Networking giant Cisco confirms a data breach in which hackers repeatedly attempted to gain access to the Silicon Valley firm’s corporate network.
“Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors,” a Cisco spokesperson told BleepingComputer.
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser.
The attackers then worked to get the employee to accept multi-factor authentication (MFA) push notifications, combining MFA fatigue (a stream of repeated push prompts sent until the target gives in) with a series of sophisticated voice phishing calls in which the Yanluowang gang impersonated trusted support organizations.
The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
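The pattern described above, many push prompts to one user in a short window followed by a single approval, is detectable on the identity provider side. The following is an added example, not code from the article or from Cisco Talos: it assumes a hypothetical JSON-lines export of MFA events with `ts`, `user` and `event` fields, and the sample log is constructed to reproduce a fatigue attack beside a normal login.

```python
"""Detect MFA push fatigue from IdP authentication logs.

Added example (not from the article or Cisco Talos). The log format,
event names and thresholds are assumptions, not any vendor's schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "jdoe" is hammered with pushes, denies or times out
# on most of them, then approves one; "asmith" is a normal single login.
SAMPLE_LOG = """\
{"ts": "2022-05-24T09:00:05Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:00:20Z", "user": "jdoe", "event": "mfa.push.denied"}
{"ts": "2022-05-24T09:01:10Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:01:30Z", "user": "jdoe", "event": "mfa.push.denied"}
{"ts": "2022-05-24T09:02:00Z", "user": "asmith", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:02:10Z", "user": "asmith", "event": "mfa.push.approved"}
{"ts": "2022-05-24T09:02:15Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:02:40Z", "user": "jdoe", "event": "mfa.push.timeout"}
{"ts": "2022-05-24T09:03:05Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:03:25Z", "user": "jdoe", "event": "mfa.push.denied"}
{"ts": "2022-05-24T09:04:00Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:04:30Z", "user": "jdoe", "event": "mfa.push.denied"}
{"ts": "2022-05-24T09:05:10Z", "user": "jdoe", "event": "mfa.push.sent"}
{"ts": "2022-05-24T09:05:45Z", "user": "jdoe", "event": "mfa.push.approved"}
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
PUSH_THRESHOLD = 5               # assumed: 5 pushes in the window is abnormal


def parse_line(line):
    """Parse one JSON log line; timestamps are ISO 8601 in UTC."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(lines, window=WINDOW, threshold=PUSH_THRESHOLD):
    """Return alerts as (user, kind, timestamp, pushes_in_window).

    'push_flood' fires when a user crosses the push threshold inside the
    window; 'approval_after_flood' fires when an approval arrives while
    the window still holds at least `threshold` pushes, which is the
    moment the attacker actually gets in.
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes still in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        pushes = recent[user]
        if event == "mfa.push.sent":
            pushes.append(ts)
        # Expire pushes that have fallen out of the sliding window.
        while pushes and ts - pushes[0] > window:
            pushes.popleft()
        if event == "mfa.push.sent" and len(pushes) == threshold:
            alerts.append((user, "push_flood", ts, len(pushes)))
        elif event == "mfa.push.approved" and len(pushes) >= threshold:
            alerts.append((user, "approval_after_flood", ts, len(pushes)))
    return alerts


if __name__ == "__main__":
    for user, kind, ts, count in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {user}: {kind} ({count} pushes in window)")
```

The second alert kind is the one worth paging on: a flood that ends in denial is a user being harassed, while an approval at the end of a flood is a session that should be terminated and the user's credentials and Google-synced passwords rotated.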
Once they gained a foothold on the company's corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
"They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers," Cisco Talos said.
After gaining domain admin, they used ntdsutil and secretsdump to dump credential material from Active Directory and adfind to enumerate the domain, and installed a series of payloads onto compromised systems, including a backdoor.
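Each of the three tools named above leaves a recognizable command line in process-creation telemetry on the host where it runs. The following is an added example, not code from the article or from Cisco Talos: it assumes a hypothetical Sysmon-like JSON-lines feed with `host`, `user`, `image` and `cmdline` fields, and the sample events are constructed to include one hit per tool and two benign commands.

```python
"""Flag NTDS credential dumping and AD enumeration in process-creation logs.

Added example (not from the article or Cisco Talos). The event schema is
assumed; the rules encode well-known invocations of ntdsutil, secretsdump
and adfind, not a complete signature set.
"""
import json
import re

# Constructed sample events (JSON escaping: "\\" is a single backslash).
SAMPLE_EVENTS = r"""
{"host": "dc01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\x\" q q"}
{"host": "dc01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"host": "ws07", "user": "CORP\\jdoe", "image": "C:\\Tools\\AdFind.exe", "cmdline": "AdFind.exe -f \"(objectcategory=person)\" -dn"}
{"host": "dc01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil.exe \"roles\" \"connections\""}
{"host": "ws07", "user": "CORP\\jdoe", "image": "C:\\Python39\\python.exe", "cmdline": "python.exe secretsdump.py -just-dc corp/admin@dc01"}
"""

# (label, image-name pattern, command-line pattern); matched case-insensitively.
RULES = [
    ("ntdsutil_ifm_dump",
     r"ntdsutil(\.exe)?$",
     r"(ac(tivate)?\s+i(nstance)?\s+ntds|\bifm\b|create\s+full)"),
    ("secretsdump",
     r"(python[\d.]*(\.exe)?|secretsdump(\.py|\.exe)?)$",
     r"(secretsdump|-just-dc|-ntds\s)"),
    ("adfind_enum",
     r"adfind(\.exe)?$",
     r"(objectcategory=|-sc\s+(trustdmp|admincountdmp)|-f\s)"),
]


def match_event(event):
    """Return the labels of every rule whose image and cmdline patterns both hit."""
    image = event.get("image", "")
    cmdline = event.get("cmdline", "")
    return [label for label, img_re, cmd_re in RULES
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]


def scan(lines):
    """Scan JSON-lines process events; return (host, user, label) per hit."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for label in match_event(event):
            alerts.append((event["host"], event["user"], label))
    return alerts


if __name__ == "__main__":
    for host, user, label in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{host} {user}: {label}")
```

The ntdsutil rule only fires on the IFM/`create full` form that writes a copy of NTDS.dit to disk, so routine `ntdsutil roles` maintenance on the same domain controller does not alert; pairing any hit on a domain controller with a non-admin workstation as the source of the session is the lateral-movement signal the article describes.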
Ultimately, Cisco noticed and evicted them from its environment, but they continued attempting to regain access over the subsequent weeks.
"After obtaining initial access, the threat actor conducted various activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment," Cisco Talos added.
"The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access following the attack; however, these attempts were unsuccessful."
"Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.
"On August 10 the bad actors published a list of files from this security incident on the dark web. We have also implemented additional measures to safeguard our systems and share technical details to help protect the wider security community."