Cisco has revealed that it has fought off a potentially damaging cyber incident that unfolded after a threat actor conducted a phishing attack on one of its employees by abusing their personal Google account to access its network.

The network hardware supplier said the attacker was likely an initial access broker (IAB) with links to the UNC2447 cyber crime gang, a Chinese ransomware operator known as Yanluowang, and the Lapsus$ group – a gang of teens who abused failings in multifactor authentication (MFA) to target multiple tech companies earlier this year.

Cisco disclosed it had been attacked on 10 August after its name appeared on Yangluowang’s dark web leak site (see image below), but the attack unfolded more than two months ago on 24 May, since when the organisation’s internal Cisco Security Incident Response (CSIRT) and its Cisco Talos cyber unit have been working to remediate it.

#yanluowang ransomware has posted #Cisco to its leaksite. #cybersecurity #infosec #ransomware pic.twitter.com/kwrfjbwbkT

— CyberKnow (@Cyberknow20)
August 10, 2022

“During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronised,” said the Talos team in its disclosure notice.

“The attacker [then] conducted a series of sophisticated voice phishing attacks under the guise of various trusted organisations attempting to convince the victim to accept MFA push notifications initiated by the attacker.

“The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to [the] VPN in the context of the targeted user.”

After gaining access, the attacker conducted a variety of activities to achieve persistence, cover their tracks and elevate their privileges within Cisco’s network. They were able to move into Cisco’s Citrix environment, compromise a number of servers and obtained privileged access to domain controllers.

Ultimately, they were successfully able to exfiltrate the contents of a Box folder associated with the compromised employee’s account, and employee authentication data from Active Directory.

Once detected and removed from the network, the threat actor repeatedly attempted to regain access by targeting employees who they suspected had made single character changes to their passwords following a mandated credential reset across Cisco. They were unsuccessful in this.

The threat actor also attempted to email various high-level Cisco staffers threatening to leak the data stolen from Box, but they did not make any specific threats or extortion demands.

No ransomware was actually deployed at any point, and CSIRT and Talos said they had not found any evidence that the attacker had accessed any critical systems.

“The incident was contained to the corporate IT environment and Cisco did not identify any impact to any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations,” said Cisco in a statement.

“No customer [or] partner action is required for Cisco products or services. Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared Indicators of Compromise [IOCs] with other parties, reached out to law enforcement and other partners, and is sharing further technical details via a Talos blog to help cyber defenders learn from our observations.”

It added: “Cisco has extensive IT monitoring and remediation capabilities. We have used these capabilities to implement additional protections, block any unauthorised access attempts, and mitigate the security threat. We are also putting additional emphasis on employee cyber security hygiene and best practices to avoid similar instances in the future.”

Immuniweb founder and CEO Ilia Kolochenko said that on this occasion, Cisco had been lucky: “Cyber security and technology vendors are now massively targeted by sophisticated threat actors for different interplayed reasons,” he said.

“First, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks.

“Second, vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counter-intelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids.

“Third, some vendors are a highly attractive target because they possess the most recent DFIR tools and techniques used to detect intrusions and uncover cyber criminals, whilst some other vendors may have exploits for zero-day vulnerabilities or even source code of sophisticated spyware, which can later be used against new victims or sold on the dark web.

“That being said, we shall prepare for a continually growing volume and sophistication of cyber attacks targeting technology companies, namely security vendors,” added Kolochenko.