IT, networking, and cybersecurity solutions giant Cisco has admitted suffering a security incident targeting its corporate IT infrastructure in late May 2022. On August 10, the firm stated that an employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized. Bad actors published a list of files from this security incident to the dark web, Cisco added.
“The incident was contained to the corporate IT environment and Cisco did not identify any impact to any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations,” the company said. Cisco claimed it took immediate action to contain and eradicate the bad actor, which it has linked to notorious threat group LAPSUS$. It also said that it has taken the decision to publicly announce the incident now as it was previously actively collecting information about the bad actor to help protect the security community.
Attacker used “sophisticated voice phishing” tactics
In an executive summary of the incident, Cisco Security Incident Response Team (CSIRT) and the company’s cybersecurity intelligence group Cisco Talos wrote: “The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.”
CSIRT and Talos have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development and code signing, they added. After obtaining initial access, the threat actor conducted activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. “Throughout the attack, we observed attempts to exfiltrate information from the environment,” Cisco continued, confirming that the only successful data exfiltration that occurred during the attack included the contents of a Box folder associated with the compromised employee’s account and employee authentication data from Active Directory. “The Box data obtained by the adversary in this case was not sensitive. The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack. However, these attempts were unsuccessful.” The adversary repeatedly attempted to establish email communications with executive members of the organization, but did not make any specific threats or extortion demands.
Attack linked to LAPSUS$ threat group
Cisco assessed with “moderate to high confidence” that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, the LAPSUS$ threat actor group, and Yanluowang ransomware operators. “Some of the TTPs discovered during the course of our investigation match those of LAPSUS$…a threat actor group that is reported to have been responsible for several previous notable breaches of corporate environments. UNC2447 is a financially motivated threat actor with a nexus to Russia that has been previously observed conducting ransomware attacks and leveraging a technique known as ‘double extortion,’ in which data is exfiltrated prior to ransomware deployment to coerce victims into paying ransom demands. Prior reporting indicates that UNC2447 has been observed operating a variety of ransomware, including FIVEHANDS, HELLOKITTY, and more.”
However, Cisco stated that no ransomware has been observed or deployed in the attack. “Every cybersecurity incident is an opportunity to learn, strengthen our resilience, and help the wider security community. Cisco has updated its security products with intelligence gained from observing the bad actor’s techniques, shared indicators of compromise (IOCs) with other parties, reached out to law enforcement and other partners,” it said. Cisco has implemented a company-wide password reset upon learning of the incident.
Strengthen MFA, device verification and network segmentation to mitigate risks
Cisco advised organizations to take steps to mitigate the risks associated with this incident, including strengthening MFA, device verification, and network segmentation. “Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.”
It is beneficial to implement strong device verification by enforcing stricter controls around device status to limit or block enrollment and access from unmanaged or unknown devices, Cisco added. Network segmentation is another important security control that organizations should employ, as it provides enhanced protection for high-value assets and enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment, the firm said.
“Centralized log collection can help minimize the lack of visibility that results when an attacker takes active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.”
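The two recommendations above, educating users about errant MFA push requests and centrally analyzing logs for anomalous behavior, come together in a simple detection. The following is an added example, not Cisco's or any vendor's tooling: it runs over a constructed, simplified MFA log format (timestamp, user, event) and flags the push-fatigue pattern described in the incident, a burst of push requests and an approval that follows earlier denials.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, vendor-neutral MFA log format:
# "<ISO timestamp> <user> <event>". This is not any real product's schema.
SAMPLE_LOG = """\
2022-05-24T09:00:05Z alice push_sent
2022-05-24T09:00:20Z alice push_denied
2022-05-24T09:01:02Z alice push_sent
2022-05-24T09:01:15Z alice push_denied
2022-05-24T09:02:40Z alice push_sent
2022-05-24T09:03:10Z alice push_sent
2022-05-24T09:03:44Z alice push_approved
2022-05-24T09:05:00Z bob push_sent
2022-05-24T09:05:09Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed tuning value)
PUSH_THRESHOLD = 3               # pushes inside WINDOW that count as a flood

def parse(log):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def detect_push_fatigue(log):
    """Return {user: [(finding, timestamp), ...]} for suspicious MFA push activity."""
    findings = defaultdict(list)
    by_user = defaultdict(list)
    for ts, user, event in sorted(parse(log)):
        by_user[user].append((ts, event))
    for user, evts in by_user.items():
        for i, (ts, event) in enumerate(evts):
            # Only events within WINDOW before (and including) the current one.
            window = [e for e in evts[:i + 1] if ts - e[0] <= WINDOW]
            sent = sum(1 for _, e in window if e == "push_sent")
            denied = sum(1 for _, e in window if e == "push_denied")
            # Fire once when the burst reaches the threshold.
            if event == "push_sent" and sent == PUSH_THRESHOLD:
                findings[user].append(("push_flood", ts))
            # A user approving after having denied pushes is the fatigue signature.
            if event == "push_approved" and denied > 0:
                findings[user].append(("approval_after_denials", ts))
    return dict(findings)

if __name__ == "__main__":
    for user, items in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, items)
```

In a real deployment the same logic would run over centrally collected identity-provider logs, where the per-user findings become alerts for the help desk contact the article says employees should know about.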