Unknown attackers penetrated Cisco's corporate network. Beforehand, they compromised the personal Google account of a Cisco employee and obtained the employee's VPN credentials. The ransomware group Yanluowang has claimed responsibility for the attack.
Cisco has confirmed a security incident in which the company's network was compromised. According to the report, the unknown perpetrators managed to steal an employee's login credentials and also bypass multi-factor authentication. With those credentials, the attackers ultimately obtained VPN access.
Cisco discovered the intrusion on 24 May. According to the company, the in-house Security Incident Response Team and Cisco Talos have since been working on containing and analysing the attack.
In the process, Cisco found that the attackers first broke into the employee's personal Google account and from there accessed the corporate VPN credentials that had been saved in the employee's browser.
Attack has no impact on Cisco’s business
According to Cisco, the VPN access was protected by multi-factor authentication. Through voice phishing, however, the criminals persuaded the victim to accept push notifications that the attackers themselves had triggered, which ultimately gave them access to the corporate network.
The attackers used this access to cover their tracks and to gain higher privileges than those of the compromised employee. According to Cisco, however, the attackers were successfully removed from the network, and subsequent attempts to get back in were blocked.
Cisco believes the attacker is a so-called initial access broker, who obtains access to corporate networks and then sells it to other cybercriminals. The broker in question is said to have links to a cybercrime gang called UNC2447, the hacking group Lapsus$ and the operators of the Yanluowang ransomware.
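The push-notification abuse described above is commonly called MFA fatigue or push bombing: the attacker already holds the password and simply keeps triggering prompts until the user accepts one. The following is an added example, not code from the original article and not Cisco's or Talos's own detection logic, showing how a defender can flag this pattern in identity-provider logs. The log format, the field names (user, event, result) and the sample lines are all constructed assumptions; the window and threshold are tuning knobs.

```python
"""
Flag MFA push-fatigue bursts in authentication logs.

Constructed example for illustration. The line format and field names are
assumptions; adapt parse_log() to the export format of your identity provider.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: a burst of push prompts to one user ending in an
# approval (the suspicious pattern), plus ordinary single approvals.
SAMPLE_LOG = """\
2022-05-24T07:58:01Z user=alice event=mfa_push result=denied
2022-05-24T07:58:40Z user=alice event=mfa_push result=denied
2022-05-24T07:59:15Z user=alice event=mfa_push result=timeout
2022-05-24T07:59:50Z user=alice event=mfa_push result=denied
2022-05-24T08:00:30Z user=alice event=mfa_push result=approved
2022-05-24T08:05:00Z user=bob event=mfa_push result=approved
2022-05-24T09:30:00Z user=alice event=mfa_push result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, user, result) for every mfa_push event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "mfa_push":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"]))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """
    Group each user's push prompts into bursts (all prompts within `window`
    of the first prompt in the burst). A burst with at least `threshold`
    prompts is reported as (user, start, end, prompt_count, approved), where
    `approved` is True if any prompt in the burst was accepted, i.e. the
    fatigue attempt very likely succeeded and the session should be reviewed.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = []
    for user, items in by_user.items():
        i, n = 0, len(items)
        while i < n:
            j = i
            while j + 1 < n and items[j + 1][0] - items[i][0] <= window:
                j += 1
            burst = items[i:j + 1]
            if len(burst) >= threshold:
                approved = any(result == "approved" for _, result in burst)
                alerts.append((user, burst[0][0], burst[-1][0], len(burst), approved))
            i = j + 1
    return alerts


if __name__ == "__main__":
    for user, start, end, count, approved in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        status = "APPROVED (review session)" if approved else "all rejected"
        print(f"{user}: {count} push prompts between {start:%H:%M:%S} and {end:%H:%M:%S}, {status}")
```

In the constructed sample this reports one burst of five prompts for alice ending in an approval, while bob's single prompt and alice's later isolated approval are not flagged. Number-matching or FIDO2 authenticators remove the "just tap accept" option entirely; this detection is the compensating control for push-based MFA that is still in use.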
“Cisco did not identify any impact of this incident on its business, including any impact on Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property or supply chain,” the company said. “On August 10, the attackers published a list of files from this security incident on the dark web.”
As BleepingComputer reports, the Yanluowang group has claimed responsibility for the intrusion. According to the report, it claims to have stolen 2.75 GBytes of data spread across around 3100 files, most of them said to be non-disclosure agreements and technical drawings. According to Cisco Talos, however, no files were encrypted in the Cisco network.