However, the company pointed out that the security breach has no impact on the business because the stolen data doesn’t include sensitive information. Over the weekend, Cisco confirmed that the data recently leaked by the Yanluowang ransomware gang have been authentic and was stolen from its network during the May intrusion. Then threat actors were able to drop multiple tools in the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket. Then the threat actors escalated to administrative privileges before logging into multiple systems.
The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.Īccording to Talos, once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. Upon achieving an MFA push acceptance, the attacker had access to the VPN in the context of the targeted user. Once obtained the credentials, the attackers launched voice phishing attacks in an attempt to trick the victim into accepting the MFA push notification started by the attacker.
The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat actors compromised a Cisco employee’s credentials after they gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
0 kommentar(er)
