August 13 Update below. This post was originally published on August 11.
Networking giant Cisco confirms hacking as ransomware group publishes a partial list of files it claims to have exfiltrated.
On the same day that the Yanluowang ransomware group published a partial list of files it says were stolen from Cisco, the networking giant’s Talos Intelligence Group confirmed that Cisco had, indeed, been hacked.
The confirmation, which came by way of a Talos blog post, stated that Cisco was first made aware of a potential compromise on May 24. The potential compromise became a confirmed network breach following further investigation by the Cisco Security Incident Response Team (CSIRT).
Who is behind the Cisco hack?
Cisco said that the initial access vector was the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of the employee’s credentials and access to the Cisco VPN.
The threat actor, confirmed as an initial access broker with ties to a Russian group called UNC2447 as well as to the Yanluowang ransomware gang, was ejected from the network and prevented from re-entering despite many attempts over the following weeks. The tactics, techniques, and procedures (TTPs) also showed some overlap with the Lapsus$ group, many of whose members were arrested earlier in the year.
August 12 Update:
The threat intelligence analyst’s perspective
“Whether this incident was overstated by Yanluowang depends on perspective. From analyzing the directory leaked and Cisco’s statement, it seems that the data exfiltrated – both in size and content – is not of great importance or sensitivity,” Louise Ferrett, a threat intelligence analyst at Searchlight Security, told me.
“However, as was the case with a number of attacks by actors such as LAPSUS$,” Ferrett continues, “sometimes the act of compromising a corporate network itself can be enough for threat actors to gain mainstream publicity and underground ‘cred’, which can lead to further resources and collaboration in the future…