Analysis shows attackers breached employee credentials with voice phishing and were preparing a ransomware attack against Cisco Systems.
A month after confirming its systems were breached, networking giant Cisco reported that the attack was a failed ransomware attempt conducted on behalf of the Lapsus$ group.
The cybercriminals obtained access to Cisco's systems with a social engineering attack that began with an attacker taking control of an employee's personal Google account, where credentials saved in the victim’s browser were being synchronized. Then, in a series of sophisticated voice phishing attacks, the gang convinced the victim to accept multifactor authentication (MFA) push notifications, giving crooks the ability to log in to the corporate VPN as if they were the victim.
From there, the attackers were able to compromise Cisco systems, elevate privileges, drop remote access tools, deploy Cobalt Strike and other offensive malware, and add their own backdoors into the system.
"Based upon artifacts obtained, tactics, techniques, and procedures (TTPs) identified, infrastructure used, and a thorough analysis of the backdoor utilized in this attack, we assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to both UNC2447 and Lapsus$," the Cisco Talos team explained in a Sept. 11 update on the August breach. "While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity,' activity commonly observed leading up to the deployment of ransomware in victim environments."
About the Author(s)
You May Also Like
The fuel in the new AI race: Data
April 23, 2024Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024