Wednesday, September 28, 2022

Cisco admits data posted by ransomware gang came from its systems

Cisco Systems has admitted that data posted on Sunday by the Yanluowang ransomware gang was stolen from the networking giant in a cyberattack earlier this year.

In an updated blog post yesterday, Cisco’s Talos threat intelligence team said that the contents of files posted by the gang on its data leak site matched data from the list of file names Yanluowang had earlier published claiming to be from the company.

Nevertheless, Cisco maintains no sensitive customer, employee, or corporate data was copied.

“Our previous analysis of this incident remains unchanged,” the blog says. “We continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco acknowledged in August that on May 24th it realized there had been a “potential compromise.” A company employee’s credentials had been compromised after an attacker gained control of their personal Google account where credentials saved in the victim’s browser were being synchronized. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.

The attacker then ran a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker, Cisco said. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to the VPN in the context of the targeted user. Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted the Cisco Security Incident Response Team (CSIRT).
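The sequence Cisco describes (a burst of MFA push prompts, one accepted, then new MFA devices enrolled) leaves a recognisable trace in authentication logs. The following detection heuristic is an added example written for this article; it is not Cisco code, and the log format, field names and sample lines are constructed for illustration.

```python
"""Flag MFA push fatigue followed by new-device enrollment.

Added example, not part of the original article or any Cisco tooling.
The log format below is constructed; 'user', 'event', 'result' and
'device' are assumed field names, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article).
# Format: "<ISO timestamp> user=<name> event=<type> result=<outcome> device=<id>"
SAMPLE_LOG = """\
2022-05-24T09:01:10 user=jdoe event=mfa_push result=denied device=phone-1
2022-05-24T09:01:55 user=jdoe event=mfa_push result=timeout device=phone-1
2022-05-24T09:02:40 user=jdoe event=mfa_push result=denied device=phone-1
2022-05-24T09:03:30 user=jdoe event=mfa_push result=denied device=phone-1
2022-05-24T09:04:15 user=jdoe event=mfa_push result=approved device=phone-1
2022-05-24T09:06:02 user=jdoe event=mfa_device_enrolled result=success device=phone-2
2022-05-24T09:06:40 user=jdoe event=vpn_login result=success device=phone-2
2022-05-24T08:30:00 user=asmith event=mfa_push result=approved device=phone-9
2022-05-24T08:30:20 user=asmith event=vpn_login result=success device=phone-9
"""


def parse_log(text):
    """Parse the constructed key=value log lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect_push_fatigue(events, push_threshold=3,
                        push_window=timedelta(minutes=10),
                        enroll_window=timedelta(minutes=30)):
    """Return one alert per MFA approval that was preceded, within push_window,
    by at least push_threshold unapproved pushes for the same user. The alert
    is escalated to 'high' when a different MFA device is enrolled for that
    user within enroll_window after the approval."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev.get("event") != "mfa_push" or ev.get("result") != "approved":
                continue
            # Unapproved pushes (denied, timed out, ...) shortly before this approval.
            unapproved = [
                e for e in evs[:i]
                if e.get("event") == "mfa_push"
                and e.get("result") != "approved"
                and ev["ts"] - e["ts"] <= push_window
            ]
            if len(unapproved) < push_threshold:
                continue
            alert = {
                "user": user,
                "approved_at": ev["ts"],
                "unapproved_pushes": len(unapproved),
                "severity": "medium",
                "reason": "push_fatigue",
            }
            # A new MFA device appearing right after a suspicious approval is
            # the persistence step worth paging on.
            new_devices = [
                e["device"] for e in evs[i + 1:]
                if e.get("event") == "mfa_device_enrolled"
                and e["ts"] - ev["ts"] <= enroll_window
                and e.get("device") != ev.get("device")
            ]
            if new_devices:
                alert["severity"] = "high"
                alert["reason"] = "push_fatigue_then_new_device"
                alert["new_devices"] = new_devices
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Thresholds and windows are deliberately parameters: a single denied push is normal user behaviour, so the rule keys on the combination of repeated unapproved prompts, an eventual approval, and a device enrollment that the legitimate user did not initiate. The second sample user, who approved a single push and logged in, produces no alert.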

The threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment before being ejected from the system. That activity included the use of remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and the addition of the gang’s own backdoor accounts and persistence mechanisms.

The Bleeping Computer news service said Yanluowang’s leader told it thousands of Cisco files including classified documents, technical schematics, and source code were stolen. When the news site asked for comment, Cisco denied the possibility that the intruders had exfiltrated or accessed any source code.
