This Must Be Embarrassing… Cisco Admits To Being Pwned By Hackers

This really isn’t a good look if you’re Cisco.

Cisco yesterday confirmed a ransomware group known as Yanluowang breached their network in May, resulting in the group attempting to extort Cisco under the threat of leaking stolen files. Cisco has since revealed that the attackers only harvested and stole non-sensitive data from a Box folder linked to a compromised employee’s account. I am not sure if I buy that. But that’s the information that is out there from Cisco. Speaking of information, if you want to really go into the weeds, Cisco has additional information here that’s very much worth reading.

Sharon Nachshony, Security Researcher for Silverfort had this to say:

“The activity seen in the Cisco attack is a prime example of how an attacker can use lateral movement to progress from an initial toehold towards more high-risk internal targets.

Starting with a single set of stolen credentials the attacker was able to gain access into the Cisco VPN, pivot into the Citrix environment and eventually move to the domain controllers. Their use of PsExec in the attack was notable. Command line tools such as this are typically used by admins to remotely configure and troubleshoot – but in the hands of an attacker, and often unprotected, they have become a target of choice. This can be prevented by applying MFA to remote command tools to manage access and close down lateral movement.

More broadly, this is a sign of how lateral movement is being commoditized by initial access brokers. Focusing specifically on initial breach and accessing of target systems, they will then sell this compromised position on to other threat actors specializing in payloads and ransom activity.”
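
The VPN-to-Citrix-to-domain-controller chain described above leaves a recognizable trail in Windows event logs, and hunting for it is the first thing a defender can actually do. The block below is an added example of mine, not code from Cisco's write-up or from Silverfort. It runs over a handful of constructed Windows events (not real Cisco telemetry) flattened to dicts the way a SIEM or Sysmon-to-JSON pipeline presents them, and flags PsExec-style remote service execution. It goes a little beyond Sysinternals PsExec: clones such as Impacket's psexec.py use random service names, so the rule also correlates the .exe dropped into the ADMIN$ share (Security 5145) with the service install that follows (System 7045). The host names, IP, user, threshold and the list of known service names are assumptions for the example.

```python
"""Flag PsExec-style remote service execution in Windows event records.

Added example (not code from the Cisco report or from Silverfort).
Signals used:
  * System 7045   - a new service was installed. Sysinternals PsExec
    installs PSEXESVC; clones (Impacket psexec.py, PAExec) install a
    service whose binary was just written into the ADMIN$ share.
  * Security 5145 - a network share object was accessed: an .exe written
    into \\*\ADMIN$ from a remote host is the drop that precedes 7045.
Field names follow the Windows event XML data names; hosts, IPs, users
and the service-name list are assumptions for illustration.
"""

# Service names used by well-known PsExec implementations (assumed list).
KNOWN_SERVICE_NAMES = {"psexesvc", "paexec", "csexecsvc"}

# Constructed sample events, not real telemetry from the incident.
EVENTS = [
    {"EventID": 5145, "Computer": "dc01", "IpAddress": "10.20.30.40",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"},
    {"EventID": 7045, "Computer": "dc01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    # Impacket-style clone: random service name, same ADMIN$ drop pattern.
    {"EventID": 5145, "Computer": "ctx-srv2", "IpAddress": "10.20.30.40",
     "SubjectUserName": "jdoe", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": "kQzRtm.exe", "AccessMask": "0x2"},
    {"EventID": 7045, "Computer": "ctx-srv2", "ServiceName": "kQzRtm",
     "ImagePath": r"%SystemRoot%\kQzRtm.exe", "AccountName": "LocalSystem"},
    # Benign service install that must not be flagged.
    {"EventID": 7045, "Computer": "ws-001", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "AccountName": "LocalSystem"},
]


def admin_share_drops(events):
    """Map (computer, exe name lowercased) -> (source IP, user) for .exe files written to ADMIN$."""
    drops = {}
    for e in events:
        if e.get("EventID") != 5145:
            continue
        if not e.get("ShareName", "").upper().endswith("\\ADMIN$"):
            continue
        target = e.get("RelativeTargetName", "")
        # AccessMask 0x2 on a share object is WriteData/AddFile: a file was written.
        if target.lower().endswith(".exe") and e.get("AccessMask") == "0x2":
            drops[(e["Computer"], target.lower())] = (e.get("IpAddress"), e.get("SubjectUserName"))
    return drops


def detect_psexec(events):
    """Return findings for 7045 service installs that look like PsExec or a clone."""
    drops = admin_share_drops(events)
    findings = []
    for e in events:
        if e.get("EventID") != 7045:
            continue
        name = e.get("ServiceName", "")
        exe = e.get("ImagePath", "").split("\\")[-1].lower()
        reasons = []
        if name.lower() in KNOWN_SERVICE_NAMES:
            reasons.append(f"known PsExec service name {name}")
        dropped = drops.get((e["Computer"], exe))
        if dropped:
            reasons.append(f"binary {exe} written to ADMIN$ from {dropped[0]} as {dropped[1]}")
        if reasons:
            findings.append({"host": e["Computer"], "service": name,
                             "source_ip": dropped[0] if dropped else None,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_psexec(EVENTS):
        print(finding)
```

Both hits in the sample come from the same source address, which is the pivot the quote describes: one compromised account pushing a service binary to one host after another. In a real environment the 5145 correlation is the part worth keeping, because the service name is the easiest thing for an attacker to change.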

Given who Cisco is, this is pretty embarrassing. The damage to their reputation is going to be significant. That is part of the reason companies pay threat actors (even though they shouldn’t): they don’t want the damage to their reputation. While I do give Cisco credit for coming clean about this, they should not be in this position in the first place. But I guess it proves that any company can be pwned.

UPDATE: I have additional commentary from two sources.

Mike Pedrick, VP, Cybersecurity Consulting at Nuspire had this to say:

“As details emerge regarding the sequence of events that led to the breach of sensitive data from industry giant Cisco, it becomes clear that our employees are still our most vulnerable – and most often targeted – assets. By all appearances, Cisco was doing the right things by implementing VPN technologies and leveraging multifactor authentication for access. This is the baseline standard for prudent behavior on the part of any business and even the most paranoid of security consultants would nod their heads gently – if begrudgingly for some – in approval of the protocol.

But in this case, social engineering won out again.  After obtaining the victim’s credentials by compromising an unrelated system, attackers bombarded the victim’s mobile device with MFA Push notifications in the hopes that the victim would approve the authentication request.  Spoiler alert: they did.

If there’s a lesson to be learned from this latest breach, it’s similar to the last one and the one before that.  All organizations are at risk and attackers aren’t pulling their punches. Continue doing the right things and hope for the best but prepare for the worst and when things do go wrong, you’ll be more ready than if you assume your defenses – and people – are perfect.”
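
The push-bombing pattern Pedrick describes is also one of the easier things to catch in identity-provider logs, because a legitimate user does not receive five push challenges in ten minutes. The block below is an added example of mine, not code from Cisco or Nuspire. It parses a set of constructed key=value authentication log lines (the field names and format are assumptions, roughly what an IdP exports), finds bursts of push challenges to one user inside a sliding window, and raises the severity when the burst ends in an approval, which is exactly the moment fatigue succeeded. The usernames, source addresses, threshold and window are made up for the example.

```python
"""Detect MFA push bombing (MFA fatigue) in authentication logs.

Added example, not from the Cisco report or from Nuspire. The log lines
below are constructed; the key=value layout and event names are assumptions.
Rule: PUSH_THRESHOLD or more push challenges to one user inside WINDOW,
escalated to high severity when an approval lands after the burst.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: src=(?P<src>\S+))?")

# Tunables (assumptions): five pushes in ten minutes is far above normal usage.
PUSH_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: jdoe is bombed and finally approves; asmith is normal.
LOG = """\
2022-05-24T03:10:02Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T03:10:45Z user=jdoe event=push_denied src=203.0.113.7
2022-05-24T03:11:10Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T03:11:55Z user=jdoe event=push_timeout src=203.0.113.7
2022-05-24T03:12:30Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T03:13:20Z user=jdoe event=push_denied src=203.0.113.7
2022-05-24T03:14:05Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T03:14:50Z user=jdoe event=push_timeout src=203.0.113.7
2022-05-24T03:15:30Z user=jdoe event=push_sent src=203.0.113.7
2022-05-24T03:15:52Z user=jdoe event=push_approved src=203.0.113.7
2022-05-24T03:16:00Z user=jdoe event=vpn_login src=203.0.113.7
2022-05-24T08:00:00Z user=asmith event=push_sent src=198.51.100.9
2022-05-24T08:00:20Z user=asmith event=push_approved src=198.51.100.9
2022-05-24T09:30:00Z user=asmith event=push_sent src=198.51.100.9
2022-05-24T09:30:15Z user=asmith event=push_approved src=198.51.100.9
"""


def parse(log_text):
    """Parse key=value lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(d)
    return records


def detect_push_bombing(records, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return one alert per user whose push challenges exceed the threshold inside the window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        pushes = [r for r in recs if r["event"] == "push_sent"]
        start = 0
        # Sliding window over push_sent timestamps.
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                t0, t1 = pushes[start]["ts"], pushes[end]["ts"]
                # An approval after the last push of the burst means fatigue worked.
                approved = any(r["event"] == "push_approved" and r["ts"] >= t1 for r in recs)
                sources = sorted({r["src"] for r in pushes[start:end + 1] if r["src"]})
                alerts.append({"user": user, "pushes": count, "first": t0, "last": t1,
                               "approved_after_burst": approved, "sources": sources,
                               "severity": "high" if approved else "medium"})
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse(LOG)):
        print(alert)
```

The approved-after-burst flag is the actionable bit: a medium alert says someone is being hammered and the account should be protected, a high alert says the session that followed should be treated as the attacker's and revoked. Number matching on the push prompt removes the easy version of this attack, but the log rule still catches the attempts.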

Keatron Evans, principal security researcher at Infosec Institute, also had this to say:

“This is yet another example of no matter what controls you have in place, an end user having even a slight temporary lapse in judgement can bring the entire security palace crumbling down. From what I can deduce right now, Cisco had most of the right things in place; End user awareness training? Check. Multi-factor Authentication? Check. Robust endpoint detection and response? Check. But they were still compromised. This may also be one of the largest breaches involving vishing and smishing. As users combine more of their personal lives with work lives, especially technologically, we will see more of these attacks where it starts with the victim’s personal credentials and then leads to compromise of their corporate credentials.

Questions which have not been answered as of yet:

  • What type of data was taken? I ask this because 2.8 Gigabytes of internal training videos are likely less significant than 2.8 Gigabytes of proprietary Cisco source code.
  • If this happened in or before May and Cisco found out in May, why did disclosure take so long?
  • It has been stated multiple times that the TTPs, or tactics, techniques, and procedures, overlap with a couple of other threat actor groups, such as Lapsus$. As hackers/threat actors we “borrow” TTPs all the time if they’re effective. How sure is Cisco about these specific attributions and associations?
  • Although Cisco has made clear they feel they contained the threat and eradicated it, and blocked many attempts the threat actors made to get back in, has there been any post-incident threat hunting activity conducted based on the threat hypothesis that the threat actor group is still inside and moving horizontally?
  • How was Cisco alerted to the breach?
  • Was this end user working from home? Or in the office? If at home, would this attack have been less successful or prevented if the user were working from the office?”
