Cisco hacked by access broker with Lapsus$ ties

No Cisco employee or customer personal information was stolen in the hack, though some data did make it onto the dark web.

LAS VEGAS -- Cisco disclosed on Wednesday a cyber attack it endured from a threat actor with ties to cybercrime gangs Lapsus$, UNC2447 and Yanluowang.

The networking and security giant said it became aware of an attack on May 24. Cisco found over the course of its investigation that the compromise occurred after the attacker gained control of an employee's personal Google account that had a number of credentials synchronized, a Cisco Talos blog post explained.

From there, the attacker "conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations" to convince the victim user to accept multifactor authentication push notifications. The attacker ultimately succeeded and gained access to the targeted user's VPN.

Although the attacker conducted a series of actions to gain persistence and escalate access, Cisco said the threat actor was ultimately "removed from the environment," with additional attempts to regain access thwarted over the following weeks. Complete technical details are available in the Talos blog post.

In a corporate security incident disclosure published on Cisco's website, the vendor said it did not identify "any impact" on its business.

"Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations," the disclosure read. "On August 10, the bad actors published a list of files from this security incident to the dark web."

At Black Hat 2022, SearchSecurity spoke with Nick Biasini, global lead of outreach at Cisco Talos and one of the authors of the Cisco Talos post -- only Biasini was credited on the blog, but he clarified that multiple researchers worked on it.

He declined to add additional information about the attack. However, he said that the disclosure -- which is highly transparent and has been praised by cybersecurity professionals, including Cybersecurity and Infrastructure Security Agency Director Jen Easterly -- was not deliberately timed with Black Hat.

Regarding the Google credentials aspect of the attack, Biasini said that the practice of stealing browser credentials has "always been going on."

"It speaks more broadly to why things like password managers are so important and why organizations and individuals should be using password managers and not browsers for that type of thing," he said. "Actors stealing credentials out of browsers isn't new. They've been doing it for as long as I've been working in security. Storing anything in a browser is risky, regardless of what the credential is. That's why you use password managers as a primary mechanism to help protect against it."

On Aug. 10, the same day Cisco disclosed, ransomware gang Yanluowang posted a number of alleged stolen Cisco files to its leak site. Though Cisco did not say Yanluowang's data was accurate, the Talos post provided additional information about what was stolen -- namely, a nonsensitive Box folder stolen from a compromised employee's account.

UPDATE 9/12: Cisco posted an update Sunday confirming that Yanluowang published the contents of the stolen files. The data leaked by the ransomware gang matched the files that Cisco had previously identified and disclosed. "Our previous analysis of this incident remains unchanged-we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations," the company said.

As for the attacker's identity, the Talos blog claimed "with moderate to high confidence" that it was an adversary previously identified as an initial access broker -- a threat actor that gains access to victim organizations before selling said access to other threat actors. The actor, Cisco said, has previous ties with gangs UNC2447, Yanluowang and Lapsus$.

UNC2447 is a ransomware actor with apparent ties to Russia; Yanluowang is a newer gang discovered last year that conducts targeted attacks against organizations using a combination of malware and legitimate software; and Lapsus$ is a now-defunct extortion gang that gained prominence early this year for attacks against Microsoft, T-Mobile and more.

Asked whether the attack was sophisticated, Biasini called attention to the social engineering aspects of the attack.

"[Social engineering is] not something that is a simple attack process," he said. "Even though I'm talking about social engineering, it's becoming more common; it's not the type of thing that we see broadly happening in large swaths of the internet."

Social engineering attacks are becoming more common, with the most visible example to date being 2020's Twitter breach. Apparently coincidentally, Biasini gave a Thursday talk at Black Hat dedicated to the growing prevalence of social engineering attacks.

"'I'm here to talk about social engineering. That is an interesting thing," Biasini told SearchSecurity. "For me, it's one of the more emerging areas that I'm seeing a lot more activity and one that enterprises don't necessarily focus a lot in. We spent 15 years telling people not to click attachments and not to click links, and now, adversaries are moving to do stuff over the phone. We spent all this time educating on these two things. We kind of left one thing off, and now, actors are starting to look at that one thing we left off."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Data security and privacy