According to an investigation conducted by Cisco Security Incident Response (CSIRT), the Yanluowang ransomware organisation entered Cisco's corporate network in late May and stole internal data.
What Did The Yanluowang Ransomware Gang Do To Cisco?
After seizing control of a Cisco employee's personal Google account, the threat actors obtained the credentials that the victim's browser had saved and synchronised to that account. With the victim's details in hand, the attackers began voice phishing (vishing) attempts in an effort to convince the employee to accept a multi-factor authentication (MFA) push notification they had initiated.
Once the MFA notification was accepted, the attacker gained access to the VPN in the context of the targeted user.
Great details on how Cisco got hacked.
1- Personal Google account of an employee gets compromised - it has password sync enabled.
2- Got all the employee's passwords, including their Cisco VPN credentials.
3- Phishing to accept 2FA
4- They are in https://t.co/M5kVfyepKH
— Daniel Cid (@danielcid) August 11, 2022
The attacker used a series of sophisticated voice phishing attempts, impersonating numerous reputable companies, in an effort to persuade the victim to accept the multi-factor authentication (MFA) push notifications the attacker had initiated. Eventually the attacker obtained an MFA push acceptance, which granted them access to the VPN in the context of the targeted user.
Cisco Talos, which was also a part of the investigation, claims that after gaining initial access, the attacker registered a number of additional devices for MFA and successfully authenticated to the Cisco VPN.
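The two steps described above, a burst of unsolicited MFA pushes ending in one acceptance and a new MFA device enrolled shortly afterwards, both leave a trail in identity-provider logs. The following detector is an added example written for this page (not Cisco's or Talos's code); the log format, field names and sample lines are constructed for illustration, and the thresholds (three or more unapproved pushes within 30 minutes; enrolment within two hours of an approval) are assumptions to be tuned to a real environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class AuthEvent:
    ts: datetime
    user: str
    kind: str      # "mfa_push", "mfa_enroll", "vpn_login"
    result: str    # "approved", "denied", "timeout", "success"

def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line: '<ISO timestamp> user=<u> event=<k> result=<r>'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AuthEvent(datetime.fromisoformat(ts_str), fields["user"], fields["event"], fields["result"])

def find_push_fatigue(events, window=timedelta(minutes=30), min_unapproved=3):
    """Flag an approval preceded by >= min_unapproved denied/timed-out pushes within the window.
    Returns (user, approval time, number of unapproved pushes that preceded it)."""
    alerts = []
    pending = {}  # user -> unapproved pushes since the last approval
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind != "mfa_push":
            continue
        hist = pending.setdefault(e.user, [])
        if e.result == "approved":
            recent = [h for h in hist if e.ts - h.ts <= window]
            if len(recent) >= min_unapproved:
                alerts.append((e.user, e.ts, len(recent)))
            hist.clear()
        else:
            hist.append(e)
    return alerts

def find_enroll_after_approval(events, window=timedelta(hours=2)):
    """Flag a new MFA device enrolled soon after an approved push: a common persistence step."""
    alerts = []
    last_approval = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "mfa_push" and e.result == "approved":
            last_approval[e.user] = e.ts
        elif e.kind == "mfa_enroll" and e.user in last_approval:
            if e.ts - last_approval[e.user] <= window:
                alerts.append((e.user, e.ts))
    return alerts

# Constructed sample log: 'jdoe' receives four unsolicited pushes, accepts the fifth,
# logs in to the VPN and enrols a new device; 'asmith' is a normal user who mis-taps once.
SAMPLE_LOG = [
    "2022-05-24T09:58:10 user=jdoe event=mfa_push result=denied",
    "2022-05-24T10:02:41 user=jdoe event=mfa_push result=timeout",
    "2022-05-24T10:05:03 user=jdoe event=mfa_push result=denied",
    "2022-05-24T10:09:57 user=jdoe event=mfa_push result=timeout",
    "2022-05-24T10:14:22 user=jdoe event=mfa_push result=approved",
    "2022-05-24T10:14:30 user=jdoe event=vpn_login result=success",
    "2022-05-24T10:51:08 user=jdoe event=mfa_enroll result=success",
    "2022-05-24T11:20:00 user=asmith event=mfa_push result=denied",
    "2022-05-24T11:21:10 user=asmith event=mfa_push result=approved",
]

def analyse(lines):
    """Run both detectors over raw log lines and return their findings."""
    events = [parse_line(l) for l in lines]
    return {
        "push_fatigue": find_push_fatigue(events),
        "enroll_after_approval": find_enroll_after_approval(events),
    }

if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(name, hits)
```

Both detectors key on the sequence rather than on any single event, which is what separates a user who declines one accidental push from one who is being worn down into accepting; pairing the second detector with an alert to the user themselves (a "new device added" notification) gives them a chance to dispute an enrolment they did not make.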
Good on Cisco for disclosing this.
A ransomware group got on their internal network in May. https://t.co/UpBN4hvWIw pic.twitter.com/SMxxaxQYXI
— Kevin Beaumont (@GossiTheDog) August 10, 2022
The threat actors escalated to administrator privileges before moving laterally into several systems. They dropped Cobalt Strike, PowerSploit, Mimikatz, and Impacket into the target network, along with remote access tools such as LogMeIn and TeamViewer.
Researchers at Talos also stated that the attackers failed to obtain any of the company's sensitive data.
The analysis report published by Cisco Talos said:
“We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive.”
#yanluowang ransomware has posted #Cisco to its leaksite. #cybersecurity #infosec #ransomware pic.twitter.com/kwrfjbwbkT
— CyberKnow (@Cyberknow20) August 10, 2022
Cisco said that at no point during the attack did the Yanluowang gang deploy ransomware on its network. The group is nevertheless attempting to extort the company and has published a list of files it claims to have taken. It has threatened to release all of the stolen material if Cisco does not pay the ransom.