The company is now releasing .

Network equipment vendor Cisco has been the victim of a network intrusion. The company is providing insight into the attack by publishing the results of its investigation. According to Cisco, the attackers did not steal any sensitive data.

Search for clues

According to the analysis, Cisco noticed the breach in late May of this year and deployed its own security teams, CSIRT and Talos, to contain and investigate the attack. It turned out that the attackers had gained access to an employee's personal Google account. Password synchronization was active in that Google account, so the employee's Cisco credentials were also within the attackers' reach.

The attackers then tried to get the victim to approve multi-factor authentication (MFA) requests through phone calls and SMS messages. Among other things, they triggered a flood of MFA prompts so that the employee would either approve one by mistake or approve one simply to make the notifications stop (so-called MFA fatigue). At some point a request was indeed approved, and the attackers gained access to Cisco's VPN.
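MFA fatigue leaves a recognizable trace in authentication logs: a burst of denied or expired prompts for one user, followed by an approval. The following detection logic is an added example written for this article, not code from Cisco or from the original report. The log format (timestamp, user, channel, result) and the sample lines are constructed; the window and threshold are assumptions to tune against your own MFA provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log in a hypothetical format:
# <ISO timestamp> <user> <channel> <result>
# alice receives six unapproved prompts in eight minutes, then approves one.
SAMPLE_LOG = """\
2022-05-24T02:01:10Z alice push denied
2022-05-24T02:01:40Z alice push timeout
2022-05-24T02:02:15Z alice sms timeout
2022-05-24T02:03:00Z alice push denied
2022-05-24T02:04:30Z alice push timeout
2022-05-24T02:06:50Z alice push denied
2022-05-24T02:09:05Z alice push approved
2022-05-24T08:58:00Z carol push timeout
2022-05-24T08:59:10Z carol push approved
2022-05-24T09:00:00Z bob push approved
"""


def parse_mfa_log(text):
    """Parse the constructed log format into (timestamp, user, channel, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, channel, result))
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag MFA push-bombing patterns per user.

    Two alert kinds are produced:
      ("prompt_flood", user, ts, n)         - the n-th unapproved prompt inside `window`
      ("approved_after_flood", user, ts, n) - an approval preceded by n >= threshold
                                              unapproved prompts inside `window`
    Alerting on the flood itself matters: the defender should react before
    the victim gives in, not only after the approval succeeds.
    """
    recent = defaultdict(deque)  # per-user timestamps of unapproved prompts
    alerts = []
    for ts, user, channel, result in sorted(events):
        q = recent[user]
        # drop prompts that fell out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                alerts.append(("approved_after_flood", user, ts, len(q)))
            q.clear()  # an approval ends the current burst
        else:
            q.append(ts)
            if len(q) == threshold:  # fire once when the burst crosses the threshold
                alerts.append(("prompt_flood", user, ts, len(q)))
    return alerts


def run_example():
    return detect_mfa_fatigue(parse_mfa_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, ts, n in run_example():
        print(f"{ts.isoformat()} {kind:22} user={user} unapproved_prompts={n}")
```

With the sample data this yields a `prompt_flood` alert for alice at the fifth unapproved prompt and an `approved_after_flood` alert at 02:09:05 with six prior prompts; carol (one timeout, then approval) and bob (a clean approval) produce nothing. In production the approval alert is the one to escalate: it means the session that just came up on the VPN is probably the attacker's.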

This gave the attackers their initial access. They immediately set about moving further into the network and reconnoitring it. Among other things, they enrolled additional devices of their own for MFA, and they escalated to administrative privileges, which allowed them to log on to further systems. At this point the Cisco Security Incident Response Team (CSIRT) was alerted.

Attackers install numerous tools

The forensic investigators found a large number of tools used by the attackers. By then, the intruders had already installed remote access software such as LogMeIn and TeamViewer, as well as offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket. They had also set up backdoor accounts with administrator rights and persistence mechanisms to maintain a permanent foothold.

During the attack, Cisco's security team observed several attempts to exfiltrate information about the environment. The only evidence of successful exfiltration concerned the contents of a Box folder (a cloud storage service). The folder was associated with the compromised employee's account and their Active Directory credentials. The company states that it contained no sensitive information.

After the attack had been repelled and countermeasures taken, the security team observed further access attempts for several weeks in which the attackers tried to regain entry to the network. Above all, they relied on weak password changes: after a mandatory reset, employees often change only about one character at the end of the old password. At first the attackers used anonymization services such as Tor, later switching to compromised systems in the USA.
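The follow-up attempts above exploit a gap that password-history checks cannot close: comparing a new password against stored hashes of old ones only catches exact reuse, not "Winter2022!" becoming "Winter2023!". The check has to run at change time, when the user submits the old password in plaintext alongside the new one. The following function is an added example written for this article, not Cisco's code or the original report's; the edit-distance threshold and the suffix-stripping rule are assumptions that a deployment would tune.

```python
import re


def levenshtein(a, b):
    """Edit distance between strings a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _stem(password):
    """Lower-case the password and strip any trailing digits/symbols.

    Turns "Welcome1!" and "Welcome99#" into the same stem "welcome", so that
    swapping the year, counter or punctuation at the end is detected.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_trivial_change(old, new, max_distance=2):
    """True if `new` is only a cosmetic mutation of `old`.

    Rejects: identical passwords, anything within `max_distance` edits
    (e.g. one character bumped at the end, a case flip, two appended digits),
    and passwords that share the same stem once the trailing suffix is removed.
    Call this at password-change time, where the old password is available;
    stored hashes cannot support this comparison.
    """
    if old == new:
        return True
    if levenshtein(old, new) <= max_distance:
        return True
    stem = _stem(old)
    if stem and stem == _stem(new):
        return True
    return False


def validate_change(old, new):
    """Return (accepted, reason) as a password-change endpoint would."""
    if is_trivial_change(old, new):
        return False, "new password is too similar to the old one"
    return True, "ok"


if __name__ == "__main__":
    # constructed examples
    for old, new in [("Winter2022!", "Winter2023!"),
                     ("Welcome1!", "Welcome99#"),
                     ("Winter2022!", "tangent-otter-cobalt-57")]:
        print(old, "->", new, validate_change(old, new))
```

The stem rule catches the "change the suffix" habit the article describes even when the suffix grows by several characters; the edit-distance rule catches single-character bumps and case flips anywhere in the string. Neither replaces a breached-password list or length requirements, which address a different weakness.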

International connections

The attackers contacted Cisco executives by email, in some cases attaching screenshots of the Box folder's contents. The emails, however, contained no concrete demands for money and no threats.

The forensic investigators conclude that a criminal group acting as a so-called Initial Access Broker (IAB) is most likely behind the attack. Such groups sell the access they obtain to other criminal gangs; in this case, the group has connections to the Lapsus$ gang and to the group UNC2447, which in turn has ties to Russia. Although no ransomware was deployed, Cisco also found earlier connections between the attackers and the Yanluowang ransomware gang.

According to the company, the intruders had no access to critical systems such as development systems or those used for code signing. In its detailed analysis, Cisco also publishes Indicators of Compromise (IoCs), a classification of the attack techniques according to MITRE ATT&CK, the attackers' observed IP addresses, and domains they registered, for example for phishing attacks on employees.

