Posted on August 11, 2022 at 8:09 PM
Cisco has confirmed that the Yanluowang ransomware group recently attacked its network to steal data. According to the networking giant, the gang compromised its corporate network in late May and tried to extort the firm by threatening to release stolen files online.
However, the firm stated that the threat actors only succeeded in stealing non-sensitive data from a Box folder linked to a compromised employee's account.
“Cisco experienced a security incident on our corporate network in late May 2022,” a Cisco spokesperson said, adding that the company took immediate action to stop the threat actors.
The company explained that the incident had no impact on its business. Sensitive employee information, sensitive customer data, and Cisco products and services were not affected.
The Ransomware Group Has Shared The Stolen Files On The Dark Net
The Cisco team stated that the threat actors published some files believed to be from the incident on the dark web, but that these files are not material to the security of users or the platform. As an added precaution, additional measures have been implemented to safeguard its systems. Cisco has also published technical details of the intrusion so that the wider community can understand the ransomware group's attack methods and protect their own systems.
The report explained how the threat actors gained access to the Cisco network. According to the report, the Yanluowang ransomware group got in through an employee's compromised credentials: the group hijacked the employee's personal Google account, which held credentials that had been synced from their browser.
Social Engineering Technique Deployed
The group used social engineering techniques to convince the employee to accept multi-factor authentication (MFA) push notifications. The attacker also ran a series of voice phishing calls impersonating genuine support organizations, which helped persuade the target to hand over their details.
The group finally convinced the target to accept one of the MFA notifications, which gave them access to the VPN used by the targeted user.
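A defender-side check for the push-fatigue pattern described above, added here as an example and not code from Cisco, Talos or the article: it scans constructed MFA log lines for an approval that follows several denied or timed-out pushes within a short window. The log format, field names and thresholds are assumptions.

```python
"""Detect MFA push-fatigue patterns in authentication logs.
Added example, not code from Cisco or Talos: the log format, field names
and thresholds are assumptions and the log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user event result source_ip
SAMPLE_LOG = """\
2022-05-24T09:02:11Z alice MFA_PUSH DENIED 203.0.113.7
2022-05-24T09:02:48Z alice MFA_PUSH TIMEOUT 203.0.113.7
2022-05-24T09:03:20Z alice MFA_PUSH DENIED 203.0.113.7
2022-05-24T09:04:02Z alice MFA_PUSH DENIED 203.0.113.7
2022-05-24T09:05:40Z alice MFA_PUSH APPROVED 203.0.113.7
2022-05-24T09:10:00Z bob MFA_PUSH APPROVED 198.51.100.4
2022-05-24T11:30:00Z bob MFA_PUSH DENIED 198.51.100.4
2022-05-24T11:31:00Z bob MFA_PUSH APPROVED 198.51.100.4
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window before an approval
MIN_FAILED = 3                  # assumed number of unaccepted pushes that is suspicious

def parse_log(text):
    """Parse the whitespace-separated sample format into (time, user, event, result, ip)."""
    events = []
    for line in text.splitlines():
        ts, user, event, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result, ip))
    return events

def find_push_fatigue(events, window=WINDOW, min_failed=MIN_FAILED):
    """Return (user, approval_time, unaccepted_count, ip) for every approval
    preceded by at least min_failed denied or timed-out pushes in the window."""
    by_user = defaultdict(list)
    for ev in sorted(events):  # chronological order, grouped per user
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, (ts, _, event, result, ip) in enumerate(evs):
            if event != "MFA_PUSH" or result != "APPROVED":
                continue
            # earlier pushes this user did not accept, inside the look-back window
            unaccepted = [e for e in evs[:i]
                          if e[2] == "MFA_PUSH" and e[3] in ("DENIED", "TIMEOUT")
                          and ts - e[0] <= window]
            if len(unaccepted) >= min_failed:
                alerts.append((user, ts, len(unaccepted), ip))
    return alerts

if __name__ == "__main__":
    for user, ts, n, ip in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"push-fatigue suspect: {user} approved at {ts} after {n} unaccepted pushes from {ip}")
```

In the sample, alice's approval after four unaccepted prompts is flagged while bob's single denial followed by an approval is not; an approval from an unfamiliar source IP is a natural extra condition to add.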
After gaining a foothold in the firm's corporate network, the hackers moved laterally to domain controllers and Citrix servers. Cisco Talos added that they compromised several Citrix servers and gained unauthorized access to other, less sensitive areas of the network.
The Attack Was Detected On Time
After obtaining domain administrator privileges, the ransomware group used enumeration tools such as secretsdump, adfind, and ntdsutil to gather more information, and delivered a series of payloads to the breached systems. They also planted a backdoor in the process.
Cisco Talos said the attack was discovered and blocked in time by its security team, which prevented the ransomware group from reaching the sensitive parts of the network. But after the initial block, the threat actors did not give up: over the following weeks they repeatedly tried to regain access to the Cisco network.
Cisco added that the hackers carried out several activities to maintain access, escalate their privileges, and minimize forensic evidence. But the threat actor was successfully locked out of the network.
Hackers Claim Stolen Data Was From Cisco Network
The hackers believed to be responsible for the attack have released the data they allegedly stole from Cisco. Last week, the ransomware group published a directory listing of the files it claims to have taken from the network.
The hackers said they stole 2.75GB of data, consisting of about 3,100 files, during the attack.
According to BleepingComputer, which was given copies of some of the files, many of them are data dumps, non-disclosure agreements, and engineering drawings. The data also included a redacted NDA document offered as proof of the attack. The ransomware gang has since announced the Cisco breach on its dark net data leak site, listing the same files previously sent to BleepingComputer.
Cisco stated that although the ransomware group is notorious for encrypting its victims' files, there has been no evidence of a ransomware payload in this attack.
The company acknowledged that the group's activity on the network was consistent with the activity typically seen before ransomware is deployed. The Yanluowang group recently claimed to have breached the network of American retail giant Walmart, but the company has denied the claim, insisting that there is no evidence of such a breach.