Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online.
The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee’s account.
“Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors,” a Cisco spokesperson told BleepingComputer.
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.
“On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”
Stolen employee credentials used to breach Cisco’s network
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser.
The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations.
MFA fatigue is an attack tactic where threat actors send a constant stream of multi-factor authentication requests to annoy a target in the hopes that they will finally accept one to stop them from being generated.
The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
“They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers,” Cisco Talos said.
After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor malware.
Ultimately, Cisco detected and evicted the attackers from its environment, but they continued trying to regain access over the following weeks.
“After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment,” Cisco Talos added.
“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
To help network admins and security professionals detect the malware used in the attack, Cisco created two new ClamAV detections for the backdoor and a Windows exploit used for privilege elevation.
While Cisco provided some information on the backdoor and how it was used to remotely execute commands, their writeup does not mention any info on the exploit executable that was discovered.
However, according to detections on VirusTotal, the exploit is for CVE-2022-24521, a Windows Common Log File System Driver Elevation of Privilege vulnerability, reported by the NSA and CrowdStrike to Microsoft and patched in April 2022.
While the threat actor attempted to use this exploit to raise privileges on Cisco’s network, the company told BleepingComputer that the attempts were unsuccessful.
Hackers claim to steal data from Cisco
Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack.
The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.
The threat actors also sent a redacted NDA document stolen in the attack to BleepingComputer as proof of the attack and a “hint” that they breached Cisco’s network and exfiltrated files.
Today, the extortionists announced the Cisco breach on their data leak site and published the same directory listing previously sent to BleepingComputer.
No ransomware deployed on Cisco’s systems
Cisco also said that, even though the Yanluowang gang is known for encrypting their victims’ files, it found no evidence of ransomware payloads during the attack.
“While we did not observe ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” Cisco Talos added in a separate blog post published on Wednesday.
“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”
The Yanluowang gang has also claimed to have recently breached the systems of American retailer Walmart who denied the attack, telling BleepingComputer that it found no evidence of a ransomware attack.
August 14th update
Hackers say they stole Cisco source code
After publishing this story, the threat actor behind the breach told BleepingComputer that they stole source code during the cyberattack.
As proof, the hackers shared a screenshot of a VMware vCenter administrator console at a cisco.com URL. This vCenter dash shows numerous virtual machines, including one named as a GitLab server used by Cisco’s CSIRT.
However, Cisco states that they have no evidence that source code was stolen during the attack.