Cisco reveals cyberattack on its corporate network

Image: Phishing email (Adobe Stock)

Network giant Cisco was the victim of a cyberattack in May. In a notice posted on Wednesday, the company announced that it had discovered a security incident targeting its IT infrastructure on May 24. Although some files were compromised and published, Cisco said no ransomware was found, that it has managed to block further attempts to access its network beyond the initial breach, and that it has strengthened its defenses to prevent such incidents from recurring.

“Cisco is not aware of any impact on our business as a result of this incident, including Cisco products or services, sensitive customer data, or sensitive employee information, intellectual property or supply chain operations,” the company said in its announcement. “We have also implemented additional measures to strengthen the security of our systems and are sharing technical details to help protect the broader security community.”

What happened during the attack?

An email sent by the attackers to Cisco. Image: Cisco Talos

A further notice published by Cisco Talos, the company’s threat intelligence arm, revealed more details about the attack. Upon investigation, Cisco Talos found that an employee’s credentials were compromised after an attacker took control of a personal Google account in which that individual’s credentials were stored and synchronized.

After that initial compromise, the attacker turned to voice phishing, impersonating trusted organizations to persuade the user to accept fraudulent multi-factor authentication push notifications. One of those MFA pushes was eventually accepted, giving the attacker access to the VPN used by staff.

Who is responsible for the attack on the Cisco network?

Pointing to potential perpetrators, Cisco Talos said the attack could have been carried out by an actor identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ group and the Yanluowang ransomware operators. Initial access brokers typically breach organizations and then sell that access to ransomware gangs and other cybercriminals.

Specializing in ransomware, the UNC2447 gang threatens to publish any data it steals, or to sell it on hacker forums, unless a ransom is paid. A relative newcomer to cybercrime, the Lapsus$ group uses social engineering tactics, such as MFA requests, to trick its victims. Named after the Chinese god who judges the souls of the dead, the Yanluowang ransomware attackers vow to publicly leak stolen data and launch DDoS attacks unless a ransom is paid.

“This was a sophisticated attack against a high-profile target by experienced hackers that required a lot of persistence and coordination,” said Paul Bischoff, privacy advocate at Comparitech. “It was a multi-stage attack that required compromising user credentials, tricking other employees into obtaining MFA codes, going through Cisco’s corporate network, taking steps to maintain access and hide tracks, and stealing data. Cisco said the attack was most likely carried out by an initial access broker, or IAB. Although some data was retrieved, the main role of the IAB was to sell other hackers access to private networks, who could later carry out further attacks such as data theft, supply chain attacks on Cisco software and ransomware.”

A tweet posted by threat intelligence provider Cyberknow includes a screenshot of the Yanluowang ransomware group’s leak site listing Cisco as its latest victim. The Cisco Talos post includes a screenshot of an email Cisco received from the attackers. Threatening that “no one will know about the incident and the leak if you pay us,” the email shows a folder containing some of the files taken in the attack.

Why are security companies being targeted?

Cybersecurity and technology vendors are increasingly becoming targets of cybercriminals, and the attacks happen for a number of reasons, according to ImmuniWeb founder and cybersecurity expert Ilia Kolochenko.

“First, vendors often have privileged access to their corporate and government customers and thus can open the door to invisible and super-effective supply chain attacks,” said Kolochenko. “Second, vendors often have invaluable cyber threat intelligence.”

In search of useful threat intelligence, Kolochenko explained, attackers conduct reconnaissance to determine the status of investigations by private vendors and of raids by law enforcement agencies.

“Third, some vendors are very attractive targets because they have the latest DFIR (Digital Forensics and Incident Response) tools and techniques used for intrusion detection and cybercrime detection, while some other vendors can exploit zero-day vulnerabilities or even the source code of sophisticated spyware, which can be used against new victims or sold on the Dark Web,” added Kolochenko.

How security professionals can protect their companies from similar attacks

In addition to describing the attack and Cisco’s response, the Talos team offered advice to other organizations on how to defend against this type of attack.

Educate your users

Many attackers rely on social engineering to compromise an organization, so educating users is an important step in countering such efforts. Make sure your staff know the legitimate methods support staff will use to contact them. Given the abuse of MFA push notifications, also ensure that employees know how to respond if they receive an unexpected request on their phone, and whom to contact to help determine whether the request is a technical glitch or something malicious.

Verify employees’ devices

Apply robust device verification by establishing tight controls on device health and ensuring that enrollment and access from unmanaged or unknown devices are limited or blocked. Implement risk detection to identify unusual events, such as a new device being used from an implausible location.

Enforce security requirements for VPN access

Before allowing VPN access from remote endpoints, use posture checks to ensure that connecting devices meet your security requirements and that rogue devices that have not been previously approved are prevented from connecting.

Segment your network

Network segmentation is another important security measure, as it better protects critical assets and helps you detect and respond to suspicious activity.

Use centralized logging

By relying on centralized logs, you can better determine whether an attacker has tried to delete logs from your systems. Ensure that log data from endpoints is centrally collected and analyzed for suspicious behavior.
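The two recommendations above (teaching users to recognize abusive MFA push notifications, and analyzing centrally collected logs) can be combined into a simple detection: flag a user who denies several MFA pushes in a short window and then approves one, the pattern behind the MFA-fatigue step Talos describes. This is an added example, not Cisco's or Talos's code; the "timestamp user event" log format and the sample lines are constructed for illustration.

```python
"""Detect MFA push-fatigue patterns in centrally collected authentication logs.

Added example (not Cisco's or Talos's code). The log format below
("<ISO timestamp> <user> <event>") is an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: alice denies three pushes, then approves the
# fourth and logs in to the VPN; bob approves a single push normally.
SAMPLE_LOGS = """\
2022-05-24T08:01:02Z alice mfa_push_sent
2022-05-24T08:01:40Z alice mfa_push_denied
2022-05-24T08:02:05Z alice mfa_push_sent
2022-05-24T08:02:30Z alice mfa_push_denied
2022-05-24T08:03:10Z alice mfa_push_sent
2022-05-24T08:03:25Z alice mfa_push_denied
2022-05-24T08:04:00Z alice mfa_push_sent
2022-05-24T08:04:12Z alice mfa_push_approved
2022-05-24T08:04:13Z alice vpn_login_success
2022-05-24T09:15:00Z bob mfa_push_sent
2022-05-24T09:15:09Z bob mfa_push_approved
"""

def parse_logs(text):
    """Parse log lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: details} for users who denied >= `threshold` pushes
    within `window` and then approved one (a likely MFA-fatigue success)."""
    denials = defaultdict(list)   # user -> timestamps of recent denials
    flagged = {}
    for ts, user, event in sorted(events):
        if event == "mfa_push_denied":
            # keep only denials still inside the sliding window
            denials[user] = [t for t in denials[user] if ts - t <= window] + [ts]
        elif event == "mfa_push_approved":
            recent = [t for t in denials[user] if ts - t <= window]
            if len(recent) >= threshold:
                flagged[user] = {"denials": len(recent), "approved_at": ts}
            denials[user].clear()  # approval ends the current burst
    return flagged

if __name__ == "__main__":
    for user, info in detect_push_fatigue(parse_logs(SAMPLE_LOGS)).items():
        print(f"{user}: {info['denials']} denials, then approval at {info['approved_at']:%H:%M:%S}")
```

In practice the flagged approval should be correlated with the following VPN login and the device posture data from the other recommendations, since an approval after a burst of denials is exactly the event an attacker needs.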

Switch to offline backups

In many incidents, attackers have targeted backup infrastructure to prevent an organization from recovering compromised files during an attack. To address this, make sure your backups are stored offline, and regularly test restores to confirm you can recover from an attack.
