Cisco has confirmed that it suffered a cyberattack after an employee’s login credentials were compromised.
While Cisco says it suffered no serious consequences from the May 2022 incident, a threat actor who managed to stay on the network for a while before being evicted begs to differ.
According to Cisco, the attackers are initial access brokers with ties to the UNC2447 cybercriminal gang, the Lapsus$ threat actors, and the Yanluowang ransomware operators. They managed to compromise the employee’s personal Google account, which was synced with the employee’s browser, where saved login credentials were stored.
Pushing the intruder out
The attacker then launched a “series of sophisticated voice phishing attacks” that resulted in the employee accepting multi-factor authentication (MFA) push notifications.
This gave them VPN access in the context of the targeted user, which they used to move laterally to Citrix servers and domain controllers. “They moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers,” Cisco said in its announcement.
That’s when, according to Cisco, they were noticed and pushed out. “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
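The chain described above, in which repeated MFA push prompts end with the user accepting one, leaves a recognisable pattern in authentication logs: several denied or timed-out pushes for one account inside a short window, followed by an approval. The detector below is an added example, not Cisco’s tooling or anything from the announcement; the log format, field names, sample lines and thresholds are all constructed assumptions.

```python
"""Flag bursts of MFA push prompts that end in an approval (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# "<ISO-8601 UTC timestamp> user=<name> result=<denied|timeout|approved> src=<ip>"
SAMPLE_LOG = """\
2022-05-24T02:11:05Z user=jdoe result=timeout src=198.51.100.7
2022-05-24T02:12:40Z user=jdoe result=denied src=198.51.100.7
2022-05-24T02:14:02Z user=jdoe result=timeout src=198.51.100.7
2022-05-24T02:15:31Z user=jdoe result=approved src=198.51.100.7
2022-05-24T08:30:00Z user=asmith result=approved src=203.0.113.20
2022-05-24T09:10:00Z user=asmith result=denied src=203.0.113.20
2022-05-24T17:45:00Z user=asmith result=approved src=203.0.113.20
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window before an approval
MIN_UNAPPROVED = 2              # assumed: this many denied/timed-out pushes first


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": kv["user"], "result": kv["result"], "src": kv["src"]}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_push_fatigue(events, window=WINDOW, min_unapproved=MIN_UNAPPROVED):
    """Return one alert per approval preceded, within `window`, by at least
    `min_unapproved` pushes the user did not approve (denied or timed out)."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "approved":
                continue
            # All prompts for this user inside the window ending at the approval.
            burst = [e for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window]
            unapproved = sum(1 for e in burst if e["result"] != "approved")
            if unapproved >= min_unapproved:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "prompts_in_window": len(burst),
                    "unapproved_before_accept": unapproved,
                    "src": sorted({e["src"] for e in burst}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, only `jdoe` is flagged: three unapproved prompts in four minutes and then an approval. `asmith`'s single denial hours before a later approval stays below the threshold, which is the point of the window: ordinary users decline a stray prompt now and then, and a rule that fires on any denial would drown the real signal. A follow-up check worth pairing with this one is whether the approving session's source differs from the user's usual locations, since the approval here is the moment VPN access is granted.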
While the company said no serious damage was done, the attackers contacted BleepingComputer to argue otherwise, claiming to have stolen over 3,000 files, including NDAs, data dumps, and engineering drawings. The entire archive is 2.75 GB in size and was published on the extortionists’ data leak site.
Cisco downplayed the theft, claiming that the data was non-confidential and had been retrieved from the victim’s Box folder.
“Cisco did not identify any impact on our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property or supply chain operations,” it wrote.
“On August 10, the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”