Cisco recently disclosed a breach in which an employee was tricked into accepting a malicious multifactor authentication (MFA) prompt following voice phishing. The breach resulted in the attackers gaining access to the organisation's virtual private network (VPN) and stealing an unknown quantity of information from its network.
The attacker obtained the Cisco employee's corporate credentials from the encrypted password store in Google Chrome after taking over the employee's personal Google account, into which the browser synchronised those saved credentials.
The attacker then used vishing (voice phishing), repeatedly pushing MFA authentication requests to the employee's phone, and other methods to get around the MFA protecting Cisco's corporate VPN. At some point the employee, either by mistake or because of alert fatigue, accepted one of the push requests, giving the attacker access to Cisco's network.
According to the confirmation, which was made public in a Talos blog post, Cisco first became aware of a possible threat on May 24. Following further investigation by the Cisco Security Incident Response Team (CSIRT), the suspected compromise was confirmed to be a network intrusion.
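One defender-side check for the push-bombing pattern described above, as an added example that is not part of the original article or of Cisco's own tooling; the log format, the ten-minute window and the five-prompt threshold are assumptions, and the log lines are constructed:

```python
"""Detect MFA push-fatigue bursts in constructed push-notification logs.

Flags a user when at least THRESHOLD push prompts arrive inside WINDOW and
reports whether the burst ended with an approval, which is the outcome that
gave the attacker VPN access in the incident described above.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: burst window
THRESHOLD = 5                   # assumption: prompts per window that count as a burst

# Constructed sample log lines: "<ISO timestamp> user=<id> push=<result>"
SAMPLE_LOG = """\
2022-05-24T08:01:10 user=jdoe push=denied
2022-05-24T08:01:55 user=jdoe push=timeout
2022-05-24T08:02:40 user=jdoe push=denied
2022-05-24T08:03:20 user=jdoe push=timeout
2022-05-24T08:04:05 user=jdoe push=denied
2022-05-24T08:05:30 user=jdoe push=approved
2022-05-24T08:10:00 user=asmith push=approved
2022-05-24T15:30:00 user=jdoe push=approved
"""


def parse(log_text):
    """Yield (timestamp, user, result) tuples from the log format above."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user_kv, push_kv = line.split()
        yield datetime.fromisoformat(ts), user_kv.split("=", 1)[1], push_kv.split("=", 1)[1]


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"prompts": n, "ended_with_approval": bool}} for bursty users.

    A sliding window runs over each user's prompts in time order; the most
    recent position where the window holds >= threshold prompts is kept, so
    the finding reflects how the burst ended (e.g. denied, denied, approved).
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(parse(log_text)):
        by_user[user].append((ts, result))
    findings = {}
    for user, events in by_user.items():
        start = 0
        for end, (ts, result) in enumerate(events):
            while ts - events[start][0] > window:  # drop prompts older than the window
                start += 1
            if end - start + 1 >= threshold:
                findings[user] = {"prompts": end - start + 1,
                                  "ended_with_approval": result == "approved"}
    return findings
```

An approval that closes a burst of denials or timeouts is the signal worth alerting on, since a lone approval hours later (the 15:30 line) is ordinary use.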
In a press statement, Cisco said:
“As soon as the attack happened, we mitigated its effects, isolated and eliminated the malicious actors, and further protected our IT systems. Since Cisco learned of the issue, no ransomware has been seen or used, and Cisco has successfully stopped attempts to penetrate Cisco’s network.”
Who is responsible for the Cisco attack?
The security provider RSA was attacked in 2011 by two state-sponsored groups with links to China in order to obtain important data. That data served as the foundation for the SecurID tokens the company provided.
In the largest recent attack of this kind, the group Microsoft designates Nobelium, which has ties to Russia, compromised SolarWinds and used a tainted update to infect the firm’s clients.
According to Cisco, the first entry point was a spear phishing attack on a worker’s personal Google account, which ultimately resulted in the compromise of the employee’s login information and access to the Cisco VPN.
The threat actor has been identified as an initial access broker with connections to the Yanluowang ransomware ring and the Russian group UNC2447. After considerable effort over the following weeks, the group was evicted from the network and prevented from re-entering.
Its tactics, techniques, and procedures (TTPs) also showed significant similarities to those of the Lapsus$ group, a substantial portion of which had been arrested earlier in the year.
According to Cisco:
“Vendors often have access to consumers in the government and business sectors, giving them the ability to help supply chain attacks that are effective and undetectable. Vendors frequently have useful information about cyberthreats. The goal of counterintelligence activities by the bad guys is to learn more about where law enforcement and private suppliers stand in their investigations and future police raids.”
According to the Cisco Talos investigation, the attacker also obtained extensive access to Cisco’s network, using the compromised account to log in to “a significant number of systems” and several Citrix servers and to gain privileged access to domain controllers. To reach those systems, the attacker used existing remote desktop protocol (RDP) accounts, removing firewall rules that would otherwise have blocked that access.
Cisco thinks the threat actor is an initial access broker, or an adversary who gets illegal access to corporate networks and then offers that access for sale as a service on the Dark Web.
According to the Talos investigation, the targeted employee told Cisco that the threat actor or its affiliates spoke English with a range of regional accents and claimed to belong to a support organisation the employee was familiar with.