Network equipment vendor Cisco has become the victim of a network intrusion. The company has published the results of its investigation into the attack. According to Cisco, the attackers did not steal any sensitive data.
Looking for clues
According to the analysis, Cisco noticed the breach in late May this year and brought in its own security teams, CSIRT and Talos, to contain and investigate the attack. It turned out that the attackers had gained access to an employee's personal Google account. The Google account had password synchronization enabled, so the employee's Cisco credentials were within the attackers' reach as well.
The attackers tried to trick the victim into approving multi-factor authentication (MFA) requests, using phone calls and text messages. Among other things, they sent the employee repeated MFA requests in the hope that one would be approved by mistake, or simply so that the prompts would stop. Eventually a request was indeed approved, and the attackers obtained access to Cisco's VPN.
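As an added example that is not from Cisco's report or this article, the following Python script flags the push-fatigue pattern described above in authentication logs: a burst of denied or timed-out MFA prompts for one user, followed shortly by an approval. The log format, user names, timestamps and IP addresses are constructed for the example.

```python
"""Detect MFA push-fatigue patterns in authentication logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, MFA result, source IP.
# "alice" shows the fatigue pattern; "bob" shows ordinary logins.
SAMPLE_LOG = """\
2022-05-24T01:02:10Z alice push_denied 203.0.113.7
2022-05-24T01:02:45Z alice push_timeout 203.0.113.7
2022-05-24T01:03:20Z alice push_denied 203.0.113.7
2022-05-24T01:04:05Z alice push_denied 203.0.113.7
2022-05-24T01:05:50Z alice push_approved 203.0.113.7
2022-05-24T09:15:00Z bob push_approved 198.51.100.20
2022-05-24T13:40:00Z bob push_denied 198.51.100.20
2022-05-24T13:41:00Z bob push_approved 198.51.100.20
"""

FAILED = ("push_denied", "push_timeout")


def parse_log(text):
    """Parse whitespace-separated log lines into (time, user, result, src) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src))
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_failures=3):
    """Return {user: (failure_count, approval_time)} for every approval that was
    preceded by at least `min_failures` failed prompts within `window`."""
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[1]].append(ev)
    hits = {}
    for user, evs in per_user.items():
        for i, (ts, _, result, _src) in enumerate(evs):
            if result != "push_approved":
                continue
            # Count failed prompts for this user inside the window before the approval.
            failures = [e for e in evs[:i] if e[2] in FAILED and ts - e[0] <= window]
            if len(failures) >= min_failures:
                hits[user] = (len(failures), ts.isoformat())
    return hits


if __name__ == "__main__":
    for user, (n, when) in find_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"possible MFA fatigue: {user} approved at {when} after {n} failed prompts")
```

In practice the same check would run over the identity provider's MFA event export, with the threshold tuned so that a single accidental denial (as for "bob" above) does not alert.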
This gave the attackers initial access. They immediately set about moving further into the network and exploring it. Among other things, they enrolled further devices for MFA, and they escalated to administrative privileges, which allowed them to log on to more systems. At this point the Cisco Security Incident Response Team (CSIRT) was alerted.
Attackers install multiple tools
IT forensic investigators found a range of tools used by the attackers. The intruders had already installed remote access software such as LogMeIn and TeamViewer, as well as offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket. In addition, they had set up backdoor accounts with admin rights and persistence mechanisms to keep a permanent foothold.
During the attack, Cisco's security staff observed several attempts to exfiltrate information about the environment. The only successful exfiltration for which evidence was found involved the contents of a folder in Box, a cloud storage service. The folder was associated with the victim's account and their Active Directory credentials. The company states that it did not contain any sensitive information.
After the attack had been contained and the attackers evicted, the security team observed further access attempts for several weeks, as the cybercriminals tried to regain entry to the network. Above all, they relied on weak passwords resulting from the mandatory password reset, in which employees had changed only a single character at the end. At first the attackers came in through anonymizing services such as Tor, and later switched to compromised access points in the United States.
The cybercriminals contacted Cisco managers, in some cases attaching screenshots of the Box folder's contents. However, the e-mails contained no concrete demand for money and no threats.
The forensic investigators concluded that a cyber gang acting as a so-called Initial Access Broker (IAB) is highly likely behind the attack. Such a group sells the access it obtains to other cyber gangs; in this case there are ties to the Lapsus$ gang and to the group UNC2447, which in turn has ties to Russia. Although no ransomware was deployed, Cisco found earlier links between the attackers and the ransomware gang Yanluowang.
According to the company, the attackers are not believed to have gained access to critical systems such as development systems or code signing. In its detailed analysis, Cisco lists indicators of compromise (IoCs), a classification of the attack techniques mapped to MITRE ATT&CK, the attackers' IP addresses and the domains they registered, for example for phishing attacks on employees.