Cisco was hacked by the ransomware gang Yanluowang
Security Affairs


Cisco revealed a security breach: the Yanluowang ransomware group breached its corporate network in late May and stole internal data.

An investigation by the Cisco Security Incident Response Team (CSIRT) and Cisco Talos revealed that the threat actors obtained the credentials of a Cisco employee after taking control of a personal Google account to which the credentials stored in the victim’s browser were being synchronized.

Once the credentials were obtained, the attackers launched voice phishing attacks with the aim of tricking the victim into accepting the MFA push notification initiated by the attacker.

After obtaining an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user.

“Initial access to the Cisco VPN was gained through the successful compromise of a Cisco employee’s personal Google account. The user had enabled password synchronization through Google Chrome and stored their Cisco credentials in their browser, allowing this information to sync with their Google account,” reads the analysis published by Cisco Talos. “After obtaining the user’s credentials, the attacker attempted to bypass multi-factor authentication (MFA) using a variety of techniques, including voice phishing (aka ‘vishing’) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply in an attempt to silence the repeated push notifications they receive.”

The attacker carried out a series of sophisticated voice phishing calls, posing as various trusted organizations, in an attempt to convince the victim to accept the multi-factor authentication (MFA) push notifications the attacker was initiating. The attacker eventually obtained an MFA push acceptance, granting them access to the VPN in the context of the targeted user.

According to Talos, once the attacker gained initial access, they enrolled a series of new devices for MFA and successfully authenticated to the Cisco VPN. They then escalated to administrative privileges and logged into multiple systems, dropping several tools onto the network, including the remote access tools LogMeIn and TeamViewer, as well as Cobalt Strike, PowerSploit, Mimikatz, and Impacket.
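The two patterns described above, a burst of MFA push requests ending in an approval and a new MFA device enrolled shortly after a login from an address the user had never used, are both visible in MFA provider logs. The following is an added example of detection logic for them, written for this page and not code from Cisco or Talos; the log format, the user names, the IP addresses and the timestamps are constructed for illustration and do not reflect any vendor’s real schema or any data from the incident.

```python
"""Detect MFA push fatigue and suspicious post-login MFA device enrollment.

Added example for this article, not Cisco's or Talos's code. The event
format below is a constructed, generic key=value style, not a real vendor
schema; adapt parse_line() to the provider actually in use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (synthetic users, IPs and times). "jdoe" shows
# a push-bombing burst followed by an approval, a VPN login from an IP
# never used before, and then a new MFA device enrolled; "asmith" is a
# normal single-push login and must not alert.
SAMPLE_LOG = """\
2022-05-23T08:30:00Z user=jdoe event=push_sent src=192.0.2.10
2022-05-23T08:30:20Z user=jdoe event=push_approved src=192.0.2.10
2022-05-23T08:31:00Z user=jdoe event=vpn_login src=192.0.2.10
2022-05-24T09:00:00Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:00:40Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:01:20Z user=jdoe event=push_denied src=203.0.113.5
2022-05-24T09:02:00Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:03:00Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:04:00Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:05:00Z user=jdoe event=push_sent src=203.0.113.5
2022-05-24T09:05:30Z user=jdoe event=push_approved src=203.0.113.5
2022-05-24T09:06:00Z user=jdoe event=vpn_login src=203.0.113.5
2022-05-24T09:20:00Z user=jdoe event=device_enrolled src=203.0.113.5
2022-05-24T09:00:10Z user=asmith event=push_sent src=198.51.100.9
2022-05-24T09:00:25Z user=asmith event=push_approved src=198.51.100.9
2022-05-24T09:01:00Z user=asmith event=vpn_login src=198.51.100.9
"""


@dataclass(frozen=True)
class MfaEvent:
    ts: datetime
    user: str
    kind: str     # push_sent | push_denied | push_approved | vpn_login | device_enrolled
    src_ip: str


def parse_line(line: str) -> MfaEvent:
    """Parse one constructed '<iso-utc> user=.. event=.. src=..' line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return MfaEvent(ts, fields["user"], fields["event"], fields["src"])


def parse_log(text: str) -> dict:
    """Group events per user, sorted by time (log lines may arrive out of order)."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev.user].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: e.ts)
    return by_user


def detect_push_fatigue(by_user: dict, threshold: int = 5,
                        window: timedelta = timedelta(minutes=15)) -> list:
    """Alert when an approval is preceded by >= threshold pushes inside `window`.

    Returns (user, approval time as ISO string, number of pushes in the window).
    """
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.kind != "push_approved":
                continue
            pushes = [p for p in evs[:i]
                      if p.kind == "push_sent" and ev.ts - p.ts <= window]
            if len(pushes) >= threshold:
                alerts.append((user, ev.ts.isoformat(), len(pushes)))
    return alerts


def detect_enrollment_after_new_ip(by_user: dict,
                                   window: timedelta = timedelta(hours=1)) -> list:
    """Alert on a device enrollment soon after an approval, from an IP the user
    had never completed a VPN login from before that approval.

    Returns (user, enrollment time as ISO string, source IP).
    """
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.kind != "device_enrolled":
                continue
            approvals = [a for a in evs[:i]
                         if a.kind == "push_approved" and ev.ts - a.ts <= window]
            if not approvals:
                continue
            approval = approvals[-1]
            known_ips = {p.src_ip for p in evs
                         if p.kind == "vpn_login" and p.ts < approval.ts}
            if ev.src_ip not in known_ips:
                alerts.append((user, ev.ts.isoformat(), ev.src_ip))
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in detect_push_fatigue(events):
        print("push fatigue:", alert)
    for alert in detect_enrollment_after_new_ip(events):
        print("new device after login from new IP:", alert)
```

The threshold and windows are starting points, not tuned values: a real deployment would baseline per-user push volume and key the "known IP" set off a longer history than a single log extract, but the two rules together catch the sequence described above (burst of pushes, approval, login, new device) with no dependence on the attacker's tooling.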

The Talos researchers added that the attackers were unable to steal sensitive data from the IT giant.

“We have confirmed that the only successful data exfiltration that occurred during the attack included the contents of a Box folder associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive,” continues the analysis.

Cisco said the Yanluowang gang did not deploy any ransomware on its network during the attack.

The Yanluowang ransomware group is attempting to extort the company: it has published a list of files it claims to have stolen and is threatening to release all of the stolen data if Cisco does not pay the ransom.

“Although we did not observe any ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity’, a commonly observed activity leading to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR in previous engagements. Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements. In previous engagements, we did not observe any deployment of ransomware in the victims’ environments,” Talos experts conclude.

Pierluigi Paganini
