Cisco Confirms Cyberattack Linked to Yanluowang Ransomware Gang
On May 24, 2022, Cisco Systems, a leading networking equipment provider, confirmed it fell victim to a cyberattack that exploited vulnerabilities in its digital infrastructure. The breach occurred after an attacker compromised a Cisco employee’s personal Google account, which contained synchronized passwords from their web browser, enabling unauthorized access to the company’s Virtual Private Network (VPN).
Cisco’s cybersecurity division, Talos, detailed the incident, noting that the attacker gained initial access via the employee’s Google account, which had password syncing enabled through Google Chrome. This allowed the attacker to synchronize Cisco login credentials stored in the browser to the compromised Google account.
On August 10, the Yanluowang ransomware group publicly released a list of files linked to the breach on their data leak site. While the exfiltrated information primarily consisted of data from a cloud storage folder related to the employee’s account, Talos indicated that the contents did not hold significant value.
To facilitate the attack, the adversary used several tactics, including voice phishing (vishing) and multi-factor authentication (MFA) fatigue, in an effort to trick the employee into granting access to the VPN client. MFA fatigue involves bombarding the victim with authentication requests until they unwittingly approve one. Ultimately, the attacker succeeded in getting the victim to accept an MFA push notification, thereby gaining entry into the company’s network.
Once inside, the attacker carried out a series of actions, including enrolling new devices for MFA and escalating privileges to gain broad permissions across multiple systems. Cisco’s security teams quickly detected this unauthorized activity and began an investigation. The threat actor is believed to have connections to the UNC2447 cybercrime group and the well-known LAPSUS$ hacking collective, reflecting a broader trend of interrelated cybercriminal organizations targeting major corporations.
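The two behaviours described above, a burst of rejected or unanswered MFA pushes ending in an approval, and a new MFA device being enrolled shortly after a VPN login, are both visible in ordinary authentication logs. The following is an added detection example written for this article; it is not Cisco or Talos code, and the log format, field names, thresholds and the sample log lines are all constructed assumptions for illustration.

```python
"""Detection sketch for MFA push fatigue and post-login MFA device enrollment.

Added example, not code from Cisco or Talos. The log line format
("<ISO timestamp> <user> <event> <detail>"), the event names and the
thresholds are assumptions; SAMPLE_LOG is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data).
SAMPLE_LOG = [
    "2022-05-24T01:00:05Z alice mfa_push denied",
    "2022-05-24T01:00:40Z alice mfa_push timeout",
    "2022-05-24T01:01:10Z alice mfa_push denied",
    "2022-05-24T01:01:45Z alice mfa_push timeout",
    "2022-05-24T01:02:20Z alice mfa_push denied",
    "2022-05-24T01:02:55Z alice mfa_push approved",
    "2022-05-24T01:03:30Z alice vpn_login success",
    "2022-05-24T01:09:00Z alice mfa_enroll new_device",
    "2022-05-24T08:15:00Z bob mfa_push approved",
    "2022-05-24T08:15:20Z bob vpn_login success",
]

# Assumed tuning values; real deployments would calibrate these per tenant.
PUSH_BURST_THRESHOLD = 4                 # denied/timed-out pushes before an approval is suspicious
PUSH_BURST_WINDOW = timedelta(minutes=10)
ENROLL_WINDOW = timedelta(minutes=30)    # enrollment this soon after a login is worth a look


def parse(line):
    """Split one log line into (timestamp, user, event, detail)."""
    ts, user, event, detail = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, detail


def detect_push_fatigue(lines):
    """Return (user, approval_time, burst_size) for approvals that follow a push burst."""
    alerts = []
    rejected = defaultdict(list)  # user -> timestamps of denied/timed-out pushes
    for ts, user, event, detail in map(parse, lines):
        if event != "mfa_push":
            continue
        if detail in ("denied", "timeout"):
            rejected[user].append(ts)
        elif detail == "approved":
            # Only count rejections inside the sliding window before this approval.
            burst = [t for t in rejected[user] if ts - t <= PUSH_BURST_WINDOW]
            if len(burst) >= PUSH_BURST_THRESHOLD:
                alerts.append((user, ts, len(burst)))
            rejected[user].clear()
    return alerts


def detect_enrollment_after_login(lines):
    """Return (user, enroll_time, detail) for MFA enrollments soon after a VPN login."""
    alerts = []
    last_login = {}  # user -> time of most recent successful VPN login
    for ts, user, event, detail in map(parse, lines):
        if event == "vpn_login" and detail == "success":
            last_login[user] = ts
        elif event == "mfa_enroll" and user in last_login:
            if ts - last_login[user] <= ENROLL_WINDOW:
                alerts.append((user, ts, detail))
    return alerts


if __name__ == "__main__":
    for user, when, size in detect_push_fatigue(SAMPLE_LOG):
        print(f"push-fatigue: {user} approved a push at {when} after {size} rejections")
    for user, when, detail in detect_enrollment_after_login(SAMPLE_LOG):
        print(f"enrollment: {user} enrolled MFA device ({detail}) at {when} shortly after VPN login")
```

On the constructed log, `alice` triggers both detectors (five rejected pushes followed by an approval, then a device enrollment six minutes after the VPN login) while `bob`, who approves a single push and enrolls nothing, triggers neither. The second detector is deliberately simple; in practice the enrollment alert would also be correlated with the source address and device fingerprint of the login, since enrolling a new MFA device is exactly how an attacker turns a one-time approval into durable access.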
Cisco confirmed that the continued intrusion attempts included establishing backdoor accounts and implementing persistence mechanisms, all indicative of sophisticated attack strategies. The adversary notably leveraged multiple tools, including remote access software like LogMeIn and TeamViewer, as well as offensive tools such as Cobalt Strike and Mimikatz, further increasing their access to internal systems.
Although no ransomware was deployed during this attack, Cisco described the tactics and techniques observed as consistent with “pre-ransomware activity,” which often precedes the deployment of ransomware on a target’s network. Following the breach, the attackers attempted to initiate further communication, urging Cisco executives to comply with ransom demands and hinting that the incident could be kept quiet to limit the potential fallout.
In response to the attack, Cisco implemented a company-wide password reset and emphasized that the incident did not affect its business operations or expose sensitive customer, employee, or intellectual property data. Since the breach, the company says it has successfully blocked subsequent attempts to infiltrate its network.
The incident serves as a stark reminder of the ever-evolving threat landscape. It underscores the necessity for organizations to enforce robust security protocols, including vigilant monitoring of employee accounts, and to educate staff about phishing and MFA fatigue tactics. The MITRE ATT&CK framework can be instrumental in assessing potential adversary tactics, with initial access and persistence being central themes in this incident, emphasizing the importance of comprehensive cybersecurity strategies in mitigating similar threats in the future.