Network giant Cisco was the victim of a cyber attack in May. In a message posted on Wednesday, the company announced it had discovered a security incident on May 24 targeting its corporate IT infrastructure. Although some files were compromised and published, Cisco said no ransomware was found, that it blocked additional attempts to access its network beyond the initial breach, and that it has strengthened its defenses to prevent further such incidents.
“Cisco has determined no impact on our business as a result of this incident, including Cisco products or services, sensitive customer or employee information, intellectual property or supply chain activities,” the company said in its statement. “We have also implemented additional measures to improve the security of our systems and are sharing technical details to help protect the wider security community.”
What happened during the attack?
An additional notice published by Cisco Talos, the company’s threat intelligence division, revealed more details about the attack. During its investigation, Cisco Talos discovered that an employee’s credentials had been compromised after the attacker took control of a personal Google account that stored and synced the person’s credentials.
After that first breach, the attacker used voice phishing (vishing) attacks in which they impersonated trusted organizations to convince users to accept fraudulent multi-factor authentication prompts. Those MFA pushes were ultimately accepted, giving the attacker access to a VPN used by employees.
SEE: Mobile Device Security Policy (TechRepublic Premium)
Who was responsible for the attack on Cisco’s network?
Pointing to the possible culprit, Cisco Talos said the attack was likely carried out by someone identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ group, and Yanluowang ransomware operators. Initial access brokers typically breach organizations and then sell access to ransomware gangs and other cybercriminals.
Specialized in ransomware, the UNC2447 gang threatens to publish any data it compromises or sell the information on hacker forums unless the ransom is paid. Relatively new to the world of cybercrime, the Lapsus$ group uses social engineering tactics, such as MFA requests, to deceive its victims. Named after the Chinese deity who judges the souls of the dead, Yanluowang ransomware attackers promise to publicly leak the stolen data and perform DDoS attacks unless the ransom is paid.
“This was a sophisticated attack on a high-profile target by experienced hackers that took a lot of perseverance and coordination to succeed,” said Paul Bischoff, privacy attorney at Comparitech. “It was a multi-stage attack that compromised a user’s credentials, phishing other staff for MFA codes, crisscrossing Cisco’s corporate network, taking steps to maintain access and hide traces, and exfiltrating data. Cisco says the attack was most likely carried out by an initial access broker, or IAB. While some data has been exfiltrated, the primary role of an IAB is to sell other hackers access to private networks, who can later carry out other attacks, such as data theft, supply chain attacks on Cisco software, and ransomware.”
A tweet posted by threat intelligence provider CyberKnow included a screenshot of the Yanluowang ransomware group’s leak site listing Cisco as its latest victim. The Cisco Talos notice included a screenshot of an email Cisco received from the attackers. The email warns Cisco that “no one will be aware of the incident and information leak if you pay us,” and shows a folder containing some of the files compromised during the attack.
Why Security Companies Are Targeted
Cybersecurity and technology vendors are increasingly being targeted by cybercriminals. And the attacks are carried out for a variety of reasons, according to ImmuniWeb founder and cybersecurity expert Ilia Kolochenko.
“First, suppliers usually have privileged access to their corporate and government customers and thus can open doors for invisible and super-efficient attacks on the supply chain,” Kolochenko said. “Second, suppliers often have invaluable information about cyber threats.”
Seeking useful information about threats, attackers conduct reconnaissance to determine the status of investigations by private vendors and of possible raids by law enforcement, Kolochenko explained.
“Third, some vendors are a very attractive target because they have the latest DFIR (Digital Forensics and Incident Response) tools and techniques used to detect intrusions and track down cybercriminals, while some other vendors may have exploits for zero-day vulnerabilities or even source code of advanced spyware, which can later be used against new victims or sold on the dark web,” Kolochenko added.
SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)
How security professionals can protect their business from similar attacks
In addition to describing the attack and Cisco’s response, the Talos group provided tips for other organizations to combat these types of attacks.
Educate your users
Many attackers like to use social engineering tricks to compromise an organization. User education is an important step in the fight against such attempts. Make sure your employees know the legitimate methods that support staff will use to contact them. Also, because attackers abuse MFA push notifications, make sure employees know how to respond if they receive unusual prompts on their phones. They need to know who to contact to determine if the request is a technical glitch or something malicious.
Verify employee devices
Enforce strong device verification by establishing strict controls over device health, and restrict or block enrollment and access from unmanaged or unknown devices. Implement risk detection to identify unusual events, such as a new device being used from an improbable location.
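As an added illustration of the two preceding points (MFA push abuse and new-device risk detection), here is example detection logic written for this article, not Cisco Talos tooling; the log record layout, thresholds and coordinates are constructed assumptions, and the events are assumed to already be centrally collected.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample records (not real Cisco data): timestamp, user, event, device id, lat, lon
EVENTS = [
    ("2022-05-23T18:00:00", "alice", "vpn_login",         "laptop-1",  37.39, -121.96),
    ("2022-05-24T01:00:00", "alice", "mfa_push_denied",   "unknown-7", 50.45,   30.52),
    ("2022-05-24T01:00:30", "alice", "mfa_push_denied",   "unknown-7", 50.45,   30.52),
    ("2022-05-24T01:01:00", "alice", "mfa_push_timeout",  "unknown-7", 50.45,   30.52),
    ("2022-05-24T01:03:00", "alice", "mfa_push_approved", "unknown-7", 50.45,   30.52),
    ("2022-05-24T01:03:05", "alice", "vpn_login",         "unknown-7", 50.45,   30.52),
    ("2022-05-24T09:00:00", "bob",   "mfa_push_approved", "laptop-2",  37.39, -121.96),
    ("2022-05-24T09:00:02", "bob",   "vpn_login",         "laptop-2",  37.39, -121.96),
]

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def mfa_fatigue_alerts(events, min_pushes=3, window_s=300):
    """Flag an approved push preceded by >= min_pushes denied/timed-out pushes within window_s."""
    alerts, recent = [], defaultdict(list)
    for ts, user, ev, *_ in events:
        t = datetime.fromisoformat(ts)
        if ev in ("mfa_push_denied", "mfa_push_timeout"):
            recent[user].append(t)
        elif ev == "mfa_push_approved":
            burst = [x for x in recent[user] if (t - x).total_seconds() <= window_s]
            if len(burst) >= min_pushes:
                alerts.append((user, ts, len(burst)))
            recent[user].clear()
    return alerts

def device_risk_alerts(events, max_kmh=900):
    """Flag a VPN login from a device never seen for that user when the implied
    travel speed since the user's previous login is not physically plausible."""
    alerts, known, last = [], defaultdict(set), {}
    for ts, user, ev, dev, lat, lon in events:
        if ev != "vpn_login":
            continue
        t = datetime.fromisoformat(ts)
        if user in last and dev not in known[user]:
            pt, plat, plon = last[user]
            hours = max((t - pt).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
            speed = haversine_km(plat, plon, lat, lon) / hours
            if speed > max_kmh:
                alerts.append((user, ts, dev, round(speed)))
        known[user].add(dev)
        last[user] = (t, lat, lon)
    return alerts
```

Running both functions over EVENTS flags only alice: three unapproved pushes in under three minutes followed by an approval, then a VPN login from a never-seen device whose implied travel speed from her last login is well above the threshold; bob's normal login produces nothing.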
Enforce security requirements for VPN access
Before allowing VPN access from remote endpoints, use posture checking to ensure that connecting devices meet your security requirements and that unapproved devices cannot connect.
Segment your network
Network segmentation is another essential security method because it can better protect important assets and help you better detect and respond to suspicious activity.
Use centralized logs
Centralized logs make it easier to determine whether an attacker is trying to clear logs from your systems. Ensure that endpoint log data is collected centrally and analyzed for suspicious behavior.
Switch to offline backups
In many incidents, attackers targeted the backup infrastructure to prevent an organization from recovering files compromised during an attack. To counter this, make sure your backups are stored offline and regularly test recovery to make sure you can recover from an attack.