected to multiple ransomware gangs

The company believes that the attacker is an individual who has previously been identified as an initial access broker (IAB) and has ties to the UNC2447, Lapsus$, and Yanluowang cybercrime gangs. 

Talos discusses the connection to these criminal organizations:

"Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$.

IABs typically attempt to obtain privileged access to corporate network environments and then monetize that access by selling it to other threat actors who can then leverage it for a variety of purposes.

We have also observed previous activity linking this threat actor to the Yanluowang ransomware gang, including the use of the Yanluowang data leak site for posting data stolen from compromised organizations."

Though no ransomware was actually deployed during this cyberattack, Cisco did say that the TTPs used were consistent with "pre-ransomware activity," meaning the typical activity observed before ransomware deployment.

Cisco Talos provides additional technical information of the attack in a detailed report.

Protect your organization against cyberattacks

After reading the report from Talos, you might be wondering how your organization can better defend against cyberattacks. Some security professionals shared their wisdom on the matter with SecureWorld News.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, shares his thoughts on the Cisco cyberattack:

"Detecting attacks against an organization's staff that falls outside their work environment can be very difficult. That appears to be what happened with this attack on Cisco. The attackers compromised a user's personal account and leveraged that to break into the corporate environment. Without visibility into their user's personal assets, there's not much they can do to protect them. Though this does show some of the risks of having our personal and professional lives sharing the same systems.

Once a threat actor gets that first toehold, there is more the Security Operations team can do to detect and repel the attack. But when it's targeting the user's own accounts there's not much they can do."

What can be done to defend against these attacks?

Dimitri Nemirovsky, Co-Founder and COO of Atakama, discusses what organizations should do:

"This is another example of why it is no longer sufficient to rely on identity and rules-based access controls to safeguard critical data. Organizations must take a more granular look at how the data itself is protected from these threats. Breached credentials and central encryption key stores have time and again proven to be a targeted point of attack and failure in the face of a ransomware attack.

Even conventional encryption practices are nullified once credentials are breached, proving carte blanche access to sensitive data for any attacker on the network. A decentralized, multifactor approach to cryptographic key management protects organizations from data exfiltration eliminating the threat of data hitting the dark web."