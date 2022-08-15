



Cisco confirms a security breach by the Yanluowang ransomware gang in May 2022.

Networking giant Cisco Systems is the latest victim of a hack. The company confirmed that the attackers used a compromised personal Google account belonging to one of its employees, after the Yanluowang ransomware gang added a list of files obtained from the company to its data leak site.

Hacking details

On Wednesday, August 10, 2022, Cisco Systems confirmed that it had suffered a cyber attack on May 24, 2022. Sharing its findings, the network equipment provider said the attackers had compromised an employee's personal Google account, which held Cisco credentials that had been saved in the employee's web browser and synced to the account.

The attackers gained initial access to the corporate VPN after compromising that Google account. Credential syncing was enabled in the Chrome browser, where the targeted employee had also stored their Cisco credentials.

As a result, the attacker could retrieve the Cisco credentials synced to the Google account. On August 10, the Yanluowang ransomware gang indirectly took responsibility for the breach by publishing files stolen in the intrusion.

[Image: Yanluowang ransomware gang website (Hackread.com)]

Investigation into possible compromise

Cisco Talos launched an investigation into the May hack and described it as a potential breach in a detailed report released Wednesday. The investigation was conducted by the Cisco Talos threat research team.

Forensic details confirmed the involvement of the Yanluowang threat group with ties to the Lapsus$ and UNC2447 cybercriminal groups. For reference, Lapsus$ was behind some of the most high-profile data breaches in recent months, including Microsoft, Okta, T-Mobile, Samsung, and Ubisoft.

Regarding the Cisco breach, the researchers concluded that while the attackers were unsuccessful in deploying the ransomware, they managed to infiltrate the network and deploy a series of hacking tools. The attackers also scanned the company's internal network, according to the researchers, a common step prior to deploying ransomware.

How did the attacker bypass MFA?

Cisco says the hackers used a variety of techniques to bypass the multi-factor authentication protecting the VPN client, including voice phishing (aka vishing) and MFA fatigue. In MFA fatigue, the attacker sends a large number of push requests to the target's device until the user accepts one, simply to stop the notifications.

Threat researchers at Cisco Talos confirmed that an MFA spoofing attack launched against an employee ultimately succeeded, allowing the attackers to run the VPN software. After gaining initial access, the attacker enrolled several new devices for MFA and successfully authenticated to the company's VPN.

User education is also an important part of combating MFA bypass techniques given that attackers have demonstrated the ability to gain initial access using a wide range of techniques. Equally important in implementing MFA is ensuring that employees are educated on what to do and how to respond if they receive an erroneous push request on their respective phones. It is also imperative to educate employees on who to contact in the event of such an incident to help determine if the event is technical or malicious.

Cisco Talos Threat Researcher
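As an added example, not code from Cisco or Talos, the following Python flags the two signals described above in constructed MFA logs: a burst of unanswered or denied push requests that ends in an accept, followed by a new MFA device enrolled within the hour. The log format, user names and thresholds are assumptions.

```python
# Added example (not Cisco's code): flag MFA push fatigue, then a new MFA device
# enrolled soon after the accept. Log format and lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
SAMPLE_LOG = """\
2022-05-24T02:11:05 jdoe push_sent timeout
2022-05-24T02:12:10 jdoe push_sent timeout
2022-05-24T02:13:20 jdoe push_sent denied
2022-05-24T02:14:30 jdoe push_sent timeout
2022-05-24T02:18:45 jdoe push_sent accepted
2022-05-24T02:31:00 jdoe device_enrolled ok
2022-05-24T09:00:00 asmith push_sent accepted
"""

def parse(text):
    """Each line: <ISO timestamp> <user> <event> <result>; returns sorted tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event, result = line.split()
            events.append((datetime.fromisoformat(ts), user, event, result))
    return sorted(events)

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Users whose accepted push followed >= threshold unanswered or denied
    pushes within `window`; returns {user: (accept_time, prior_count)}."""
    pushes = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_sent":
            pushes[user].append((ts, result))
    flagged = {}
    for user, items in pushes.items():
        for i, (ts, result) in enumerate(items):
            prior = [p for p in items[:i] if ts - p[0] <= window and p[1] != "accepted"]
            if result == "accepted" and len(prior) >= threshold:
                flagged[user] = (ts, len(prior))
                break
    return flagged

def find_enrollment_after_accept(events, flagged, window=timedelta(hours=1)):
    """Flagged users who enrolled a new MFA device within `window` after the
    suspicious accept, the sequence described above; returns {user: time}."""
    return {user: ts for ts, user, event, _ in events
            if event == "device_enrolled" and user in flagged
            and timedelta(0) <= ts - flagged[user][0] <= window}

def analyze(text):
    events = parse(text)
    flagged = find_push_fatigue(events)
    return flagged, find_enrollment_after_accept(events, flagged)
```

A single accepted push with no preceding failures (asmith in the sample) is not flagged, so normal logins do not trip the rule.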

The attacker then escalated to administrative privileges and was able to log in to multiple systems. This raised suspicion, and the Cisco Security Incident Response Team stepped in to mitigate the threat.

Further digging revealed that the ransomware gang used remote access and offensive security tools in the attack. These tools included:

Cisco then implemented password resets across its internal network and published its findings in a report. The company also created two ClamAV signatures to prevent additional breaches.

Sources
1/ https://Google.com/
2/ https://www.hackread.com/cisco-confirms-breach-employee-google-account-hacked/

