Cisco has confirmed that there has been a cyber attack due to the breach of employee login details.
While Cisco says it didn’t suffer any serious consequences as a result of the May 2022 incident, a threat entity that was able to stay online for a while before being evicted is begging for a different one.
According to Cisco, the attackers are initial access brokers tied to the UNC2447 cybercriminal gang, a group of actors dealing with Lapsus $ threats and Yanluowang ransomware. (opens in a new tab) operators. They managed to infiltrate the employee’s personal Google account, which was syncronized with their browser and contained all of the login credentials.
Pushing the intruder out
The attacker then launched a “series of sophisticated voice phishing attacks” that resulted in the employee accepting multi-factor authentication (MFA) push notifications.
This gave them access to the VPN in the context of the target user, which they used to move sideways to Citrix servers and domain controllers. “They moved to the Citrix environment, compromising the Citrix server series, and eventually gained privileged access to domain controllers,” said Cisco in his announcement (opens in a new tab).
That’s when, according to Cisco, they were noticed and pushed out. “The threat actor was successfully removed from the environment and showed persistence repeatedly trying to regain access within weeks of the attack; however, these attempts were unsuccessful.
While the company said no serious damage was done, the attackers contacted: A hissing computer (opens in a new tab)stating otherwise, claiming to have stolen over 3,000 files, including NDAs, data snapshots, and engineering drawings. The entire database weighs 2.75 GB and was published on the extortionist’s data leak page.
Cisco downplayed the theft, claiming that the data was non-confidential and had been retrieved from the victim’s Box folder.
“Cisco did not identify any impact on our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property or supply chain operations,” it wrote.
“On August 10, bad actors released a list of files from this dark web security incident. We have also implemented additional measures to protect our systems and are sharing technical details to help protect the wider security community. “