Ransomware gang gained access to the company's VPN in May by convincing an employee to accept a multifactor authentication (MFA) push notification.

4 Min Read
Source: Stockphoto-graf via Alamy Stock Photo

Cisco has confirmed a breach of its network, where the attacker used voice phishing to convince an employee to accept a malicious multifactor authentication (MFA) push. The breach resulted in cyberattackers gaining access to the company's virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on Aug. 10.

The attacker compromised a Cisco employee's personal Google account, which gave them access to the worker's business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco's corporate VPN, the attacker attempted voice phishing, or vishing, and repeatedly pushed MFA authentication requests to the employee's phone. Eventually, the worker either inadvertently, or through alert fatigue, accepted the push request, giving the attacker access to Cisco's network.

Cisco acknowledged the incident in a brief press statement, maintaining that the company discovered the breach on May 24 but "did not identify any impact to our business as a result of the incident."

"[W]e took immediate action to contain and eradicate the bad actors, remediate the impact of the incident, and further harden our IT environment," a company spokesman said in the statement sent to Dark Reading. "No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident."

Breaches of technology companies have become commonplace, often as part of supply chain attacks. In one of the original supply chain attacks, in 2011, two state-sponsored groups linked to China compromised security vendor RSA to steal critical data underpinning the security of the company's SecurID tokens. In the most significant modern attack, the Russia-linked Nobelium group — which is Microsoft's designation — compromised SolarWinds and used a compromised update to compromise the company's clients.

The attack on Cisco likely had multiple goals, Ilia Kolochenko, founder of cybersecurity startup ImmuniWeb, said in a statement sent to Dark Reading.

"Vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks," he said, adding that "vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids."

While some security experts characterized the attack as "sophisticated," Cisco pointed out that it was a social-engineering play.

"The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," the Cisco Talos team stated in an analysis of the attack. "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN."

With access established, the attacker then tried to move through the network by escalating privileges and logging into multiple systems. The threat actor installed several tools, such as remote access software LogMeIn and TeamViewer, as well as offensive security tools, such as Cobalt Strike and Mimikatz, both in wide use by attackers.

In addition, the attacker had extensive access to Cisco's network, using the compromised account to access "a large number of systems" and compromised several Citrix servers to get privileged access to domain controllers, according to the Cisco Talos analysis. The attacker used already existing remote desktop protocol (RDP) accounts to access systems, removing firewall rules to prevent them from blocking access.

While Cisco maintains that the attackers did not impact its products, services, or sensitive customer or employee data, the company did acknowledge that on Aug. 10, the threat actors published a list of files stolen from the network during the incident. While the attackers demanded a ransom, according to one press report, Cisco stated that the attackers did not deploy ransomware. The threat actor did install a number of offensive tools and payload to a variety of systems on Cisco's network.

Cisco believes the threat actor is an initial access broker — an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web. The threat actor appears to have "ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators," Cisco's Talos group stated.

The threat actor, or its affiliates, spoke in English with various international accents and dialects, and claimed to be part of a support organization known to the worker, the targeted employee told Cisco, according to the Talos analysis.

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights