An attacker infiltrated Cisco's corporate network and stole data in the latest attack in which social engineering phone calls helped bypass multi-factor authentication (MFA), the networking giant has disclosed. While no critical systems were breached, the details of the compromise underline how routinely attackers now get past MFA, and the need for renewed employee training to mitigate that risk.
The initial Cisco network hack happened in May 2022, and Cisco said its security teams had been tracking the attacker's activity since then. Yesterday (August 10) the Yanluowang ransomware group added a list of the stolen files to its leak site, prompting Cisco to disclose further information and indicators of compromise (IOCs) on the breach.
A blog by Cisco's threat intelligence team details how the attack gained and sustained access and includes a number of details that may be of interest to CISOs and security teams looking to improve their security posture, as social engineering and phishing attacks designed to bypass MFA continue to mount.
The initial compromise was of a personal Google account belonging to a Cisco employee. The employee had enabled browser password syncing, so their Cisco credentials stored in the browser had been synchronised into that Google account. The attacker, believed to be an initial access broker tied to a ransomware gang, then combined "MFA fatigue", in which large numbers of authentication push requests are sent to the target's device in the hope that they approve one, either by accident or simply to stop the flood of notifications, with a series of voice-phishing ("vishing") calls in which the attacker posed as staff from various support providers to Cisco. The goal was access to a corporate VPN account from which the breach could be escalated.
“Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user,” said Cisco Talos.
Cisco also recommended workers be better-informed about MFA: “Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.”
After the employee finally accepted a push request, the attacker enrolled new MFA devices under the account and authenticated to the Cisco VPN, then escalated to administrative privileges and installed tools including TeamViewer, Cobalt Strike and Mimikatz. Cisco says it was the escalation to admin privileges that alerted its security team to the Cisco network hack.
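The push-bombing pattern described above is easy to spot in identity-provider logs once you look for it. The following is an added example, not code from Cisco, Talos or The Stack: it runs two checks over constructed sample audit records whose format is an assumption (a burst of push requests to one user inside a short window, and a new MFA device enrolled shortly after a burst that ended in an approval). The thresholds are assumptions to tune per environment.

```python
"""Added example (not Cisco's or Talos's code): flag the push-bombing pattern
described above in identity-provider audit records.

The record shape is an assumption for this example, not a real vendor's
log format:
  {"ts": ISO-8601 UTC, "user": str, "event": "push" | "device_added",
   "result": "approved" | "denied" | "timeout"   (push events only),
   "src_ip": str}
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=30)   # assumption: tune per environment
BURST_MIN_PUSHES = 5                   # assumption
ENROLL_WINDOW = timedelta(hours=6)     # assumption

# Constructed sample log: seven pushes to "jdoe" in 20 minutes, the last
# one approved, then a new MFA device enrolled 40 minutes later.
# "asmith" is a normal user with two approvals a day apart.
SAMPLE_LOG = [
    {"ts": "2022-05-24T02:00:10Z", "user": "jdoe", "event": "push", "result": "denied", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:02:40Z", "user": "jdoe", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:05:05Z", "user": "jdoe", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:09:30Z", "user": "jdoe", "event": "push", "result": "denied", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:13:12Z", "user": "jdoe", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:17:55Z", "user": "jdoe", "event": "push", "result": "timeout", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T02:20:01Z", "user": "jdoe", "event": "push", "result": "approved", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-24T03:00:44Z", "user": "jdoe", "event": "device_added", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-23T09:00:00Z", "user": "asmith", "event": "push", "result": "approved", "src_ip": "198.51.100.4"},
    {"ts": "2022-05-24T09:01:00Z", "user": "asmith", "event": "push", "result": "approved", "src_ip": "198.51.100.4"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def push_bursts(log):
    """Sliding window over each user's pushes. For every user who received at
    least BURST_MIN_PUSHES pushes inside one BURST_WINDOW, returns
    {user: (count, window_end, approved_inside_burst)} for their largest burst."""
    pushes = defaultdict(list)
    for rec in log:
        if rec["event"] == "push":
            pushes[rec["user"]].append((parse_ts(rec["ts"]), rec["result"]))
    hits = {}
    for user, items in pushes.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BURST_MIN_PUSHES and (user not in hits or count > hits[user][0]):
                approved = any(r == "approved" for _, r in items[start:end + 1])
                hits[user] = (count, items[end][0], approved)
    return hits


def enrollment_after_burst(log):
    """Highest-severity signal: a new MFA device registered within
    ENROLL_WINDOW after a burst that contained an approval, i.e. the attacker
    making the foothold persistent. Returns [(user, enrollment_ts)]."""
    bursts = push_bursts(log)
    findings = []
    for rec in log:
        if rec["event"] != "device_added":
            continue
        burst = bursts.get(rec["user"])
        if burst is None or not burst[2]:
            continue
        burst_end = burst[1]
        t = parse_ts(rec["ts"])
        if burst_end <= t <= burst_end + ENROLL_WINDOW:
            findings.append((rec["user"], rec["ts"]))
    return findings


if __name__ == "__main__":
    for user, (count, end, approved) in push_bursts(SAMPLE_LOG).items():
        print(f"push burst: {user} {count} pushes ending {end.isoformat()} approved={approved}")
    for user, ts in enrollment_after_burst(SAMPLE_LOG):
        print(f"ALERT: {user} enrolled a new MFA device at {ts} after a push burst")
```

A burst of denied or timed-out pushes with no approval is still worth a call to the user, since it means someone holds their password; a burst followed by an approval and then a new device enrollment is the point at which to revoke sessions and reset the account rather than wait for the admin-privilege escalation that alerted Cisco.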
The incident comes amid a flurry of reports of social engineering-initiated breaches against technology vendors, with both Twilio and Cloudflare admitting attackers gained access to their systems this week.
(Cloudflare's writeup may be useful for enterprises to note. As the company emphasised, "three Cloudflare employees fell for the phishing message and entered their credentials. However, Cloudflare does not use TOTP codes. Instead, every employee at the company is issued a FIDO2-compliant security key from a vendor like YubiKey. Since the hard keys are tied to users and implement origin binding, even a sophisticated, real-time phishing operation like this cannot gather the information necessary to log in to any of our systems. While the attacker attempted to log in to our systems with the compromised username and password credentials, they could not get past the hard key requirement...")
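Cloudflare's point about origin binding is the crux of why security keys held where TOTP did not. The block below is an added example, not Cloudflare's or Cisco's code: it simulates the relying-party binding checks on a WebAuthn assertion and contrasts them with an RFC 6238 TOTP code. The RP ID, the allowed and phishing origins, the challenge and the TOTP secret are constructed values, and signature verification is left out because a relayed assertion already fails at the origin check before the signature is examined.

```python
"""Added example (not Cloudflare's or Cisco's code): why a relayed
FIDO2/WebAuthn assertion fails at the relying party while a relayed TOTP
code succeeds.

Only the binding checks of WebAuthn assertion verification are shown
(ceremony type, challenge, origin, rpIdHash, user-presence flag); the
signature over authenticatorData || SHA-256(clientDataJSON) is omitted
because the relay already fails before it. RP_ID, ALLOWED_ORIGINS, the
phishing origin and the TOTP secret are constructed values.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                              # assumption
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumption


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID) -> dict:
    """Simulate what browser + authenticator hand back to a page on `origin`.
    The browser writes `origin` into clientDataJSON itself; page script cannot
    change it, and the browser refuses an rp_id that is not a suffix of the
    origin's domain, so a phishing page only ever gets its own origin/RP ID."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge),
                   "origin": origin, "crossOrigin": False}
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                       # UP (user present) bit
    sign_count = (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url(json.dumps(client_data).encode()),
            "authenticatorData": b64url(rp_id_hash + flags + sign_count)}


def verify_bindings(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(client_data.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Nothing here names where the code was
    typed, so a code captured by a phishing page verifies at the real site."""
    counter = (unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relay_demo():
    """Adversary-in-the-middle: the kit forwards the RP's real challenge to
    the victim on the phishing origin and relays whatever comes back."""
    challenge = secrets.token_bytes(32)
    genuine = build_assertion("https://login.example.com", challenge)
    relayed = build_assertion("https://login-example.com", challenge,
                              rp_id="login-example.com")
    # TOTP: the victim types the code on the phishing page, the kit submits
    # the same string to the RP, and the RP has nothing to bind it to.
    secret, now = b"12345678901234567890", 1660000000     # constructed
    code_typed_on_phishing_page = totp(secret, now)
    rp_accepts_relayed_code = hmac.compare_digest(code_typed_on_phishing_page, totp(secret, now))
    return verify_bindings(genuine, challenge), verify_bindings(relayed, challenge), rp_accepts_relayed_code


if __name__ == "__main__":
    print(relay_demo())
```

The challenge check stops replay of an old assertion, but it is the origin and rpIdHash checks that stop a live proxy: the proxy can forward the genuine challenge, yet the victim's browser stamps the proxy's origin into clientDataJSON and will not even run the ceremony for the real RP ID from that origin.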
Cisco network hack was 'pre-ransomware activity'
According to the Cisco report, the attacker’s activity appeared to be “pre-ransomware” in nature – the preparatory work done before encrypting and/or exfiltrating data, which Cisco said it had seen frequently in the past.
“Many of the TTPs observed are consistent with activity observed by [Cisco Talos Incident Response] during previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe deployment of ransomware in the victim environments,” said Cisco.
The firm also said the Cisco network hack attacker repeatedly tried to steal data, apparently without much success: “We confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder that was associated with a compromised employee’s account and employee authentication data from active directory. The Box data obtained by the adversary in this case was not sensitive.”
A quick look at the list published by Yanluowang shows 3,176 files in 2,111 directories, totalling around 2.8GB. While the files listed appear to include some coding projects, many of them appear to be non-disclosure agreements (a lot of them saved as PowerPoint files, which is a discussion for another time, Cisco…).
According to the blog post, the attacker was probably an initial access broker (IAB) with potential ties to Lapsus$, the Russian-linked group UNC2447 and the Yanluowang ransomware group, based on the tools and techniques used. IABs break into organisations and then sell that access on to groups such as these.
Once the attacker was kicked out of Cisco’s network, they carried on looking for access over the next few weeks: “In most cases, the attacker was observed targeting weak password rotation hygiene following mandated employee password resets. They primarily targeted users who they believed would have made single character changes to their previous passwords, attempting to leverage these credentials to authenticate and regain access to the Cisco VPN.
“The attacker was initially leveraging traffic anonymization services like Tor; however, after experiencing limited success, they switched to attempting to establish new VPN sessions from residential IP space using accounts previously compromised during the initial stages of the attack. We also observed the registration of several additional domains referencing the organization while responding to the attack and took action on them before they could be used for malicious purposes,” said the blog.
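The single-character rotations Cisco describes are exactly what a password-history check that only compares hashes cannot catch, because the hash of "Summer2023" says nothing about its distance from the hash of "Summer2022". As an added example, not Cisco's code, the following check runs in the change-password path, where the current password is available in cleartext for the duration of the request, and rejects small edits, re-used base words and old-password-as-prefix; the thresholds and canonicalisation rules are assumptions.

```python
"""Added example (not Cisco's code): a password-change check that rejects the
single-character "rotation" the attacker was betting on. It runs in the
change-password path, where the server holds the current password in
cleartext for the request; it cannot be applied to older, hashed history
entries. Thresholds and the canonicalisation rules are assumptions.
"""
import re

MIN_LENGTH = 12           # assumption
MAX_EDIT_DISTANCE = 2     # assumption: edits this small are a rotation, not a change

# Common substitutions undone before comparison (assumption, deliberately small).
_LEET = str.maketrans("@$!01345", "asioieas")


def canonicalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/symbols (the usual year or counter
    suffix), undo leet substitutions, keep letters only. Heuristic: a password
    that legitimately ends in digits loses them here, which is fine for a
    similarity check."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = s.translate(_LEET)
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; O(len(a)*len(b)) is fine for password-sized strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rotation_ok(old: str, new: str) -> tuple:
    """Return (accepted, reason) for a proposed change from `old` to `new`."""
    if len(new) < MIN_LENGTH:
        return False, "too short"
    if new == old:
        return False, "unchanged"
    if levenshtein(old, new) <= MAX_EDIT_DISTANCE:
        return False, "too similar to previous password (small edit)"
    base_old, base_new = canonicalize(old), canonicalize(new)
    if base_new and levenshtein(base_old, base_new) <= MAX_EDIT_DISTANCE:
        return False, "same base word as previous password"
    if len(base_old) >= 4 and base_old in base_new:
        return False, "previous password reused inside the new one"
    return True, "ok"


# Constructed examples of the "last password plus one character" guesses an
# attacker would try, alongside a genuine change.
SAMPLE_CHANGES = [
    ("Cisco-Summer2022!", "Cisco-Summer2023!"),       # year bumped
    ("Cisco-Summer2022!", "C1sco-Summer2023!!"),      # leet + year + extra symbol
    ("Cisco-Summer2022!", "Cisco-Summer2022!Extra"),  # old one kept as a prefix
    ("Cisco-Summer2022!", "Winter-Mountain-47!"),     # genuinely new
]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        print(f"{old!r} -> {new!r}: {rotation_ok(old, new)}")
```

Forced resets after an incident only help if the new secret is not derivable from the old one; pairing a check like this with a breached-password list lookup on the new value closes the other obvious gap, and moving the VPN to phishing-resistant MFA removes the value of the guessed password altogether.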
Cisco provides a full list of TTPs and IOCs on its blog, and noted that it has created two ClamAV signatures covering the attacker's tooling.