Networking giant Cisco was the victim of a cyberattack in May. In a notice posted on Wednesday, the company announced that it discovered a security incident that targeted its corporate IT infrastructure on May 24. Though some files were compromised and published, Cisco said that no ransomware has been found, that it managed to block additional attempts to access its network beyond the initial breach, and that it has shored up its defenses to prevent further such incidents.
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations,” the company said in its notice. “We have also implemented additional measures to enhance the security of our systems and are sharing technical details to help protect the wider security community.”
A supplemental notice published by Cisco Talos, the company’s threat intelligence arm, revealed greater details about the attack. Upon its investigation, Cisco Talos found that an employee’s credentials were compromised after the attacker took control of a personal Google account in which the individual’s credentials were stored and synchronized.
Following that initial breach, the attacker used voice phishing attacks in which they impersonated trusted organizations to convince users to accept fraudulent multi-factor authentication notifications. Those MFA notifications ultimately proved successful, thereby giving the attacker access to a VPN used by employees.
SEE: Mobile device security policy (TechRepublic Premium)
Pointing to the potential culprit, Cisco Talos said that the attack was probably carried out by someone identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ group, and Yanluowang ransomware operators. Initial access brokers typically breach organizations and then sell the access to ransomware gangs and other cybercriminals.
Specializing in ransomware, the UNC2447 gang threatens to publish whatever data it compromises or sell the information on hacker forums unless the ransom is paid. Relatively new to the world of cybercrime, the Lapsus$ group uses social engineering tactics, such as MFA requests, to trick its victims. Named after the Chinese deity that judges the souls of the dead, Yanluowang ransomware attackers vow to publicly leak the stolen data and launch DDoS attacks unless the ransom payment is made.
“This was a sophisticated attack on a high-profile target by experienced hackers that required a lot of persistence and coordination to pull off,” said Paul Bischoff, privacy advocate with Comparitech. “It was a multi-stage attack that required compromising a user’s credentials, phishing other staff for MFA codes, traversing CISCO’s corporate network, taking steps to maintain access and hide traces, and exfiltrating data. Cisco says the attack was most likely carried out by an initial access broker, or IAB. Although some data was exfiltrated, an IAB’s main role is to sell other hackers access to private networks, who might later carry out further attacks such as data theft, supply chain attacks on Cisco software, and ransomware.”
A tweet posted by threat intelligence provider Cyberknow included a screenshot of the leak site of the Yanluowang ransomware group showing Cisco as its latest victim. The Cisco Talos notice displayed a screenshot of an email received by Cisco from the attackers. Threatening Cisco that “no one will know about the incident and information leakage if you pay us,” the email shows a directory of some of the files breached in the attack.
Cybersecurity and technology vendors are increasingly being targeted by cybercriminals. And the attacks are being conducted for several reasons, according to ImmuniWeb Founder and Cybersecurity Expert Ilia Kolochenko.
“First, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply-chain attacks,” Kolochenko said. “Second, vendors frequently have invaluable cyber threat intelligence.”
In search of useful threat intelligence, attackers conduct surveillance to determine the status of investigations by private vendors and potential police raids by law enforcement, Kolochenko explained.
“Third, some vendors are a highly attractive target because they possess the most recent DFIR (Digital Forensics and Incident Response) tools and techniques used to detect intrusions and uncover cybercriminals, whilst some other vendors may have exploits for zero-day vulnerabilities or even source code of sophisticated spyware, which can later be used against new victims or sold on the Dark Web,” Kolochenko added.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
In addition to describing the attack and Cisco’s response, the Talos group provided tips for other organizations on how to combat these types of attacks.
Many attackers like to use social engineering tricks to compromise an organization. User education is an important step toward fighting such attempts. Make sure your employees know the legitimate methods that support staff will use to contact them. With the abuse of MFA notifications, also ensure that employees know how to respond if they receive unusual requests on their phones. They should know whom to contact to help determine if the request is a technical glitch or something malicious.
Adopt strong device verification by setting up strict controls about device status and be sure to limit or block enrollment and access from unmanaged or unknown devices. Implement risk detection to identify unusual events such as a new device being used from an unrealistic location.
Before allowing VPN access from remote endpoints, use posture checking to ensure that connecting devices match your security requirements and that rogue devices not previously approved are prevented from connecting.
Network segmentation is another vital security method as it can better protect important assets and help you better detect and respond to suspicious activity.
By relying on centralized logs, you can better determine if an attacker tries to remove any logs from your system. Make sure that the log data from endpoints is centrally collected and analyzed for suspicious behavior.
In many incidents, attackers targeted the backup infrastructure to prevent an organization from restoring files compromised in an attack. To counter this, make sure that your backups are stored offline and regularly test recovery to make sure you can bounce back after an attack.