Cisco Disputes Kraken Ransomware’s Data Breach Allegations

Cisco Systems has publicly denied allegations regarding a recent data breach, following reports from the Kraken ransomware group, which announced the release of confidential information purportedly extracted from the company’s internal network on its dark web leak site. The claims reported by Cyber Press included the exposure of credentials associated with Cisco’s Windows Active Directory environment.

The leaked data reportedly includes usernames linked to their respective domains, unique relative identifiers (RIDs) for user accounts, and hashed password representations (NTLM hashes). According to the findings, the compromised accounts span a range of privileges, including those of privileged administrators, standard users, service accounts, machine accounts related to domain controllers, and the critical Kerberos Ticket Granting Ticket (krbtgt) account.
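A dump in the form just described (domain, username, RID, NTLM hashes) is exactly the pwdump/hashdump line format, and the first defensive task is to turn such a list into a rotation plan. The following Python script is an added example for this article, not Cisco's tooling or anything from the leak: it parses lines of the form `DOMAIN\user:RID:LM:NT:::`, classifies each account by well-known RID and naming convention (the `svc` prefix for service accounts is an assumption), orders them for password rotation, and spots accounts that share a password. The sample lines and every hash in them are constructed placeholders.

```python
"""Triage of an exposed Active Directory credential dump into a rotation plan.

Added illustration for this article: the input format is the pwdump/hashdump
style the article's leak is described as (DOMAIN\\user:RID:LM:NT:::). The
sample lines and hashes below are constructed placeholders, not real data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

DUMP_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Well-known relative identifiers that are the same in every AD domain.
RID_ADMINISTRATOR = 500
RID_KRBTGT = 502


@dataclass
class AccountFinding:
    domain: str
    user: str
    rid: int
    nt_hash: str      # kept only to spot accounts that share a password
    kind: str         # krbtgt | builtin-admin | machine | service | user
    priority: int     # 1 = rotate first
    action: str


def classify(user, rid, service_prefixes=("svc",)):
    """Map an account to a rotation category and action (heuristics are assumptions)."""
    if rid == RID_KRBTGT or user.lower() == "krbtgt":
        return ("krbtgt", 1, "reset twice, at least one replication interval apart, "
                             "so previously issued TGTs stop validating")
    if rid == RID_ADMINISTRATOR:
        return "builtin-admin", 1, "reset immediately and review its recent logons"
    if user.endswith("$"):
        return "machine", 2, "force a computer account password change"
    if user.lower().startswith(service_prefixes):   # naming convention is an assumption
        return "service", 2, "rotate and update every dependent service; prefer a gMSA"
    return "user", 3, "force password change at next logon and revoke sessions"


def parse_dump(text):
    """Parse pwdump-style lines; comments and blank lines are skipped."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not in DOMAIN\\user:RID:LM:NT::: form")
        rid = int(m["rid"])
        kind, priority, action = classify(m["user"], rid)
        findings.append(AccountFinding(m["domain"] or "", m["user"], rid,
                                       m["nt"].lower(), kind, priority, action))
    return findings


def rotation_plan(findings):
    """Highest-impact accounts first; ties broken by RID so output is stable."""
    return sorted(findings, key=lambda f: (f.priority, f.rid))


def shared_passwords(findings):
    """Accounts with identical NT hashes share a password: rotate them together."""
    by_hash = defaultdict(list)
    for f in findings:
        by_hash[f.nt_hash].append(f.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


SAMPLE_DUMP = """
# constructed sample; every hash is a placeholder, not a real value
CORP\\Administrator:500:00000000000000000000000000000000:11111111111111111111111111111111:::
CORP\\krbtgt:502:00000000000000000000000000000000:22222222222222222222222222222222:::
CORP\\jdoe:1105:00000000000000000000000000000000:33333333333333333333333333333333:::
CORP\\svc_backup:1210:00000000000000000000000000000000:33333333333333333333333333333333:::
CORP\\DC01$:1001:00000000000000000000000000000000:55555555555555555555555555555555:::
"""

if __name__ == "__main__":
    plan = rotation_plan(parse_dump(SAMPLE_DUMP))
    for f in plan:
        print(f"P{f.priority} {f.kind:<14} {f.domain}\\{f.user} (RID {f.rid}): {f.action}")
    for users in shared_passwords(plan).values():
        print("shared password:", ", ".join(users))
```

The krbtgt handling is the point worth noting: a single reset of that account leaves tickets issued under the previous key valid, so the plan calls for two resets separated by at least one replication interval, and it puts the built-in Administrator and krbtgt ahead of machine, service and ordinary user accounts.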

Investigation into the leak suggests that the attackers likely used credential-dumping tools such as Mimikatz, pwdump, or hashdump to retrieve this sensitive information. Such tools are frequently used by cybercriminals and advanced persistent threat (APT) actors to capture credentials held in system memory. Accompanying the leaked data was a menacing message from the attackers, who implied intentions to inflict further damage.

In response to these claims, Cisco asserted that the exposed credentials are actually from a previously reported security incident that occurred in May 2022. The company stated, “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation, there was no impact to our customers.”

The original security incident involved unauthorized access gained through sophisticated voice phishing (vishing) attacks on a Cisco employee, whose personal Google account contained confidential company credentials. By circumventing multi-factor authentication (MFA), the attackers gained access to the employee's VPN. Cisco confirmed that the intruder was successfully removed and kept out despite later attempts to regain entry.

Cisco’s Cyber Security Incident Response Team (CSIRT) and Talos teams found no evidence that the attackers accessed critical internal systems, such as production environments or code-signing infrastructure. During its investigation of the May incident, Cisco assessed that the breach was linked to an initial access broker (IAB) with ties to UNC2447, a group tracked by Mandiant and known for deploying FiveHands malware, as well as to the Lapsus$ and Yanluowang ransomware operations.

While the claims from the Kraken ransomware group relate to an older incident, the resurgence of this information underscores the rising prevalence of credential-based cyberattacks, highlighting an urgent need for businesses to adopt robust security frameworks. Organizations should consider employing proactive defense strategies, including forced password resets, disabling NTLM authentication, utilizing multifactor authentication, and actively monitoring access logs for unauthorized activities.
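Two of the mitigations listed above, disabling NTLM and monitoring access logs, go together: before NTLM can be turned off, an organization needs to know which systems and accounts still depend on it, and the same logon events reveal whether exposed accounts are being used. The following Python script is an added example, not part of the article or Cisco's response: it audits Windows Security event 4624 (successful logon) records using that event's real field names (`AuthenticationPackageName`, `LmPackageName`, `TargetUserName`, `TargetDomainName`, `IpAddress`, `WorkstationName`), builds an inventory of NTLM use per source and account, and flags NTLMv1 logons and any NTLM logon by an account on an exposed list. The events and the exposed-account list are constructed for the example.

```python
"""Inventory NTLM logons from Windows Security event 4624 before disabling NTLM,
and flag logons by accounts known to be exposed.

Added illustration for this article's mitigation list; not Cisco's tooling.
Events below are constructed records using the field names event 4624 carries.
"""
from collections import Counter

# Constructed: lower-cased DOMAIN\\user keys of accounts seen in a leaked dump.
EXPOSED_ACCOUNTS = {"corp\\administrator", "corp\\svc_backup"}


def account_key(event):
    """Normalise DOMAIN\\user so exposed-list lookups are case-insensitive."""
    return f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}".lower()


def uses_ntlm(event):
    """True when the logon was authenticated with NTLM (directly or via Negotiate)."""
    pkg = event.get("AuthenticationPackageName", "")
    lm = event.get("LmPackageName", "-")
    return pkg == "NTLM" or lm.upper().startswith("NTLM")


def audit_logons(events, exposed_accounts):
    """Return (findings, ntlm_sources).

    findings: (severity, rule, account, source) tuples.
    ntlm_sources: Counter of (source, account) -> NTLM logon count, i.e. the
    inventory of who still depends on NTLM and would break if it were disabled.
    """
    findings = []
    ntlm_sources = Counter()
    for ev in events:
        if ev.get("EventID") != 4624 or not uses_ntlm(ev):
            continue
        key = account_key(ev)
        src = ev.get("IpAddress") or ev.get("WorkstationName") or "?"
        ntlm_sources[(src, key)] += 1
        if ev.get("LmPackageName", "").upper() == "NTLM V1":
            findings.append(("high", "ntlmv1", key, src))        # downgraded, weak protocol
        if key in exposed_accounts:
            findings.append(("high", "exposed-account", key, src))
        if ev.get("TargetUserName", "").endswith("$"):
            findings.append(("info", "machine-account-ntlm", key, src))
    return findings, ntlm_sources


# Constructed sample events (fields as exported from the Security log).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.0.5.23", "WorkstationName": "WS-0421"},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "IpAddress": "10.0.9.7", "WorkstationName": "BKP01"},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "asmith",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "IpAddress": "10.0.5.40", "WorkstationName": "WS-0108"},
    {"EventID": 4625, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "Administrator",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "-",
     "IpAddress": "198.51.100.14", "WorkstationName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "DC01$",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "10.0.0.11", "WorkstationName": "DC01"},
    {"EventID": 4624, "LogonType": 3, "TargetDomainName": "CORP", "TargetUserName": "Administrator",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "IpAddress": "198.51.100.14", "WorkstationName": "-"},
]

if __name__ == "__main__":
    findings, inventory = audit_logons(SAMPLE_EVENTS, EXPOSED_ACCOUNTS)
    for sev, rule, account, src in findings:
        print(f"[{sev}] {rule}: {account} from {src}")
    print("NTLM dependency inventory (source, account) -> count:")
    for (src, account), n in inventory.most_common():
        print(f"  {src} {account}: {n}")
```

The inventory is what makes "disable NTLM" actionable: anything still appearing in it will break when NTLM is turned off, so it should be moved to Kerberos or explicitly excepted first. The failed-logon record (event 4625) is deliberately ignored here because the script audits successful authentication; failed attempts against exposed accounts belong in a separate brute-force or spray detection.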

The tactics used in this incident align with several MITRE ATT&CK categories, notably initial access and credential dumping, which underscore the necessity of rigorous cybersecurity measures in today’s threat landscape. As the frequency of such attacks continues to escalate, businesses must remain vigilant and prioritize their security postures to mitigate potential risks.
