By Gregory Hale
Cisco discovered a security incident May 24 targeting its corporate IT infrastructure, and took immediate action to contain and eradicate the attackers, officials said.

Cisco disclosed the incident Wednesday because the attackers published a list of files from the incident to the dark web.

Cisco did not report any impact to its business from the attack, including its products, services, customer data, employee information, intellectual property or supply chain operations.

Cisco said it has since taken steps to remediate the impact of the incident and further harden its IT environment. The tech giant added that no ransomware was observed or deployed, and that it has successfully blocked attempts to access its network since discovering the incident.

“Every cybersecurity incident is an opportunity to learn, strengthen our resilience, and help the wider security community,” Cisco said in a statement. “Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise (IOCs) with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.”


Employee Compromised
The investigation found that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account in which credentials saved in the victim’s browser were being synchronized, according to Cisco Talos researchers.

The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in obtaining an MFA push acceptance, which granted them access to the VPN in the context of the targeted user, Talos said.

CSIRT and Talos responded to the event and have not identified any evidence suggesting the attacker gained access to critical internal systems, such as those related to product development and code signing.

After obtaining initial access, the attacker conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.

After gaining initial access, the attacker enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN, Talos researchers said in a post. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted the Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The attacker dropped a variety of tools, including remote access tools such as LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.
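The two behaviors described above, a burst of MFA push challenges ending in an approval and a freshly enrolled MFA device being used for a VPN login shortly afterwards, are both detectable from ordinary authentication logs. The following Python is an added example written for this page; it is not Cisco's, Talos's, or any vendor's code. The JSON-lines log format, field names (`ts`, `user`, `event`, `result`, `device`), sample events, and the detection thresholds are all constructed assumptions, and the timestamps are illustrative rather than taken from the incident.

```python
"""Detect MFA push fatigue and new-device-then-VPN-login from auth logs.

Added example; the log format and thresholds below are assumptions, not
anything from Cisco's or Talos's write-up.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Tunables (assumed values, tune to your own identity provider's telemetry).
PUSH_WINDOW = timedelta(minutes=10)   # look-back for a push burst
PUSH_MIN_UNANSWERED = 3               # denied/timed-out pushes before the approval
ENROLL_WINDOW = timedelta(hours=2)    # max gap between enrollment and VPN login

# Constructed sample log: one JSON object per line, hypothetical format.
SAMPLE_LOG = """\
{"ts":"2022-05-24T02:11:03Z","user":"jdoe","event":"mfa_push","result":"timeout","device":"dev-1"}
{"ts":"2022-05-24T02:12:10Z","user":"jdoe","event":"mfa_push","result":"denied","device":"dev-1"}
{"ts":"2022-05-24T02:13:41Z","user":"jdoe","event":"mfa_push","result":"timeout","device":"dev-1"}
{"ts":"2022-05-24T02:14:55Z","user":"jdoe","event":"mfa_push","result":"denied","device":"dev-1"}
{"ts":"2022-05-24T02:15:30Z","user":"jdoe","event":"mfa_push","result":"approved","device":"dev-1"}
{"ts":"2022-05-24T02:16:02Z","user":"jdoe","event":"vpn_login","result":"success","device":"dev-1","src_ip":"203.0.113.7"}
{"ts":"2022-05-24T02:20:15Z","user":"jdoe","event":"mfa_enroll","device":"dev-9","kind":"push"}
{"ts":"2022-05-24T02:25:48Z","user":"jdoe","event":"vpn_login","result":"success","device":"dev-9","src_ip":"203.0.113.7"}
{"ts":"2022-05-24T08:00:00Z","user":"asmith","event":"mfa_push","result":"approved","device":"dev-2"}
{"ts":"2022-05-24T08:00:20Z","user":"asmith","event":"vpn_login","result":"success","device":"dev-2","src_ip":"198.51.100.4"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # fromisoformat() only accepts the "Z" suffix from Python 3.11 on.
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events):
    """Flag an approved push preceded by >= PUSH_MIN_UNANSWERED denied or
    timed-out pushes for the same user inside PUSH_WINDOW."""
    findings = []
    unanswered = defaultdict(list)  # user -> timestamps of denied/timeout pushes
    for ev in events:
        if ev["event"] != "mfa_push":
            continue
        user, ts = ev["user"], ev["ts"]
        # Expire pushes that fell out of the look-back window.
        unanswered[user] = [t for t in unanswered[user] if ts - t <= PUSH_WINDOW]
        if ev["result"] in ("denied", "timeout"):
            unanswered[user].append(ts)
        elif ev["result"] == "approved":
            if len(unanswered[user]) >= PUSH_MIN_UNANSWERED:
                findings.append({"rule": "mfa_push_fatigue", "user": user,
                                 "approved_at": ts, "unanswered": len(unanswered[user])})
            unanswered[user].clear()
    return findings


def detect_new_device_vpn(events):
    """Flag a successful VPN login that uses an MFA device enrolled for the
    same user within ENROLL_WINDOW before the login."""
    enrolled = {}  # (user, device) -> enrollment timestamp
    findings = []
    for ev in events:
        if ev["event"] == "mfa_enroll":
            enrolled[(ev["user"], ev["device"])] = ev["ts"]
        elif ev["event"] == "vpn_login" and ev.get("result") == "success":
            t0 = enrolled.get((ev["user"], ev.get("device")))
            if t0 is not None and ev["ts"] - t0 <= ENROLL_WINDOW:
                findings.append({"rule": "new_mfa_device_vpn_login", "user": ev["user"],
                                 "device": ev["device"], "enrolled_at": t0,
                                 "login_at": ev["ts"]})
    return findings


def run(text=SAMPLE_LOG):
    """Run both detections over a log and return the combined findings."""
    events = parse_events(text)
    return detect_push_fatigue(events) + detect_new_device_vpn(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed sample the first rule fires once for `jdoe` (four unanswered pushes, then an approval) and the second fires once for the `dev-9` login; `asmith`, who approved a single push on an already enrolled device, produces nothing. Both rules are deliberately stateful per user rather than per session, since the attacker here used one victim account across several devices.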

Persistent Attack
After the attacker was removed from the environment, they displayed persistence, repeatedly attempting to regain access in the weeks following the attack; those attempts were unsuccessful.

“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators,” Talos said.

The attack shows that even a highly trained security organization can be breached.

“Even when protected by an army of 4 million IT Security Pros with a combined IT defense spend in excess of $150 billion, we are still seeing devastating hacks that exploit the most basic element of security – user authentication,” said John Gunn, chief executive at security provider Token. “The industry needs to wake up to the fact that push notification is not the panacea it was sold as.”

“Compromised credentials and phishing – these continue to be the favored methods attackers use to breach corporate networks, and it’s not surprising that Cisco was breached in this manner,” said Naveen Sunkavalley, chief architect at a security provider. “It can happen to any company.

“What is surprising is the ease with which attackers were able to move laterally inside Cisco’s network after initial access. Attackers escalated privileges, compromised Citrix servers, dumped LSASS, took over domain controllers, and dumped NTDS – essentially credentials for every single Cisco employee. With almost 80,000 employees worldwide, a mandatory password reset isn’t enough to protect from future attacks. Attackers will be able to use and re-use those credentials for a long time,” Sunkavalley said.

Standard Attack
“As demonstrated by Cisco’s latest breach, nothing extraordinary or highly complex was done to accomplish unauthorized access,” said Taylor Ellis, customer threat analyst at Horizon3ai. “In fact, the techniques used were the standard schemes of most fraudsters calling as a trusted party (with highly unconvincing accents).

“Instead of launching a full-scale complex ‘hacking’ production, some cybercriminals are opting to act more like scammers as time goes on. This is because they know that the simple stuff – tactics that target individual victims, such as a single employee – are more likely to go unnoticed and unreported due to every-day human absent mindedness. The Cisco employee who fell victim to this vishing attack received numerous suspicious calls from these ‘trusted’ sources, but like most people with a busy schedule and other preoccupations, they probably did not think anything of it.

“The employee who approved the MFA push request in order to stop the annoying notification flood was merely giving in to natural instinct, and I do not believe anyone else would have done differently. In regards to using technology, most users give little thought to performing any menial action, which is why the act of flooding the victim’s phone with irritating MFA requests is a sure way to achieve a compromise. There is no surprise that social engineering is how this breach was able to occur, but overall, no one can truly prevent these instances from occurring again. Human beings will always be prone to error, but the important factor is to focus on the healing and aftermath of making such mistakes,” Ellis said.
