Cisco Systems has admitted that data posted on Sunday by the Yanluowang ransomware gang was stolen from the networking giant in a cyberattack earlier this year.
In an updated blog post yesterday, Cisco’s Talos threat intelligence team said that the contents of files posted by the gang on its data leak site matched data from the list of file names Yanluowang had earlier published claiming to be from the company.
Nevertheless, Cisco maintains no sensitive customer, employee, or corporate data was copied.
“Our previous analysis of this incident remains unchanged,” the blog says. “We continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
Cisco acknowledged in August that on May 24th it realized there had been a “potential compromise.” A company employee’s credentials had been compromised after an attacker gained control of their personal Google account where credentials saved in the victim’s browser were being synchronized. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.
The attacker then ran a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker, Cisco said. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to the VPN in the context of the targeted user. Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted the Cisco Security Incident Response Team (CSIRT).
The threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment before being ejected from the network. That activity included the use of remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and the addition of the gang’s own backdoor accounts and persistence mechanisms.
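The two signals that stand out in the sequence Cisco describes are a run of MFA push prompts that finally ends in an acceptance, followed soon afterwards by enrollment of a new MFA device. The following is an added detection example, not code from Cisco or Talos, that flags both patterns over a constructed authentication log; the log format, field names and thresholds are assumptions for illustration.

```python
"""Detection example (added; not Cisco's or Talos's code): flag an MFA push
acceptance preceded by repeated denials/timeouts (push fatigue) and a new MFA
device enrolled shortly after such an acceptance.  Log layout, field names and
thresholds are assumptions chosen for illustration."""
from datetime import datetime, timedelta

# Constructed sample log (not real Cisco telemetry).
# Fields: timestamp user event device_id
SAMPLE_LOG = """\
2022-05-24T08:01:10Z alice push_sent laptop-1
2022-05-24T08:01:40Z alice push_denied laptop-1
2022-05-24T08:03:05Z alice push_sent laptop-1
2022-05-24T08:03:50Z alice push_timeout laptop-1
2022-05-24T08:05:12Z alice push_sent laptop-1
2022-05-24T08:05:30Z alice push_denied laptop-1
2022-05-24T08:07:02Z alice push_sent laptop-1
2022-05-24T08:07:15Z alice push_accepted laptop-1
2022-05-24T08:20:44Z alice device_enrolled phone-9
2022-05-24T09:00:00Z bob push_sent phone-2
2022-05-24T09:00:20Z bob push_accepted phone-2
"""

PUSH_WINDOW = timedelta(minutes=15)   # look-back for denied/timed-out pushes
PUSH_THRESHOLD = 3                    # rejections before an accept is suspicious
ENROLL_WINDOW = timedelta(hours=1)    # new device soon after a suspect accept


def parse_log(text):
    """Parse the space-separated log into sorted (time, user, event, device) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, device = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, device))
    events.sort()
    return events


def detect(events):
    """Return a list of (rule, user, timestamp) findings."""
    findings = []
    per_user = {}
    for ts, user, event, device in events:
        per_user.setdefault(user, []).append((ts, event, device))

    for user, evs in per_user.items():
        suspect_accepts = []
        # Rule 1: an acceptance preceded by >= PUSH_THRESHOLD rejections in the window.
        for i, (ts, event, device) in enumerate(evs):
            if event != "push_accepted":
                continue
            rejected = sum(
                1 for t, e, _ in evs[:i]
                if e in ("push_denied", "push_timeout") and ts - t <= PUSH_WINDOW
            )
            if rejected >= PUSH_THRESHOLD:
                findings.append(("mfa_push_fatigue", user, ts))
                suspect_accepts.append(ts)
        # Rule 2: a new MFA device enrolled within ENROLL_WINDOW of a suspect accept.
        for ts, event, device in evs:
            if event == "device_enrolled" and any(
                timedelta(0) <= ts - a <= ENROLL_WINDOW for a in suspect_accepts
            ):
                findings.append(("post_compromise_mfa_enrollment", user, ts))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log, "alice" triggers both rules (three rejected prompts within fifteen minutes of the acceptance, then a device enrolled thirteen minutes later), while "bob", who accepted a single prompt, triggers none. In practice the same logic is fed from the identity provider's authentication and device-management audit events, and the enrollment rule is the higher-fidelity of the two because legitimate users rarely add a device minutes after a burst of rejected prompts.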
The Bleeping Computer news service said Yanluowang’s leader told it thousands of Cisco files including classified documents, technical schematics, and source code were stolen. When the news site asked for comment, Cisco denied the possibility that the intruders had exfiltrated or accessed any source code.