
Cisco Hacked By Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen


Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.

The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.

Cisco said it did not identify any impact on its business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

On August 10 the bad actors published a list of files from this security incident on the dark web.

Stolen employee credentials used to breach Cisco’s network

The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account.

The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks.

The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
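The pattern described above, a run of push prompts that the user refuses or ignores until one is finally approved, is visible in MFA provider logs and can be alerted on. The following is an added example, not Cisco's or Cisco Talos's code; it runs over constructed sample events, and the field names and thresholds are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not Cisco's logs); the field names are an assumption.
# Each record is one MFA push prompt and how the user responded to it.
SAMPLE_EVENTS = [
    {"ts": "2022-05-24T02:10:05Z", "user": "jdoe", "result": "timeout"},
    {"ts": "2022-05-24T02:11:20Z", "user": "jdoe", "result": "denied"},
    {"ts": "2022-05-24T02:12:02Z", "user": "jdoe", "result": "denied"},
    {"ts": "2022-05-24T02:13:48Z", "user": "jdoe", "result": "timeout"},
    {"ts": "2022-05-24T02:15:31Z", "user": "jdoe", "result": "denied"},
    {"ts": "2022-05-24T02:18:09Z", "user": "jdoe", "result": "approved"},
    {"ts": "2022-05-24T08:00:00Z", "user": "asmith", "result": "approved"},
    {"ts": "2022-05-24T17:30:00Z", "user": "asmith", "result": "approved"},
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_mfa_fatigue(events, window=timedelta(minutes=15), min_pushes=5):
    """Return one alert per user whose push prompts inside `window` number at
    least `min_pushes`, were refused or ignored until the last one, and end in
    an approval. That shape (many refusals, then an accept) is the fatigue
    pattern; a user who approves two normal logins in a day does not match."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((_parse(e["ts"]), e["result"]))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the burst fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            refused = sum(1 for _, r in burst[:-1] if r != "approved")
            if (len(burst) >= min_pushes and burst[-1][1] == "approved"
                    and refused >= min_pushes - 1):
                alerts.append({"user": user, "pushes": len(burst),
                               "first": burst[0][0], "approved_at": burst[-1][0]})
                break  # one alert per user is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        minutes = (a["approved_at"] - a["first"]).seconds // 60
        print(f"{a['user']}: {a['pushes']} pushes in {minutes} min, then approved")
```

An alert of this shape is a trigger to revoke the session and re-verify the user out of band, not proof of compromise on its own.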

Cisco Talos said they moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers.

Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks.

Hackers claim to steal data from Cisco

Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack.

The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.

The threat actors also sent a redacted NDA document stolen in the attack to BleepingComputer as proof of the attack.

No ransomware was deployed on Cisco’s systems

Cisco also said that, even though the Yanluowang gang is known for encrypting their victims’ files, it found no evidence of ransomware payloads during the attack.

The TTPs used were consistent with "pre-ransomware activity," activity commonly observed leading up to the deployment of ransomware in victim environments.

Cisco Talos wrote: "We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ group, and Yanluowang ransomware operators."
