The Yanluowang ransomware group behind the May attack on Cisco Systems has publicly leaked the stolen files on the dark web over the weekend, but the networking giant says there’s nothing to worry about.
Talos, Cisco’s threat intelligence arm, confirmed the authenticity of the files leaked, saying they matched what the networking giant said was stolen during the attack and reiterated that its operations were not adversely affected.
In a blog post, Talos wrote that “we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
Cisco disclosed the attack last month after the ransomware group published a list of stolen files on the dark web. It claims the data taken during the attack included non-sensitive information like the contents of a Box folder associated with the personal Google account that the group compromised as part of its initial access, and employee authentication data from Active Directory.
“The Box data obtained by the adversary in his case was not sensitive,” the Talos experts wrote.
However, the leader of the Yanluowang reportedly said the group had stolen as much as 55GB of data that included such sensitive information as source codes and classified materials.
Fund the criminals? At what price?
According to Erich Kron, security awareness advocate at security awareness training firm KnowBe4, it’s clear that Cisco chose not to pay the extortion demanded by the ransomware gang, which led to the stolen data being posted.
“Because the stolen data was of low impact to Cisco, the threat of public disclosure of this data lost its leverage,” Kron told The Register. “Unfortunately, in a lot of cases, the information is sensitive enough to force organizations to pay to avoid public disclosure. Any stolen data is likely to end up for sale on the dark web, even if organizations pay the ransom.”
The criminals were able to initially access the Cisco VPN through the compromised Google account of an employee who had enabled password syncing through Google Chrome and stored their Cisco credentials in the browser.
With the user’s credentials in hand, they worked to bypass multifactor authentication (MFA) through calling directly or sending a lot of push requests to the user’s mobile device in hopes of getting the person to access an account either accidentally or in hopes of ending the repeat push notifications.
“In this instance, an employee reported that they received multiple calls over several days in which the callers – who spoke in English with various international accents and dialects – purported to be associated with support organizations trusted by the user,” the Talos team wrote.
Once in Cisco’s networks, the attackers enrolled new devices for MFA and successfully authenticated them on the Cisco VPN. They then escalated administrative privileges but that alerted CSIRT, which found the threat group had brought in remote access software like LogMeIn and TeamViewer and such security tools as Cobalt Strike, Mimikatz, PowerSploit and Impacket.
The attackers also added their own backdoor accounts and tools for ensuring persistence. They sought information like user and group memberships and hostnames, moved laterally through the networks, used the compromised user account to get into other systems, moved into Cisco’s Citrix environment, and compromised some Citrix servers.
Once removed from the Cisco networks, the attackers continued to try to get back in, mostly by targeting weak passwords after mandatory resets, according to Talos.
Persistence pays off
KnowBe4’s Kron noted that a high percentage of breaches after initial access is gained through phishing emails sent to employees, highlighting the need to continue to educate them on spotting and reporting attacks. In addition, a good data loss prevention (DLP) system also is needed.
“The issue of data exfiltration and threats of public disclosure is not new, but the practice is becoming common,” he said. “Due to the threat of these attacks, organizations are wise to focus on preventing the network intrusion in the first place, not just quickly recovering, and should ensure that access to sensitive data is limited and tightly controlled.”
Symantec’s Threat Hunter Team uncovered the Yanluowang gang last year and other security vendors also have kept an eye on it. In August, MDR specialist eSentire’s Threat Response Unit said that the IT infrastructure used in the Cisco attack in May also was used in an attempted compromise of another workforce management software company the month earlier.
In a report, eSentire said a person with an alias of mx1r was the cybercriminal behind the attack on its client and that Mandiant – the security company that now is part of Google – linked the attacker to a high-profile Russian-linked group called Evil Corp (also known as UNC2165).
Cisco had linked its attacker to a cybercriminal with ties to not only Yanluowang but also Lapsus$ and FiveHands (UNC2447), another ransomware group. Let’s face it, Cisco’s a very tempting target given its market position. ®