Overview of the Cisco data breach
On Wednesday, August 10, 2022, networking giant Cisco confirmed that it had detected a breach of its corporate network on May 24 of this year. Below, we'll talk you through how the hack happened, what data was taken and who was responsible.
We’ll also discuss key learnings from the incident, so you can make sure your organization doesn’t experience a similar attack.
How did the Cisco breach happen?
In May of this year, threat actors infiltrated Cisco's network by first compromising the credentials of a Cisco employee's personal Google account. The employee had enabled password synchronization in Google Chrome and had saved their Cisco credentials in the browser, so those corporate credentials had synced into the personal Google account, where the attacker could read them.
Now, like many companies, Cisco protects access to its corporate VPN with multi-factor authentication, but the attacker worked around it. Using the stolen credentials, they bombarded the employee with a steady stream of MFA push notifications, a technique known as MFA fatigue or push bombing, while also calling the employee (voice phishing) and sending text messages (smishing) in which they impersonated trusted support organizations that Cisco works with and urged the employee to accept.
Worn down and unaware that the prompts were fraudulent, the employee eventually accepted one of the push notifications. The attacker then enrolled their own devices for MFA, authenticated to the Cisco VPN and gained a foothold in the corporate network.
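The push-bombing sequence described above leaves a recognisable trace in MFA logs: a burst of push prompts to one user, an approval, and then a new MFA device or VPN session. The script below is an added example, not code from this post or from Cisco, that runs a sliding-window detector over constructed log lines; the JSON log format and the event names (push_sent, push_approved, mfa_device_enrolled, vpn_login and so on) are assumptions for illustration rather than any real product's schema.

```python
"""Detect MFA push bombing in authentication logs.

Added example, not the post's own code and not Cisco's tooling. The log
format is constructed for illustration: one JSON object per line with ts
(ISO 8601), user, event and src_ip. The event names (push_sent, push_denied,
push_timeout, push_approved, mfa_device_enrolled, vpn_login) are assumed,
not taken from any real product.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six pushes to jdoe in seven minutes, an eventual
# approval, then a new MFA device and a VPN login; asmith shows a normal login.
SAMPLE_LOG = """\
{"ts": "2022-05-24T08:01:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:01:40Z", "user": "jdoe", "event": "push_timeout", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:02:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:02:10Z", "user": "jdoe", "event": "push_denied", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:03:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:03:05Z", "user": "asmith", "event": "push_sent", "src_ip": "192.0.2.10"}
{"ts": "2022-05-24T08:03:20Z", "user": "asmith", "event": "push_approved", "src_ip": "192.0.2.10"}
{"ts": "2022-05-24T08:04:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:05:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:07:00Z", "user": "jdoe", "event": "push_sent", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:07:30Z", "user": "jdoe", "event": "push_approved", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:09:00Z", "user": "jdoe", "event": "mfa_device_enrolled", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T08:10:00Z", "user": "jdoe", "event": "vpn_login", "src_ip": "203.0.113.5"}
"""


def parse_log(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per user who received >= threshold pushes within window.

    Severity escalates when the burst is followed by an approval and, worse,
    by a new MFA device enrolment or VPN login, the sequence seen at Cisco.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        pushes = [e for e in evs if e["event"] == "push_sent"]
        start = 0
        for end, push in enumerate(pushes):
            # Slide the window start forward so it never spans more than `window`.
            while push["ts"] - pushes[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Burst found: collect every push inside the window, then look at
            # what the user did after the last one.
            burst = [p for p in pushes[start:] if p["ts"] - pushes[start]["ts"] <= window]
            burst_end = burst[-1]["ts"]
            after = [e for e in evs if e["ts"] >= burst_end]
            approved = any(e["event"] == "push_approved" for e in after)
            enrolled = any(e["event"] == "mfa_device_enrolled" for e in after)
            logged_in = any(e["event"] == "vpn_login" for e in after)
            if approved and (enrolled or logged_in):
                severity = "critical"
            elif approved:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({
                "user": user,
                "pushes": len(burst),
                "first_push": burst[0]["ts"].isoformat(),
                "last_push": burst_end.isoformat(),
                "approved": approved,
                "new_device_enrolled": enrolled,
                "severity": severity,
            })
            break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The threshold and window are tuning knobs: a handful of pushes in ten minutes is noisy for a user who mistyped a code, but any burst followed by an approval and a new device enrolment deserves an immediate response, which is why the severity is driven by what happens after the burst rather than by the count alone.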
Once they managed to gain a foothold in the corporate network, the cyber criminals moved to the company’s Citrix servers and domain controllers.
In a blog post on the attack, Cisco Talos explained: “They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.”
From there, the attackers used credential-dumping tools such as Impacket's secretsdump to harvest account secrets from the domain controllers, and installed a backdoor that called home to their command-and-control server, likely with the intention of deploying ransomware further down the line, although no ransomware payload was ever found.
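When secretsdump is pointed at a domain controller remotely, it pulls password hashes through the directory replication service, the same path a DCSync attack uses. With "Audit Directory Service Access" enabled, each such request is logged on the DC as Windows Security event 4662, and the Properties field carries the GUIDs of the replication rights that were requested. The script below is an added example, not Cisco's detection content or code from this post; it runs over constructed 4662 events flattened to JSON lines. The domain CORP, the accounts DC01$, DC02$, MSOL_1a2b3c, svc_backup and jdoe, and the allowlist of expected replicators are invented for illustration.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example for this post, not Cisco's detection content. The events below
are constructed (domain and account names are invented) and flattened to
JSON lines; a real pipeline would read them from the DC's Security log.
"""
import json
import re

# Extended rights involved in DCSync. Get-Changes alone is granted widely;
# Get-Changes-All (or the filtered-set right) is what lets a caller pull
# secrets, so those are the ones that trigger an alert.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
HIGH_VALUE_RIGHTS = {
    "DS-Replication-Get-Changes-All",
    "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Principals that replicate legitimately: DC machine accounts and the
# directory-sync service account. Assumed names; build this from the Domain
# Controllers OU in practice, and do not trust every account ending in "$".
DEFAULT_ALLOWLIST = frozenset({
    "corp\\dc01$",
    "corp\\dc02$",
    "corp\\msol_1a2b3c",
})

# Constructed sample: two legitimate replicators, one service account that
# should never replicate, an unrelated 4662, and a non-4662 event.
SAMPLE_EVENTS = """\
{"TimeCreated": "2022-05-24T09:15:02Z", "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$", "ObjectServer": "DS", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"TimeCreated": "2022-05-24T09:15:10Z", "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_1a2b3c", "ObjectServer": "DS", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"TimeCreated": "2022-05-24T09:16:45Z", "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc_backup", "ObjectServer": "DS", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"TimeCreated": "2022-05-24T09:17:00Z", "EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ObjectServer": "DS", "AccessMask": "0x100", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"}
{"TimeCreated": "2022-05-24T09:17:30Z", "EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"}
"""


def requested_rights(properties):
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    guids = {g.lower() for g in GUID_RE.findall(properties or "")}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def detect_dcsync(lines, allowlist=DEFAULT_ALLOWLIST):
    """Return an alert for each 4662 event in which a principal outside the
    allowlist requested a replication right that exposes secrets."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("EventID") != 4662:
            continue
        rights = requested_rights(rec.get("Properties"))
        if not HIGH_VALUE_RIGHTS.intersection(rights):
            continue
        account = rec["SubjectDomainName"] + "\\" + rec["SubjectUserName"]
        if account.lower() in allowlist:
            continue
        alerts.append({"time": rec["TimeCreated"], "account": account, "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

The allowlist is the part that needs care: domain controllers and directory-sync services replicate all day, so matching on the exact machine and service accounts keeps the rule quiet, while a backup, helpdesk or ordinary user account requesting Get-Changes-All is the signal worth paging on.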
As Cisco said: “While we did not observe ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments.”
Before that could happen, Cisco discovered the intrusion and evicted the attackers from its network, although they kept trying to regain access for several weeks afterwards.
“After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment,” Cisco Talos stated.
“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
Cisco has since released two ClamAV signatures covering the malware used in this attack, so that other security teams can detect it in their own environments.
Who hacked Cisco?
Cisco Talos attributed the attack, with moderate to high confidence, to an adversary previously identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group and the Yanluowang ransomware operators. The Yanluowang group subsequently claimed responsibility for the attack.
To put this in context, Lapsus$ is responsible for some of the most high-profile data breaches that have happened recently, including Microsoft, Okta and T-Mobile.
What data was stolen?
According to Cisco, the threat actors did not steal any sensitive information. As they said in their statement:
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.
“On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”
But wait, the hack happened in May. Why is it only coming out now?
The hack started to come to light because the group behind the attack recently emailed stolen files from Cisco to BleepingComputer, claiming responsibility for the incident.
As BleepingComputer stated: “The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.”
“The threat actors also sent a redacted NDA document stolen in the attack to BleepingComputer as proof of the attack and a “hint” that they breached Cisco’s network and exfiltrated files.”
A week later, the attackers also announced the data breach publicly on the dark web.
Learnings from the Cisco data breach
Like the recent Twilio data breach, this incident shows just how effective social engineering remains: through impersonation and sheer persistence over phone and SMS, the attackers got an employee to approve access they should never have approved.
Phishing is as old as the internet, and there is no way to eliminate human error entirely, so you need to equip your employees with the right tools to avoid falling for scams. Technical controls matter just as much: phishing-resistant MFA (FIDO2/WebAuthn) or number matching on push prompts blunts MFA fatigue, disabling browser password sync for corporate credentials keeps them out of personal accounts, and alerting on new MFA device enrolments catches the step that turned one accepted push into lasting VPN access.
Polymer DLP can help you mitigate the risks of phishing scams. Our self-learning engine features in-app training prompts that nudge users towards secure choices in real time.
On top of awareness training, Polymer DLP prevents privilege abuse through data access control mechanisms, which ensure that only legitimate, verified employees are able to access company data. This tackles the issues of privilege misuse and compromise that are common in successful social engineering attacks.
Learn more about Polymer DLP for insider threats now.