Damien Black Senior Journalist Updated on: 11 August 2022
Cisco has confirmed that it was hacked earlier this year, in a breach that reportedly saw it stripped of 2.75GB of data.
The admission marks the latest stage in what appears to be a general escalation in the wider cyberwar, with cybersecurity companies increasingly targeted themselves by threat actors.
According to the company’s own account, threat actors published a list of data they stole from Cisco on the dark web on August 10, prompting it to respond with an admission that it had been breached back in May.
Though Cisco sought to play down the attack, claiming that nothing of real value was taken, the revelation confirms that it has joined Twilio and Cloudflare, both recently targeted by the very cybercriminals they seek to defend against.
“We took immediate action to contain and eradicate the bad actors,” said Cisco. “We have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.”
The cybersecurity firm claims that none of its products, services, sensitive customer or employee data, intellectual property, or supply chain operations have been affected by the attack.
Cisco’s own threat intelligence group, Talos, believes the attack was the work of “an adversary previously identified as an initial-access broker with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”
Talos further believes the cybersecurity company’s defenses were breached “via the successful compromise of a Cisco employee’s personal Google account.”
“The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account,” said Talos. “After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing and MFA fatigue.”
The latter term refers to a technique, also known as push bombing, whereby a threat actor seeks to overwhelm a target by sending repeated push requests to their device “until the user accepts, either accidentally, or simply to silence the repeated push notifications they are receiving.”
“Once the attacker obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN,” said Talos.
This allowed the cyber-attackers to escalate their access privileges and infiltrate multiple systems operated by Cisco. At this point the company’s incident response team was alerted to the attack, which Talos said involved “remote access tools LogMeIn and TeamViewer [and] offensive security tools Cobalt Strike, PowerSploit, Mimikatz, and Impacket.”
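Both stages of the MFA abuse described above, the push fatigue and the subsequent enrollment of new devices before the VPN login, leave a pattern in authentication logs that a defender can look for. The following is an added example written for this article, not Cisco or Talos code: two small detection rules run over constructed sample log lines. The log format (`user=`, `event=`, `device=`, `result=` fields after an ISO timestamp), the user names, device IDs and the thresholds are all assumptions for the example.

```python
"""Detection of MFA push fatigue and new-device-then-VPN-login patterns.

Rule 1 (push fatigue): a user receives several push prompts in a short window,
most of them not approved, followed by an approval.
Rule 2 (new MFA device): a successful VPN login uses an MFA device that was
enrolled only minutes earlier.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real Cisco logs).
# Assumed format: "<ISO timestamp> user=<name> event=<type> [device=<id>] [result=<r>]"
SAMPLE_LOG = """\
2022-05-24T02:10:01Z user=alice event=mfa_push result=timeout
2022-05-24T02:10:31Z user=alice event=mfa_push result=timeout
2022-05-24T02:11:02Z user=alice event=mfa_push result=denied
2022-05-24T02:11:40Z user=alice event=mfa_push result=timeout
2022-05-24T02:12:15Z user=alice event=mfa_push result=timeout
2022-05-24T02:13:05Z user=alice event=mfa_push result=approved
2022-05-24T02:15:22Z user=alice event=mfa_enroll device=ios-7f3a
2022-05-24T02:16:40Z user=alice event=vpn_login device=ios-7f3a result=success
2022-05-24T09:00:00Z user=bob event=mfa_push result=approved
2022-05-24T09:00:30Z user=bob event=vpn_login device=android-01 result=success
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse all non-empty lines and return them sorted by timestamp."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=5), min_unapproved=4):
    """Return (user, approval_time, unapproved_count) for each approval that was
    preceded by at least `min_unapproved` non-approved pushes within `window`."""
    hits = []
    pushes_by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            pushes_by_user[e["user"]].append(e)
    for user, pushes in pushes_by_user.items():
        for i, e in enumerate(pushes):
            if e.get("result") != "approved":
                continue
            recent = [p for p in pushes[:i] if e["ts"] - p["ts"] <= window]
            unapproved = [p for p in recent if p.get("result") != "approved"]
            if len(unapproved) >= min_unapproved:
                hits.append((user, e["ts"], len(unapproved)))
    return hits


def detect_new_device_vpn(events, window=timedelta(hours=1)):
    """Return (user, device, age) for successful VPN logins whose MFA device
    was enrolled less than `window` before the login. Expects sorted events."""
    hits = []
    enrolled_at = {}  # (user, device) -> enrollment time
    for e in events:
        key = (e.get("user"), e.get("device"))
        if e.get("event") == "mfa_enroll":
            enrolled_at[key] = e["ts"]
        elif e.get("event") == "vpn_login" and e.get("result") == "success":
            t0 = enrolled_at.get(key)
            if t0 is not None and e["ts"] - t0 <= window:
                hits.append((e["user"], e["device"], e["ts"] - t0))
    return hits


def run(text=SAMPLE_LOG):
    """Run both rules over a log and return their hits keyed by rule name."""
    events = parse_log(text)
    return {
        "push_fatigue": detect_push_fatigue(events),
        "new_device_vpn": detect_new_device_vpn(events),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

On the sample data only `alice` trips both rules: five unapproved pushes in under five minutes before an approval, then a VPN login 78 seconds after a new device was enrolled. `bob`, who approves a single prompt from a long-known device, is not flagged. The thresholds are deliberately conservative; a single timed-out prompt is normal user behaviour, so the first rule keys on the run of denials and timeouts ending in an approval, which is the shape the fatigue technique produces.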
Cisco on high alert
Citing BleepingComputer, Black Hat Ethical Hacking group said the threat actors behind the cyberattack “claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files,” which it said were mostly “non-disclosure agreements, data dumps, and engineering drawings.”
Cisco said it hopes to use the incident as “an opportunity to learn, strengthen our resilience, and help the wider security community.”
It claims to have updated its cybersecurity products with “intelligence gained from observing the bad actor’s techniques,” and has notified the authorities of the breach.