On August 10, 2022, Cisco confirmed that its corporate systems had been breached. The initial intrusion, and the deployment of malicious software inside the organization's perimeter, took place at the end of May. The attackers claim to have stolen 2.75GB of data from the company's network, including confidential documents and engineering drawings of network devices.
Cisco said the attackers were only able to copy non-sensitive data that the compromised employee's account had access to.
According to Cisco Talos, the attackers got into the Cisco network with a Cisco employee's credentials, obtained by compromising that employee's personal Google account: the employee's Cisco credentials had been saved in the browser and synchronized to the Google account. To get past multi-factor authentication (MFA), the attackers flooded the employee with MFA push notifications and, in a voice-phishing call in which they posed as company technical support, persuaded the employee to accept one of them.
With the approved MFA push, the attackers logged into the company's VPN under the employee's account. From there they attempted to move laterally across the corporate network using tooling associated with the Yanluowang ransomware group, and succeeded on a number of Citrix servers and domain controllers. “They moved into the Citrix environment, compromised a number of servers, and eventually gained privileged access to domain controllers,” Cisco Talos explained.
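The initial-access chain described above (a burst of attacker-initiated MFA pushes, a vishing call, and finally an approval) leaves a recognisable pattern in authentication logs. The following is an added example, not code from Cisco or Talos: a small Python detector run over constructed MFA events. The record format (`ts`, `user`, and an `event` of `push_sent`, `push_denied` or `push_approved`) and the thresholds are assumptions for the example, not a real MFA product's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune them to the real MFA provider's baseline.
PUSH_BURST_THRESHOLD = 5              # this many pushes to one user ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window counts as a burst

# Constructed MFA events (not Cisco telemetry). "alice" is bombarded with pushes
# and eventually approves one; "bob" shows two ordinary logins hours apart.
SAMPLE_EVENTS = [
    {"ts": "2022-05-24T09:00:05", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:00:15", "user": "alice", "event": "push_denied"},
    {"ts": "2022-05-24T09:00:40", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:00:50", "user": "alice", "event": "push_denied"},
    {"ts": "2022-05-24T09:01:20", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:02:10", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:03:00", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:03:50", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:05:30", "user": "alice", "event": "push_sent"},
    {"ts": "2022-05-24T09:06:10", "user": "alice", "event": "push_approved"},
    {"ts": "2022-05-24T08:15:00", "user": "bob", "event": "push_sent"},
    {"ts": "2022-05-24T08:15:20", "user": "bob", "event": "push_approved"},
    {"ts": "2022-05-24T13:40:00", "user": "bob", "event": "push_sent"},
    {"ts": "2022-05-24T13:40:30", "user": "bob", "event": "push_approved"},
]


def detect_push_fatigue(events, threshold=PUSH_BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {user: alert} for every user who received `threshold` or more pushes
    inside `window`. The alert records how many pushes fell in the burst and whether
    an approval followed it, which is the MFA-fatigue success case: the victim
    eventually taps "approve" to make the prompts stop."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["event"]))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()  # logs are rarely delivered in order; sort by timestamp first
        pushes = [t for t, kind in evs if kind == "push_sent"]
        approvals = [t for t, kind in evs if kind == "push_approved"]
        for i, start in enumerate(pushes):
            # Extend the burst while further pushes arrive within `window` of the first one
            j = i
            while j + 1 < len(pushes) and pushes[j + 1] - start <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                end = pushes[j]
                approved = any(start <= a <= end + window for a in approvals)
                alerts[user] = {
                    "burst_start": start.isoformat(),
                    "pushes_in_window": count,
                    "approved_after_burst": approved,
                }
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_EVENTS).items():
        severity = "HIGH" if alert["approved_after_burst"] else "MEDIUM"
        print(f"{severity}: {user} received {alert['pushes_in_window']} pushes from "
              f"{alert['burst_start']}; approved afterwards: {alert['approved_after_burst']}")
```

A burst that ends in an approval is the case to page someone on, because at that point the attacker holds a live session; a burst of denials alone still warrants a call to the user. Number-matching or FIDO2 authenticators remove the "just tap approve" failure mode that this detector is looking for.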
Having obtained domain administrator rights, the attackers used ntdsutil, adfind and secretsdump to collect further information: ntdsutil to dump the Active Directory database (NTDS.dit), adfind to enumerate Active Directory objects, and Impacket's secretsdump to extract credential material. They also deployed several pieces of malware, including a backdoor, on the compromised servers.
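The post-compromise tooling named above (ntdsutil, adfind, secretsdump) is noisy in process-creation telemetry if anyone is watching for it. As an added example, and not detection content from Cisco or Talos, here is a Python pass over constructed Windows process-creation records with fields in the shape of what Security event 4688 or Sysmon event 1 provide; the hostnames, usernames and command lines are made up for the example.

```python
import re

# Constructed process-creation records (fields mirror Security 4688 / Sysmon Event ID 1).
# None of these hosts, users or paths are real Cisco data.
SAMPLE_PROCESSES = [
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q'},
    {"host": "CTX-APP02", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AdFind.exe",
     "cmdline": r"AdFind.exe -f (objectcategory=person) samaccountname memberof -csv"},
    {"host": "CTX-APP02", "user": "CORP\\jdoe",
     "image": r"C:\Python39\python.exe",
     "cmdline": r"python.exe secretsdump.py -just-dc-ntlm corp.local/jdoe@dc01.corp.local"},
    {"host": "WS-1017", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\asmith\notes.txt"},
    {"host": "DC01", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "files" "info" q q'},  # no IFM dump: routine admin usage
]

# Each rule: (name, regex applied to the command line). Case-insensitive, because
# Windows tool and path names are.
RULES = [
    # ntdsutil's "ifm" (Install From Media) mode writes a copy of NTDS.dit to disk
    ("ntdsutil_ifm_dump", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    # AdFind: Active Directory enumeration; legitimate for admins, unusual on app servers
    ("adfind_enumeration", re.compile(r"\badfind(\.exe)?\b", re.I)),
    # Impacket secretsdump: pulls hashes and secrets; -just-dc* targets the DC database remotely
    ("impacket_secretsdump", re.compile(r"\bsecretsdump(\.py)?\b", re.I)),
]


def match_rules(record):
    """Return the names of every rule whose pattern matches this record's command line."""
    return [name for name, pattern in RULES if pattern.search(record["cmdline"])]


def detect_dumping_tools(records):
    """Scan process-creation records and return one alert per (record, matching rule)."""
    alerts = []
    for rec in records:
        for rule in match_rules(rec):
            alerts.append({"host": rec["host"], "user": rec["user"],
                           "rule": rule, "cmdline": rec["cmdline"]})
    return alerts


def hosts_by_rule(alerts):
    """Group alerted hosts per rule, to scope which machines to triage first."""
    grouped = {}
    for a in alerts:
        grouped.setdefault(a["rule"], set()).add(a["host"])
    return grouped


if __name__ == "__main__":
    for a in detect_dumping_tools(SAMPLE_PROCESSES):
        print(f"[{a['rule']}] {a['host']} {a['user']}: {a['cmdline']}")
```

Two caveats a practitioner would add: ntdsutil's IFM mode and AdFind both have legitimate administrative uses, so these rules need a baseline of who runs them, from where, and during which change windows before they page anyone. And because Talos noted that the attackers worked to minimise artifacts and suspicious logs on compromised systems, process-creation events should be forwarded off-host in near real time rather than read later from the machine itself.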
Cisco subsequently detected the intrusion, cut off the attackers' access and evicted them from the corporate environment. Over the following weeks, the attackers repeatedly tried to regain access to the company's internal systems.
“After gaining initial access, the attackers took a number of steps to covertly preserve access, minimizing the presence of artifacts and suspicious logs on compromised systems,” Cisco Talos explained. Cisco said it detected and removed all of the malware, but the attackers did manage to exfiltrate some files from the internal network. No files on the servers were encrypted or deleted during the attack, the company said.
The attackers told Bleeping Computer that they had stolen about 3,100 files, including documents from partners under non-disclosure agreements, data dumps and technical drawings, and threatened to publish them if the company did not pay a ransom.