Cisco hacked by Yanluowang group

Cisco has admitted to a breach on its network. The technology company has shared a blog report that shares details of the security incident that impacted Cisco’s internal network. We look at some key points about the latest episode of hacking of Cisco networks.

Was Cisco a subject of ransomware attack?

Cisco has shared details of the security incident that impacted its corporate network in May 2022. It appears that Cisco corporate network was breached by attackers. The impact was limited to the corporate network and no ransomware footprints were found after detection of the security incident. Cisco confirms that there has been no business impact due to the recent attack.

But, it is clear that the attackers were able to access data that belongs to Cisco. The Yanluowang claims to have 2.8 GB of Cisco’s data. Cisco has admitted to the data theft. However, Cisco has been quick to confirm that all critical and proprietary data is safe. Source code and other proprietary software are unaffected in this data breach at Cisco’s corporate network.

Cisco has categorically stated that no ransomware was deployed on its corporate network.

Who hacked Cisco’s corporate network?

There is no confirmation and claims of the purported attack on Cisco’s corporate network. However, most security analysts are of the opinion that the break-in into the corporate network of Cisco carries footprints of the Yanluowang ransomware operator group. There is a high chance of the Lapsus$ gang of operators being involved in this security incident. This is a data breach incident as the attackers were able to steal 2.8 GB worth of Cisco data in the attack.

The Cisco Talos Intelligence group has mentioned the following:

We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. 

from Cisco blog

What was the impact of the attack on Cisco networks?

In brief, the attacker deployed malicious payloads on Cisco networks. The attacker gained domain administrator rights and also gained local administrator privileges to steal data and dump it an external environment.

The Cisco Talos Intelligence Group has stated the following impact of the exploit into the Cisco VPN and Cisco corporate network:

  • Upon entry into the network, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment. 
  • The attacker began to enumerate the environment, using common built-in Windows utilities to identify the user and group membership configuration of the system, hostname, and identify the context of the user account under which they were operating.
  • The attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment. They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers.  
  • After obtaining access to the domain controllers, the attacker began attempting to dump NTDS from them using “ntdsutil.exe”. They then worked to exfiltrate the dumped NTDS over SMB (TCP/445) from the domain controller to the VPN system under their control.
  • The adversary created an administrative user called “z” on the system using the built-in Windows “net.exe” commands. This account was then added to the local Administrators group. With local administrator level access rights, the attacker tried to dump information and data available locally.
  • The attacker deployed malicious payloads on Cisco’s network. Cisco threat intelligence team is still in the midst of carrying out payload audits to ensure that the network is free of malicious payloads that could serve as backdoor to the network attacks at a future date.

When did the attack on Cisco network take place?

As per Cisco’s security incident report that was released on 10th August, 2022, the attack was first identified on 24th May, 2022. Cisco Talos Intelligence group the Security response teams worked on removing the malicious payloads from the network. Efforts were made to eradicate the threat and contain the damage. Subsequently, the Cisco Talos team worked in preventing future attacks on similar lines. Cisco has confirmed that the threat actors were persistent in trying to access the network after initial cleanup.

Why is Cisco acknowledging the attack after almost 12 weeks?

The ransomware operators published Cisco networks’ on the darkweb on August 10, 2022. This caused Cisco to acknowledge the attack that actually took place sometime in May. The attack was first identified on 24th of May, 2022. Attack mitigation and security response system were initiated by Cisco upon first detection of the intrusion.

Cisco’s response is on expected lines. Most IT companies admit ransomware and other attacks after the ransomware operators fail in getting the desired ransom amounts from the target company.

How did the attack on Cisco network take place?

  • One of the Cisco employee’s private Gmail account was used to initiate coverage of other Cisco employees. The email account had been compromised by the attacker.
  • The user had set Chrome browser to sync the passwords of the Gmail account. Chrome browser became a subject of compromise and attacks by the attacker.
  • Voice phishing messages were sent to the user whose Gmail had been impacted. The user was waylaid into accepting MFA messages being sent by the attacker. The fake Multi-factor authentication messages were in the name of established organizations. Eventually, vishing or Voice Phishing resulted in the attacker gaining entry into Cisco’s network.
  • Through fake MFA messages sent to the user, the attacker was able to get a foot hold in the corporate VPN network of Cisco.
  • Voice Phishing is the source of this attack on Cisco network.