The Yanluowang ransomware group infiltrated Cisco’s corporate network in late May and stole internal data, according to Cisco’s report on the breach.
The investigation revealed that the threat actors obtained a Cisco employee’s credentials after taking control of a personal Google account to which the credentials saved in the victim’s browser were being synced. With the credentials in hand, the attackers began voice phishing (vishing) attempts to convince the victim to accept the MFA push notifications the attackers were triggering.
Through MFA fatigue (a flood of push prompts) and a series of voice phishing calls impersonating trusted support organisations, the attacker persuaded the Cisco employee to accept the MFA push alerts. Once the victim accepted one of them, the threat actors were able to access the VPN in the context of the targeted user.
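The initial access step above is a pattern a defender can look for in MFA provider logs: a burst of denied or timed-out push challenges for one user, followed shortly by an approval. The following detector is an added example (not Cisco’s or Talos’s code) and runs over constructed sample log lines in an assumed `timestamp user method result` format.

```python
"""Flag MFA push fatigue: many unapproved pushes to one user, then an approval."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the Cisco incident): timestamp, user, method, result
SAMPLE_LOG = """\
2022-05-24T21:02:10Z alice push DENIED
2022-05-24T21:02:45Z alice push DENIED
2022-05-24T21:03:20Z alice push TIMEOUT
2022-05-24T21:04:05Z alice push DENIED
2022-05-24T21:05:30Z alice push APPROVED
2022-05-24T21:10:00Z bob push APPROVED
"""

WINDOW = timedelta(minutes=10)   # look-back window before an approval
THRESHOLD = 3                    # unapproved pushes in the window that make an approval suspicious


def parse(log):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: count} for users whose APPROVED push was preceded by at
    least `threshold` non-approved pushes inside `window`."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "APPROVED":
                continue
            # Count earlier unapproved pushes that fall inside the look-back window
            prior = [r for t, r in evs[:i] if ts - t <= window and r != "APPROVED"]
            if len(prior) >= threshold:
                flagged[user] = len(prior)
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(parse(SAMPLE_LOG)))  # {'alice': 4}
```

A hit is a trigger to check whether the approving session came from an expected device and location, and to talk to the user, rather than a verdict on its own.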
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password synchronization in Google Chrome and had saved their Cisco credentials in their browser, allowing that information to synchronize with their Google account,” Cisco Talos wrote in its published analysis.
Once the Yanluowang operators had gained access to the company’s corporate network, they moved laterally to domain controllers and Citrix servers.
After obtaining domain admin access, they deployed a number of payloads, including a backdoor, on compromised devices and used enumeration tools including ntdsutil, adfind, and secretsdump to gather further information about the environment.
“After gaining initial access, the threat actor engaged in a variety of activities to retain access, reduce forensic evidence, and raise their level of access to the environment’s systems,” Talos wrote. “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful,” they added.
Last week, the threat actor behind the Cisco breach shared a directory listing of data purportedly taken during the attack. They claim to have stolen 2.75GB of data, comprising approximately 3,100 files. Non-disclosure agreements, data dumps, and engineering drawings make up a large portion of these files. As proof of the attack, the threat actors sent a redacted NDA document stolen in the intrusion.
Cisco said that throughout the attack, the Yanluowang gang did not deploy ransomware on its network. The group is instead attempting to extort the company and has published a list of files taken from it, threatening to release all of the stolen material if Cisco does not pay the ransom.
“While we did not detect ransomware deployment in this attack, the TTPs employed were consistent with ‘pre-ransomware behaviour,’ which is typically observed prior to ransomware distribution in victim environments. Many of the TTPs detected are consistent with CTIR activities from earlier engagements,” Talos experts conclude.