Cisco Talos attributes the intrusion to an initial access broker with ties to Lapsus$, UNC2447, and the Yanluowang ransomware gang.
Talos says the attacker first obtained control of a Cisco employee's personal Google account. The employee had browser credential synchronisation enabled, so the Cisco credentials saved in the browser were exposed along with it.
Those credentials still had to get past MFA. Talos states the attackers combined voice phishing, or "vishing", with repeated push prompts to "convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker".
Once a push was accepted, the attackers enrolled new devices for MFA, authenticated to Cisco's VPN, escalated privileges on compromised hosts, and established persistence through several remote access services. Talos calls this "pre-ransomware activity".
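The chain Talos describes (saved browser credentials, push prompts until one is accepted, then a new MFA device enrollment and a VPN login) leaves a recognisable trace in SSO and VPN logs. The following is an added example, not code from the Talos report or from Cisco. It runs two detections over a constructed, simplified log format (ISO timestamp, user, event name, src=IP) that is assumed here for illustration: an accept that follows a burst of push prompts within a short window, and a VPN login from an IP never seen for that user shortly after a new MFA device enrollment. The thresholds, event names and sample lines are all assumptions.

```python
"""Two detections for the MFA push abuse pattern described above.

Added example; the log format, event names and thresholds are assumptions,
not Cisco's or Talos's. Log lines are constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (hypothetical format): <ISO ts> <user> <event> src=<ip>
# Events: push_sent, push_denied, push_timeout, push_accepted,
#         device_enrolled, vpn_login
SAMPLE_LOG = """\
2022-05-20T14:00:00Z alice push_sent src=198.51.100.7
2022-05-20T14:00:09Z alice push_accepted src=198.51.100.7
2022-05-20T14:00:15Z alice vpn_login src=198.51.100.7
2022-05-24T01:02:11Z alice push_sent src=203.0.113.5
2022-05-24T01:02:41Z alice push_timeout src=203.0.113.5
2022-05-24T01:03:05Z alice push_sent src=203.0.113.5
2022-05-24T01:03:20Z alice push_denied src=203.0.113.5
2022-05-24T01:03:58Z alice push_sent src=203.0.113.5
2022-05-24T01:04:30Z alice push_timeout src=203.0.113.5
2022-05-24T01:05:12Z alice push_sent src=203.0.113.5
2022-05-24T01:05:20Z alice push_accepted src=203.0.113.5
2022-05-24T01:09:44Z alice device_enrolled src=203.0.113.5
2022-05-24T01:11:02Z alice vpn_login src=203.0.113.5
2022-05-24T08:30:00Z bob push_sent src=192.0.2.44
2022-05-24T08:30:07Z bob push_accepted src=192.0.2.44
2022-05-24T08:30:12Z bob vpn_login src=192.0.2.44
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, kind, src_field = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, user, kind, src_field.split("=", 1)[1]))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events: list[Event], window: timedelta = timedelta(minutes=10),
                       min_pushes: int = 3) -> list[dict]:
    """Flag a push_accepted preceded by >= min_pushes prompts inside `window`.

    A legitimate login normally needs one prompt; a burst of prompts that ends
    in an accept is the push-spamming signature Talos describes.
    """
    findings = []
    recent: dict[str, deque] = defaultdict(deque)  # user -> push_sent timestamps
    for e in events:
        q = recent[e.user]
        while q and e.ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if e.kind == "push_sent":
            q.append(e.ts)
        elif e.kind == "push_accepted":
            if len(q) >= min_pushes:
                findings.append({"user": e.user, "pushes": len(q),
                                 "accepted_at": e.ts, "src": e.src})
            q.clear()  # the accept closes this login attempt
    return findings


def detect_enroll_then_vpn(events: list[Event],
                           within: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Flag a vpn_login from an IP never seen for the user before, shortly
    after that user enrolled a new MFA device. Enrolling a device and then
    authenticating to the VPN is the next step Talos reports after the accept.
    """
    findings = []
    known_src: dict[str, set] = defaultdict(set)  # baseline of VPN source IPs per user
    last_enroll: dict[str, datetime] = {}
    for e in events:
        if e.kind == "device_enrolled":
            last_enroll[e.user] = e.ts
        elif e.kind == "vpn_login":
            t = last_enroll.get(e.user)
            if e.src not in known_src[e.user] and t is not None and e.ts - t <= within:
                findings.append({"user": e.user, "enrolled_at": t,
                                 "vpn_login_at": e.ts, "src": e.src})
            known_src[e.user].add(e.src)  # update baseline after the check
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_mfa_fatigue(evs) + detect_enroll_then_vpn(evs):
        print(f)
```

Run against the constructed log, only alice's 24 May session is flagged by both rules: four prompts in three minutes before the accept, then a VPN login from 203.0.113.5 within two minutes of a new device enrollment, while her earlier login from 198.51.100.7 and bob's single-prompt login pass. In a real SSO or VPN pipeline the push counts, the enrollment window and the per-user IP baseline would be tuned to the environment; the point is that each step of the chain is visible in logs an identity provider already emits.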
The attackers were evicted from Cisco's network before any ransomware was deployed. Talos said they made repeated attempts to regain access to the affected systems, but failed.
They did not leave empty-handed, however. Talos said the only successful exfiltration was the contents of "a non-sensitive Box folder from a compromised employee's account", together with "employee authentication data" from Active Directory.
BleepingComputer reports that the Yanluowang gang claims to have taken about 2.75GB of data, roughly 3,100 files, from that Box folder, including NDAs, data dumps, and engineering drawings.
Cisco Security said the breach had no impact on Cisco products or services, customer or employee data, intellectual property, or supply chain operations.
The Talos blog post documents the attackers' tactics, techniques, and procedures (TTPs) as well as indicators of compromise.