Archive for August 11, 2022

This Must Be Embarrassing…. Cisco Admits To Being Pwned By Hackers

Posted in Commentary with tags on August 11, 2022 by itnerd

This really isn’t a good look if you’re Cisco.

Cisco yesterday confirmed a ransomware group known as Yanluowang breached their network in May, resulting in the group attempting to extort Cisco under the threat of leaking stolen files. Cisco has since revealed that the attackers only harvested and stole non-sensitive data from a Box folder linked to a compromised employee’s account. I am not sure if I buy that. But that’s the information that is out there from Cisco. Speaking of information, if you want to really go into the weeds, Cisco has additional information here that’s very much worth reading.

Sharon Nachshony, Security Researcher for Silverfort had this to say:

    “The activity seen in the Cisco attack is a prime example of how an attacker can use lateral movement to progress from an initial toehold towards more high-risk internal targets.

Starting with a single set of stolen credentials the attacker was able to gain access into the Cisco VPN, pivot into the Citrix environment and eventually move to the domain controllers. Their use of PsExec in the attack was notable. Command line tools such as this are typically used by admins to remotely configure and troubleshoot – but in the hands of an attacker, and often unprotected, they have become a target of choice. This can be prevented by applying MFA to remote command tools to manage access and close down lateral movement.

More broadly, this is a sign of how lateral movement is being commoditized by initial access brokers. Focusing specifically on initial breach and accessing of target systems, they will then sell this compromised position on to other threat actors specializing in payloads and ransom activity.

Given that who Cisco is, this is pretty embarrassing. The damage to their reputation is going to be significant. Which is part of the reason why companies pay threat actors (even though they shouldn’t) as they don’t want the damage to their reputation. While I do give Cisco credit for coming clean about this, they should not be in this position in the first place. But I guess it proves that any company can be pwned.

UPDATE: I have additional commentary from two sources.

Mike Pedrick, VP, Cybersecurity Consulting at Nuspire had this to say:

“As details emerge regarding the sequence of events that lead to the breach of sensitive data from industry giant Cisco, it becomes clear that our employees are still our most vulnerable – and most often targeted – assets.  By all appearances, Cisco was doing the right things by implementing VPN technologies and leveraging multifactor authentication for access.  This is the baseline standard for prudent behavior on the part of any business and even the most paranoid of security consultants would nod their heads gently – if begrudgingly for some – in approval of the protocol.

But in this case, social engineering won out again.  After obtaining the victim’s credentials by compromising an unrelated system, attackers bombarded the victim’s mobile device with MFA Push notifications in the hopes that the victim would approve the authentication request.  Spoiler alert: they did.

If there’s a lesson to be learned from this latest breach, it’s similar to the last one and the one before that.  All organizations are at risk and attackers aren’t pulling their punches. Continue doing the right things and hope for the best but prepare for the worst and when things do go wrong, you’ll be more ready than if you assume your defenses – and people – are perfect.”

Keatron Evans, principal security research at Infosec Institute also had this to say:

“This is yet another example of no matter what controls you have in place, an end user having even a slight temporary lapse in judgement can bring the entire security palace crumbling down. From what I can deduce right now, Cisco had most of the right things in place; End user awareness training? Check.  Multi-factor Authentication? Check. Robust endpoint detection and response? Check.  But they were still compromised. This may also be one of the largest breaches involving vishing and smishing.  As users combine more of their personal lives with work lives, especially technologically, we will see more of these attacks whereas it starts with the victim’s personal credentials and then leads to compromise of their corporate credentials. 

Questions which have not been answered as of yet:

  • What type of data was taken? I ask this because 2.8 Gigabytes of internal training videos likely less significant than 2.8 Gigabytes of proprietary Cisco source code. 
  • If this happened in or before May and Cisco found out in May, why did disclosure take so long? 
  • It has been stated multiple times that the TTPs or tactics, techniques, and procedures, overlap with a couple of other threat actor groups, such as Lapsus$; As hackers/threat actors we “borrow” TTPs all the time if they’re effective. How sure is Cisco about these specific attributions and associations?
  • Although Cisco has made clear they feel they contained the threat and eradicated it, and blocked many attempts the threat actors made to get back in. Has there been any post incident threat hunting activities conducted based on the threat hypothesis that the threat actor group is still inside and moving horizontally?
  • How was Cisco alerted to the breach? 
  • Was this end-user working from home? Or in the office?  If at home, would this attack have been less successful or prevented if the user were working from the office?”

Virgin Plus Now Offers Certified Pre-Loved Mobile Phones

Posted in Commentary with tags on August 11, 2022 by itnerd

Virgin Plus Members now have more options than ever when choosing a mobile phone, whether upgrading, replacing or getting for the first time. Available online only, Members can select from a variety of certified pre-loved mobile phones, in addition to brand-new devices already available. 

For many Members, their mobile phone is indispensable in their daily lives and how they consume most of their content, so it’s important they select the right one for them. Virgin Plus pre-loved mobile phones come with many features in “like new” and “gently used” conditions. These devices offer Members a planet and budget friendly option by extending the lifespan of smartphones and keeping them out of landfills, while getting a premium mobile phone for less than Virgin Plus’ market price.

Virgin Plus is providing Members with more device options so they can get what they want and spend more time doing what they love. Features for pre-loved mobile phones include:

  • Members can choose from some of Virgin Plus’ most popular mobile phones, now offered in “like new” and “gently used” conditions.
  • All mobile phones are backed by a 1-Year Virgin Plus warranty. In addition, these devices are subject to standard return policy.
  • Members have the option to purchase their pre-loved mobile phones outright or with a 2-year Sweet Pay™ installment plan.
  • Available for new and existing Members, and sold online only.

For more details on Virgin Plus’ certified pre-loved mobile phones, please visit

There’s A Lot Of News Coming Out Of TELUS…. And I Do Mean A Lot

Posted in Commentary with tags on August 11, 2022 by itnerd

The announcements from TELUS continue to roll in. Today alone there are five announcements coming out of the Canadian Telco. Let’s start with the biggest one (in my opinion). TELUS is Canada’s most awarded network by Opensignal for the 11th consecutive time. TELUS has been named Canada’s best network for consistent mobile network quality, taking home six Mobile Network Experience Awards and three 5G Experience Awards which highlights the sort of investments that TELUS is making on their network.

And when it comes to investing in their network, that’s where the other four announcements come in:

That’s a lot of money that TELUS is spending. But seeing as they’re consistently winning awards for their network, it’s clearly money well spent.

You Can Now Use A Contactless Payment Method To Pay For GO Transit, Brampton Transit, MiWay, & Oakville Transit

Posted in Commentary with tags on August 11, 2022 by itnerd

There was news from Metrolinx which runs public transit in Greater Toronto and Hamilton area that you can use a contactless payment method to pay for transit. Meaning a debit or credit card, or Apple Pay, Google Pay. Now this is only supported at this point on GO Transit, Brampton Transit, MiWay, & Oakville Transit. But support for more transit systems is promised. This adds to support that is already in place for the UP Express which is Toronto’s express train from Person Airport to downtown.

You can find out more about this announcement here. But I for one will not be using this. Not only do I already have a Presto Card which makes this announcement irrelevant to me, Metrolinx has a pretty craptastic history of rolling this stuff out as evidenced here. What I would like to see Metrolinx do is roll out support for having your Presto card in your Apple Wallet for example as that would likely be more appealing to many. But seeing as this is a feature that has been desired by many for years and Metrolinx seems not to be interested in doing it, I am not going to hold my breath for that.

Best Buy Spoofed as Hackers Use Google Storage To Launch Email Phishing Campaign: Avanan

Posted in Commentary with tags on August 11, 2022 by itnerd

Avanan, A Check Point Company, released this week’s Attack Brief: Best Buy Spoof Uses Google Storage to Launch Phishing Attack in which hackers are spoofing Best Buy, yet another popularly impersonated brand. 

The most interesting piece about this attack is that the threat actors use Google Storage to host websites, which enable the hackers to deploy the phishing campaign and enable them to gain access into the victim’s email inboxes. 

You can find the report here: Given that I have come across other Best Buy scams in the past, this attack brief is worth reading so that you don’t become a victim.