Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the attackers then tried to extort the company by threatening to leak stolen files online.
The company said the only data the attackers were able to harvest and exfiltrate was non-sensitive content from a Box folder linked to the compromised employee's account.
“Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors,” a Cisco spokesperson told BleepingComputer.
“On August 10 the bad actors published a list of files from this security incident on the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”
Stolen employee credentials used to breach Cisco’s network
The Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account, to which credentials saved in the browser had been synced.
The attackers then convinced the employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue (repeated push prompts sent until one is approved) combined with a series of sophisticated voice phishing calls in which the Yanluowang gang impersonated trusted support organizations.
The threat actors eventually tricked the victim into accepting one of the MFA prompts, which gave them access to the VPN in the context of the targeted user.
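The MFA fatigue sequence described above leaves a recognizable trace in identity-provider push logs: a burst of denied or timed-out prompts for one user, followed by an approval. The script below is an added example, not code from Cisco or Talos; the log format, user names, source IPs, timestamps and thresholds are all constructed for the illustration.

```python
"""MFA push-fatigue detection over constructed identity-provider push logs.

Heuristic: within a short window a user receives several push prompts that
are denied or time out, and then one is approved. The log format, users,
IPs and timestamps below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RESULTS = {"push_denied", "push_timeout"}

# Constructed sample log: "<UTC timestamp> <user> <push result> <source IP>".
# Lines are deliberately not in time order, as log shipping often delivers them.
SAMPLE_LOG = """\
2022-05-24T03:02:10Z alice push_denied 203.0.113.7
2022-05-24T03:02:41Z alice push_timeout 203.0.113.7
2022-05-24T09:15:00Z bob push_denied 198.51.100.9
2022-05-24T03:03:15Z alice push_denied 203.0.113.7
2022-05-24T03:04:02Z alice push_timeout 203.0.113.7
2022-05-24T09:15:40Z bob push_approved 198.51.100.9
2022-05-24T03:05:30Z alice push_denied 203.0.113.7
2022-05-24T03:07:48Z alice push_approved 203.0.113.7
2022-05-24T12:00:00Z carol push_timeout 192.0.2.33
2022-05-24T13:00:00Z carol push_timeout 192.0.2.33
2022-05-24T14:00:00Z carol push_timeout 192.0.2.33
2022-05-24T15:00:00Z carol push_timeout 192.0.2.33
2022-05-24T15:05:00Z carol push_approved 192.0.2.33
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, result, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip}


def find_push_fatigue(log_text, window_minutes=10, min_failed=4):
    """Return one alert per approval that was preceded by at least `min_failed`
    failed prompts for the same user within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])  # tolerate out-of-order delivery
        for i, ev in enumerate(events):
            if ev["result"] != "push_approved":
                continue
            prior = [p for p in events[:i]
                     if p["result"] in FAILED_RESULTS
                     and ev["ts"] - p["ts"] <= window]
            if len(prior) >= min_failed:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"],
                    "first_prompt": prior[0]["ts"],
                    "failed_prompts": len(prior),
                    "source_ips": sorted({p["ip"] for p in prior} | {ev["ip"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['failed_prompts']} failed prompts from "
              f"{alert['first_prompt']:%H:%M:%S} until approval at "
              f"{alert['approved_at']:%H:%M:%S} via {alert['source_ips']}")
```

With the defaults only `alice` is flagged: `bob` had a single denial before approving, and `carol`'s four timeouts are spread over hours, so they fall outside the ten-minute window. Widening the window to six hours would flag `carol` too, which is the usual tuning trade-off; in practice the thresholds are set per organization, and the alert is strongest when paired with a source-IP or device mismatch between the failed prompts and the user's normal logins.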
Once they gained a foothold on the company’s corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
“They moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers,” Cisco Talos said.
After gaining domain admin, they used Active Directory enumeration and credential-dumping tools such as adfind, ntdsutil, and secretsdump to collect more information, and installed a series of payloads on compromised systems, including a backdoor.
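Process-creation telemetry with command-line logging (Sysmon event ID 1, or Windows event 4688 with command-line auditing enabled) is the usual place to catch the tools named above. The script below is an added example and not Cisco's or Talos's detection logic: its patterns are generic for how ntdsutil, adfind and secretsdump are commonly invoked, not the exact commands used in this intrusion, and the JSON-lines events, host names, users and paths are constructed.

```python
"""Flag NTDS credential dumping and AD enumeration in process-creation events.

The rules match generic invocations of ntdsutil, secretsdump and adfind; they
are not the commands used in the Cisco intrusion. Events below (hosts, users,
paths, command lines) are constructed for this example.
"""
import json
import re

# (rule name, pattern applied to the lowercased "<image> <cmdline>" string)
RULES = [
    # ntdsutil "ac i ntds" "ifm" "create full <dir>" writes out NTDS.dit + SYSTEM
    ("ntdsutil_ntds_dump",
     re.compile(r"ntdsutil.*\bntds\b.*\b(ifm|create\s+full)\b")),
    # Impacket's secretsdump.py, whether run through python or a packaged binary
    ("impacket_secretsdump", re.compile(r"secretsdump")),
    # AdFind LDAP queries by object category/class, or bulk dumps via -sc
    ("adfind_ad_enumeration",
     re.compile(r"adfind.*(objectcategory|objectclass|-sc\s+\w+)")),
]

# Constructed JSON-lines process-creation events. The fourth line is a benign
# ntdsutil run (database file info) that the first rule must not fire on.
SAMPLE_EVENTS = r"""
{"host": "dc01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\x\" q q"}
{"host": "ws42", "user": "CORP\\alice", "image": "C:\\Python39\\python.exe", "cmdline": "python.exe secretsdump.py -just-dc corp.local/alice@dc01"}
{"host": "ws42", "user": "CORP\\alice", "image": "C:\\Tools\\AdFind.exe", "cmdline": "AdFind.exe -f \"(objectcategory=person)\" samaccountname"}
{"host": "dc01", "user": "CORP\\admin", "image": "C:\\Windows\\System32\\ntdsutil.exe", "cmdline": "ntdsutil.exe \"ac i ntds\" \"files\" \"info\" q q"}
{"host": "ws07", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users"}
"""


def scan_events(jsonl_text):
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}".lower()
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "rule": name, "cmdline": ev["cmdline"]})
    return hits


def hosts_by_rule(hits):
    """Group matching hosts per rule, for a quick triage view."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h["rule"], set()).add(h["host"])
    return {rule: sorted(hosts) for rule, hosts in grouped.items()}


if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['host']} {h['user']}: {h['cmdline']}")
```

Matching on the lowercased image path plus command line, rather than on the image name alone, means a renamed `ntdsutil.exe` copy still trips the rule as long as the `ntds` / `ifm` arguments are present, while the benign `files info` run on `dc01` stays quiet. On a domain controller, any `ifm` export by an account that is not a known backup process is worth an immediate look, since the output contains every domain credential hash.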
Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks.
“After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment,” Cisco Talos added.
“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
Hackers claim to steal data from Cisco
Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack.
The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Judging by the listing, many of these files are non-disclosure agreements, data dumps, and engineering drawings.
The threat actors also sent a redacted NDA document stolen in the attack to BleepingComputer as proof of the attack and a “hint” that they breached Cisco’s network and exfiltrated files.
Today, the extortionists announced the Cisco breach on their data leak site and published the same directory listing previously sent to BleepingComputer.
No ransomware was deployed on Cisco’s systems
Cisco also said that, even though the Yanluowang gang is known for encrypting their victims’ files, it found no evidence of ransomware payloads during the attack.
“While we did not observe ransomware deployment in this attack, the TTP used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” Cisco Talos added in a separate blog post published on Wednesday.
“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”
The Yanluowang gang has also claimed to have recently breached the systems of American retailer Walmart, which denied the attack, telling BleepingComputer that it found no evidence of a ransomware attack.