On August 10, Cisco announced that the notorious Yanluowang ransomware gang had breached their corporate network last May. The threat group requested a ransom payment from the firm to keep the stolen files from being published online.
However, the tech firm clarified that the stolen data were all non-sensitive, meaning the incident had no significant impact on its business, including its products, services, customer data, employee information, supply chain operations, and intellectual property.
Cisco immediately remediated the issues inflicted on their breached network.
Additional measures were also applied to protect Cisco's systems against further cyberattacks. Cisco shared the details of the attack and the measures it implemented because the threat actors behind it had already leaked samples of the stolen data on the dark web.
According to the report, the Yanluowang ransomware gang breached Cisco's corporate network after stealing an employee's credentials by compromising that employee's personal Google account.
The threat actors also used social engineering and vishing (voice phishing) to convince the Cisco employee to hand over an MFA code. That code allowed the Yanluowang actors to log in to a VPN server while posing as the victimised employee.
This gave the gang a foothold in Cisco's corporate network. Once inside, they moved laterally across several Citrix servers and domain controllers. Cisco eventually detected the unauthorised activity and revoked the access. The ransomware group has repeatedly attempted to regain access, to no avail.
Seemingly not accepting defeat, the threat actors published a directory listing of files allegedly stolen from Cisco on the dark web. This directory holds 2.75GB of data, consisting of several corporate documents, NDAs, data dumps, and engineering drafts.
Notably, Cisco's corporate network was not infected with ransomware during the attack. The tech firm also associated the attack with other notorious threat groups, including UNC2447 and Lapsus$.