Rewterz Threat Update – Cisco Suffered A Data Breach Attack By The Yanluowang Ransomware Gang

Severity

High

Analysis Summary

The Yanluowang ransomware group infiltrated Cisco’s corporate network in late May and stole internal data, according to a security breach Cisco reported.

The investigation revealed that threat actors exploited a Cisco employee’s credentials after gaining control of a personal Google account where credentials saved in the victim’s browser were being synced. Once they had the victim’s credentials, the attackers began voice phishing attempts in an effort to convince them to accept the MFA push notification they had initiated.

Through MFA fatigue and a series of voice phishing attacks impersonating trustworthy support companies, the attacker persuaded the Cisco employee to accept MFA push alerts. The threat actors were able to access the VPN in the context of the targeted user after ultimately tricking the victim into accepting one of the MFA alerts.

“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password synchronization in Google Chrome and had saved their Cisco credentials in their browser, allowing that information to synchronize with their Google account.” published by Cisco Talos.

Once the Yanluowang operators had acquired access to the corporate network of the company, they expanded laterally to domain controllers and Citrix servers.

After getting domain admin access, they deployed a number of payloads, including a backdoor, on infected devices and utilised enumeration tools including ntdsutil, adfind, and secretsdump to gather further information.

“After gaining initial access, the threat actor engaged in a variety of activities to retain access, reduce forensic evidence, and raise their level of access to the environment’s systems”. “The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.” they added.

Recently, the threat actor that carried out the Cisco breach shared a directory listing of data that were purportedly taken during the attack last week. They claims to have stolen 2.75GB of data, which is comprised of approximately 3,100 files. Non-disclosure agreements, data dumps, and engineering drawings make up a large portion of these files. As proof of the attack, the threat actors sent a redacted NDA document stolen in the attack.

Image source

Cisco said that throughout the attack, the Yanluowang gang did not use any ransomware on their network. The Yanluowang ransomware group is attempting to blackmail the company and has published a list of files that have been taken from it. If Cisco does not pay the ransom, the group has threatened to release all the material that has been stolen.

Image source

While we did not detect ransomware deployment in this attack, the TTPs employed were consistent with “pre-ransomware behaviour,” which is typically observed prior to ransomware distribution in victim environments. Many of the TTPs detected are consistent with CTIR activities from earlier engagements.” Talos experts conclude.

Impact

• Data Extortion
• Information Theft

Remediation

• Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs)  in your environment utilizing your respective security controls
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets