IntelBroker Publishes Data on Cisco Breach from Cloud Instance

In recent developments within the cybersecurity landscape, the Serbian hacker group IntelBroker has made headlines for its audacious breaches of major corporations, including Apple Inc., Facebook Marketplace, AMD, and Zscaler. The group has recently claimed to have compromised Cisco’s infrastructure, reportedly releasing around 2.9 GB of data purporting to originate from Cisco’s Cloud Instance.

IntelBroker raised alarms in October 2023, asserting they illicitly accessed Cisco’s DevHub Instance and exfiltrated approximately 4 terabytes of data. The data reportedly encompasses sensitive elements such as SASE certificates, source code, details about the Identity Services Engine, information related to WebEx products, user credentials, confidential documents, and encryption keys.

Initially, Cisco refuted these claims, denying that any data had been stolen from their servers. However, within a fortnight, they retracted their denial without offering further explanation, hinting at possible internal discussions regarding the breach.

Later in December, Cisco adjusted its stance, acknowledging that a portion of the compromised data was intended for public access as part of an open-source initiative. However, they conceded that sensitive datasets had been wrongfully exposed and accessed by unauthorized individuals.

This acknowledgment lends credibility to IntelBroker’s assertions, as the compromised data is now reportedly being circulated on the dark web, with resellers capitalizing on the stolen information for profit.

IntelBroker’s operations are thought to be tied to an Iranian Persistent Threat Group and include managing BreachForums, a cyber-leak forum notorious for aggregating data leaks from over 400 organizations worldwide. This criminal consortium specializes in credential theft and targets accessible applications, such as cloud-based infrastructures, to generate income through ransom demands and the resale of stolen data.

In the timeframe of 2023-2024, IntelBroker also developed the Endurance Ransomware, with its source code recently disclosed on GitHub. This file-encrypting malware is designed to overwrite targeted files and subsequently erase their originals, incorporating destructive elements of Shamoon malware. When compromised by Endurance, victims are frequently left with limited options, as backup systems are also rendered ineffective.

The methods employed by IntelBroker align with various tactics identified in the MITRE ATT&CK framework, particularly concerning techniques such as initial access through compromised credentials, persistence mechanisms to maintain access, and privilege escalation to exploit superuser or administrative capabilities during intrusions.

As this incident unfolds, it serves as a crucial reminder for business owners to enhance their cybersecurity postures and remain vigilant against such increasingly sophisticated threats.
