
Cisco has confirmed that its network suffered a cyberattack last May. In a statement, the company acknowledged that it discovered a security incident affecting its corporate IT infrastructure on May 24. Although several internal company files were compromised as a result and the attackers published some of the company's information, Cisco says it found no ransomware on its systems.
The company also says it has blocked further attempts to access its networks since the breach, has taken measures to reinforce its defenses to prevent incidents of this kind in the future, and has shared technical details to help protect the wider security community. Those responsible have also indicated that they identified "no business impact as a result of this incident to Cisco products and services, sensitive customer data, or sensitive information about employees, intellectual property, or supply chain operations".
According to Cisco Talos, the company's threat intelligence division, the attack began when an employee's credentials were compromised: the attacker took control of the employee's personal Google account, to which the credentials saved in the browser had been synchronized.
Beyond the stolen password, the attacker used voice phishing (vishing), posing as trusted organizations, to persuade the user to accept fraudulent multi-factor authentication (MFA) push notifications. After repeated attempts one of these notifications was accepted, giving the attacker access to the VPN used by Cisco employees. This technique, commonly called MFA fatigue or push bombing, works against push-based MFA that lets a user approve a prompt they did not initiate; number matching or phishing-resistant factors such as FIDO2 security keys remove that one-tap approval, and a burst of unanswered prompts ending in an approval is the pattern worth alerting on.
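The push-fatigue pattern described above can be picked out of identity-provider logs. The following is an added example written for this article; it is not Cisco's or Cisco Talos's code and does not reflect their detection logic. It assumes a hypothetical JSON-lines log format (fields `ts`, `user`, `event`, `src_ip`, with `event` one of `push_denied`, `push_timeout`, `push_approved`), constructed sample data, and assumed thresholds (three or more unanswered or denied prompts within 15 minutes that end in an approval).

```python
"""Detect MFA push fatigue ("prompt bombing") in identity-provider logs.

Added example for this article; it is not Cisco's or Cisco Talos's code.
It assumes a hypothetical log format: one JSON object per line with
'ts' (UTC, ISO 8601), 'user', 'event' and 'src_ip', where 'event' is one
of push_denied, push_timeout or push_approved. The thresholds are also
assumptions: three or more unanswered or denied prompts inside 15 minutes
that end in an approval are treated as suspicious.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real Cisco data). alice answers a single
# prompt normally; bob is pushed repeatedly from one IP until he approves;
# carol denies one prompt and then approves, which stays under threshold.
SAMPLE_LOG = """\
{"ts": "2022-05-24T02:01:25Z", "user": "alice", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2022-05-24T02:10:30Z", "user": "bob", "event": "push_timeout", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T02:11:05Z", "user": "bob", "event": "push_denied", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T02:12:30Z", "user": "bob", "event": "push_timeout", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T02:13:30Z", "user": "bob", "event": "push_timeout", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T02:14:05Z", "user": "bob", "event": "push_denied", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T02:15:20Z", "user": "bob", "event": "push_approved", "src_ip": "203.0.113.5"}
{"ts": "2022-05-24T03:00:00Z", "user": "carol", "event": "push_denied", "src_ip": "192.0.2.44"}
{"ts": "2022-05-24T03:00:40Z", "user": "carol", "event": "push_approved", "src_ip": "192.0.2.44"}
"""

UNANSWERED = ("push_denied", "push_timeout")


def parse_log(text):
    """Parse JSON lines into dicts with 'ts' as a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, window=timedelta(minutes=15), min_unanswered=3):
    """Return one alert per approval that was preceded by at least
    min_unanswered denied/timed-out prompts for the same user inside window."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        recent = []  # unanswered prompts still inside the sliding window
        for e in evs:
            recent = [r for r in recent if e["ts"] - r["ts"] <= window]
            if e["event"] in UNANSWERED:
                recent.append(e)
            elif e["event"] == "push_approved":
                if len(recent) >= min_unanswered:
                    alerts.append({
                        "user": user,
                        "first_prompt": recent[0]["ts"].isoformat(),
                        "approved_at": e["ts"].isoformat(),
                        "unanswered": len(recent),
                        "src_ips": sorted({r["src_ip"] for r in recent}),
                    })
                recent = []  # an approval ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the constructed sample it reports a single alert for `bob` (five unanswered prompts from one source address before the approval) and nothing for `alice` or `carol`. In a real deployment the field names depend on the identity provider, and the alert is most useful when correlated with what follows the approval, such as a VPN session or a new MFA device enrolment from an unfamiliar address.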
The initial access appears to be the work of an initial access broker (IAB) with ties to the UNC2447 cybercriminal group, the Lapsus$ group, and the Yanluowang ransomware operators. Brokers of this kind specialize in breaching organizations and then selling that access to ransomware groups and other cybercriminals.
UNC2447, which specializes in ransomware, threatens to publish any compromising data it obtains from its victims and sells the information on hacker forums unless those affected pay the ransom demanded. Lapsus$ has been attacking high-profile targets in recent months using social engineering techniques. Yanluowang leaks the data it obtains and launches denial-of-service attacks against its target until the target pays to stop them.