The leading manufacturer of networking equipment, Cisco, acknowledged on Wednesday that it had been the target of a cyberattack on May 24, 2022. The attackers had gained access to an employee’s personal Google account, which contained passwords synchronized from their web browser. According to a detailed report by Cisco Talos, the compromise of that personal Google account provided initial access to the Cisco VPN: the user had saved their Cisco credentials in the browser and enabled Google Chrome’s password synchronization feature, so those credentials were synced to the Google account.
The information was released on August 10, the same day that cybercriminals linked to the Yanluowang ransomware gang posted a list of files from the hack on their data leak site. According to Talos, the stolen material included the contents of a Box cloud storage folder associated with the account of the targeted employee; Talos does not believe the folder contained any sensitive information. Alongside the credential theft, there was a phishing component in which the attacker used techniques such as vishing (voice phishing) and multi-factor authentication (MFA) fatigue to trick the victim into granting access to the VPN client.
Threat actors deploy a tactic known as “prompt bombing,” in which they flood a user’s authentication app with push notifications in the hope that the user will eventually give up and approve one, letting the attacker into the account without authorization.
According to Talos, “the attacker ultimately achieved an MFA push acceptance, enabling them access to the VPN in the context of the targeted user.” After gaining a foothold, the attacker escalated to administrative privileges, giving them broad access to several systems, which was noticed by Cisco’s security teams.
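The push-fatigue sequence described above, a burst of rejected or ignored prompts followed by an approval, is something defenders can look for in MFA provider logs. The following is an added example (not Cisco’s or Talos’s code) that uses a hypothetical log format and constructed sample lines:

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back period before an approved push
THRESHOLD = 4                   # rejected/ignored pushes that make an approval suspicious
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

# Constructed sample (hypothetical format, not real Cisco logs): jdoe is pushed
# repeatedly and finally approves; asmith rejects once, then approves, which is normal.
SAMPLE_LOG = """\
2022-05-24T02:01:10Z user=jdoe result=denied src=198.51.100.7
2022-05-24T02:01:42Z user=jdoe result=timeout src=198.51.100.7
2022-05-24T02:02:15Z user=jdoe result=denied src=198.51.100.7
2022-05-24T02:02:50Z user=jdoe result=timeout src=198.51.100.7
2022-05-24T02:04:05Z user=jdoe result=approved src=198.51.100.7
2022-05-24T08:15:00Z user=asmith result=denied src=203.0.113.9
2022-05-24T08:15:20Z user=asmith result=approved src=203.0.113.9
"""

def parse(lines):
    """Yield (timestamp, user, result, src); silently skip non-matching lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
                   m["user"], m["result"], m["src"])

def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: n}: n non-approved pushes within `window` before an
    approved push, reported only when n >= threshold."""
    by_user = {}
    for ts, user, result, _src in sorted(events):
        by_user.setdefault(user, []).append((ts, result))
    hits = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            prior = [r for t, r in evs[:i] if ts - t <= window and r != "approved"]
            if len(prior) >= threshold:
                hits[user] = max(hits.get(user, 0), len(prior))
    return hits

def detect_from_text(text, window=WINDOW, threshold=THRESHOLD):
    """Convenience wrapper: run the detector over raw log text."""
    return find_push_fatigue(parse(text.splitlines()), window, threshold)
```

A hit such as `{"jdoe": 4}` is a prompt for analysts to check the source IP and session that followed the approval, not proof of compromise on its own.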
The threat actor, which Cisco identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, the LAPSUS$ threat actor group, and the Yanluowang ransomware operators, also took steps to set up backdoor accounts and persistence mechanisms.
In April 2021, UNC2447, described as an “aggressive” Russia-nexus actor group, was found to have exploited a then-zero-day SonicWall VPN vulnerability to deploy the FIVEHANDS ransomware. Since August 2021, the ransomware strain Yanluowang, named after a Chinese deity, has been used against businesses in the United States, Brazil, and Turkey. In early April, Kaspersky found a flaw in its encryption scheme that allowed files to be decrypted, and released a free decryptor to help victims.
The actor is also alleged to have used a range of tools, including remote access programs such as LogMeIn and TeamViewer, and offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, to extend their access to networked devices.
According to the report, after gaining access to the VPN, the attacker began using the compromised user account to log in to a significant number of systems before pivoting further into the environment. They moved into the Citrix environment, compromised several Citrix servers, and eventually gained access to domain controllers.
The threat actors were then observed staging their toolkit in directories under the Public user profile on compromised hosts, and moving files between systems inside the environment using host-based firewall configurations, Citrix, and Remote Desktop Protocol (RDP). Nevertheless, no ransomware was deployed. “While we did not see any ransomware being deployed in this assault, the TTPs employed were consistent with ‘pre-ransomware activity,’” the company said.
Such behaviour is commonly observed before ransomware is deployed in victim environments. Cisco added that after being evicted from the network, the attackers attempted at least three times to open email conversations with company executives, urging them to pay so that no one would learn of the intrusion and data breach.
The email also included a screenshot of the exfiltrated Box folder’s directory listing. The San Jose-based company emphasized that the incident had no impact on its business operations and did not result in unauthorized access to sensitive customer data, employee information, or intellectual property. It added that it has successfully blocked all attempts to access its network since then. It did, however, initiate a company-wide password reset.