Cisco has confirmed it suffered a cyberattack, caused by the login credentials of an employee being compromised.
While Cisco says it suffered no major consequences from the May 2022 incident, the threat actor, who was able to linger around the network for a little while before being evicted, begs to differ.
According to Cisco, the attackers are initial access brokers tied to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. They managed to infiltrate an employee’s personal Google account, which was synced with their browser and which kept all of the login data.
Pushing the intruder out
After that, the attacker conducted a “series of sophisticated voice phishing attacks” that resulted in the employee accepting multi-factor authentication (MFA) push notifications.
That gave them access to the VPN in the context of the targeted user, which they used to move laterally to Citrix servers and domain controllers. “They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers,” Cisco said in its announcement.
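The sequence described above, a run of MFA push prompts to one user that ends with an accepted one, is a pattern a defender can look for in authentication logs. What follows is an added example, not code from Cisco's report or from any MFA product: a small detector run over constructed push-notification log lines, where the log format, the field names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: timestamp, user, kind, result).
# "alice" shows a push-bombing run ending in an approval; "bob" is normal use.
SAMPLE_LOG = """\
2022-05-10T21:02:11Z alice push denied
2022-05-10T21:02:40Z alice push timeout
2022-05-10T21:03:05Z alice push denied
2022-05-10T21:03:31Z alice push timeout
2022-05-10T21:04:02Z alice push approved
2022-05-10T09:15:00Z bob push approved
2022-05-10T17:30:12Z bob push denied
2022-05-10T18:45:50Z bob push approved
"""


def parse_log(text):
    """Group (timestamp, result) pairs per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _kind, result = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result))
    for user in events:
        events[user].sort()
    return events


def detect_push_fatigue(text, window=timedelta(minutes=10), min_prompts=3):
    """Flag users whose approved push follows a burst of unanswered or denied
    pushes inside `window`. Returns {user: number of prior non-approved
    prompts in the window} for the first such approval per user."""
    flagged = {}
    for user, evs in parse_log(text).items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [r for t, r in evs[:i] if ts - t <= window and r != "approved"]
            if len(prior) + 1 >= min_prompts:
                flagged[user] = len(prior)  # alice -> 4 on the sample above
                break
    return flagged


if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

The window and prompt count should be tuned to the organisation's own baseline; a single denied push followed an hour later by a legitimate approval, as in the "bob" lines, is deliberately left unflagged.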
That’s when, according to Cisco, they were spotted, and pushed out. “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
While the company says no serious harm was done, the attackers reached out to BleepingComputer to claim otherwise, saying they had stolen more than 3,000 files, including NDAs, data dumps, and engineering drawings. The entire database weighs 2.75GB, and was published on the extortionist’s data leak site.
Cisco downplayed the theft, claiming the data was non-sensitive and taken from the compromised employee’s Box folder.
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations”, it said.
“On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”