Cisco said on Wednesday it was the target of a cyberattack in May, but said the attackers were unsuccessful in their attempts to steal sensitive information or interfere with business operations.
“On May 24, 2022, Cisco identified a security incident targeting Cisco’s enterprise IT infrastructure, and we took immediate action to contain and root out the bad actors,” the company said in an online post.
After learning of the breach, it effectively blocked attempts to access its network, Cisco said.
An investigation into the security incident revealed that a Cisco employee’s credentials were compromised after an attacker took over a personal Google account where the credentials were stored in the victim’s browser.
The attacker used a series of sophisticated voice phishing attempts to impersonate multiple reputable companies in an attempt to convince the victim to accept targeted multi-factor authentication (MFA) notifications that the attacker launched.
Ultimately, the attacker was successful, giving them access to the VPN in the context of the target user.
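The initial-access path described above (repeated MFA push notifications paired with voice phishing until the victim accepts one) leaves a recognisable trace in identity-provider logs: a burst of push prompts for one user, several denials, then an approval. The following script, an added example that is not part of the original article or of Cisco's report, shows one way a defender can hunt for that pattern. The log format, user names and thresholds are constructed for illustration; adapt `parse_mfa_log()` to your own IdP's export.

```python
"""Detect MFA push-fatigue ("prompt bombing") patterns in authentication logs.

Added example, not from Cisco's report. The log format below is constructed for
illustration; adapt parse_mfa_log() to your IdP's export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, user, event, result.
# alice: four prompts in two minutes, three denials, then an approval (suspicious).
# bob:   one prompt, approved (normal).
# carol: one denial, then an approval two hours later (normal, not a burst).
SAMPLE_MFA_LOG = """\
2022-05-24T09:01:02Z alice push_sent pending
2022-05-24T09:01:05Z alice push_result denied
2022-05-24T09:01:40Z alice push_sent pending
2022-05-24T09:01:44Z alice push_result denied
2022-05-24T09:02:10Z alice push_sent pending
2022-05-24T09:02:15Z alice push_result denied
2022-05-24T09:02:50Z alice push_sent pending
2022-05-24T09:03:01Z alice push_result approved
2022-05-24T09:05:00Z bob push_sent pending
2022-05-24T09:05:04Z bob push_result approved
2022-05-24T11:30:00Z carol push_sent pending
2022-05-24T11:30:09Z carol push_result denied
2022-05-24T13:15:00Z carol push_sent pending
2022-05-24T13:15:06Z carol push_result approved
"""


def parse_mfa_log(text):
    """Parse the constructed log format into sorted (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(events)


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: details} for users who received at least `min_prompts` pushes
    inside any `window`-long span and then approved a push after denying earlier ones.

    A lone denial followed much later by an approval is ordinary user behaviour and
    is deliberately not flagged; the combination of burst + denials + approval is
    what characterises a fatigue attack that eventually succeeded."""
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        by_user[user].append((ts, event, result))

    findings = {}
    for user, evs in by_user.items():
        prompts = [ts for ts, ev, _ in evs if ev == "push_sent"]

        # Largest number of prompts that fall inside any window-long span.
        burst = 0
        for i, start in enumerate(prompts):
            burst = max(burst, sum(1 for ts in prompts[i:] if ts - start <= window))

        # Denials that precede the first approval (events are time-ordered).
        denials_before_approval = 0
        approved = False
        for _, ev, result in evs:
            if ev != "push_result":
                continue
            if result == "denied":
                denials_before_approval += 1
            elif result == "approved":
                approved = True
                break

        if burst >= min_prompts and denials_before_approval >= 1 and approved:
            findings[user] = {
                "prompts_in_window": burst,
                "denials_before_approval": denials_before_approval,
            }
    return findings


if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_mfa_log(SAMPLE_MFA_LOG)).items():
        print(f"possible MFA fatigue: user={user} {info}")
```

On the constructed sample only `alice` is reported (four prompts inside the window, three denials, then an approval). In production, an alert like this is a trigger to revoke the session and VPN token issued by that approval and to contact the user out of band; pairing it with number matching or a hardware-backed second factor removes the "just tap approve" path the prompts rely on.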
After gaining a foothold in Cisco’s corporate network, the threat actors expanded laterally to Citrix servers and domain controllers. They entered the Citrix environment, compromised a number of Citrix servers and finally gained privileged access to domain controllers.
After taking control of the domain, they deployed a number of payloads to the infected devices and used enumeration tools to gather additional data.
Cisco eventually discovered the attackers and kicked them out of its environment, but they continued to try to regain access in the following weeks.
They also made repeated attempts to contact the organization’s executives via email, but made no explicit demands or threats of blackmail.
One of the emails included a snapshot of the directory listing for previously exfiltrated Box data. BleepingComputer says the executives also received a directory listing of the data the threat actors allegedly took during the attack, and that the attackers allegedly stole approximately 3,100 files totaling 2.75 GB.
On August 10, the extortionists disclosed the Cisco breach on their data leakage website, posting a list of the files they claimed to have stolen from Cisco’s systems.
However, Cisco says the stolen data was non-sensitive information from a Box account associated with a compromised employee.
According to Cisco, the attack did not appear to involve ransomware payloads. The company also said there was no evidence that this event had any impact on its business, including products or services, intellectual property, sensitive customer or employee data, or supply chain operations.
Cisco said it has moderate to high confidence that the initial attack was carried out by an actor previously identified as an Initial Access Broker (IAB) with links to the Lapsus$ threat group, the Yanluowang ransomware operators and the UNC2447 gang.
In addition to a number of other responses to the attacks, the company said it has contacted law enforcement and is reviewing cyber training for its employees.
“Given the actor’s demonstrated ability to use a wide range of techniques to gain initial access, user education is also a key part of countering MFA bypass techniques,” Cisco said.
“Equally important to implementing MFA is ensuring that employees are trained on what to do and how to respond if they receive misdirected requests on their respective phones.”