“MFA Fatigue” help attackers breach Cisco corporate network

Cisco has confirmed a ransomware attack on its corporate network that happened in late May.

Behind the attack was the Yanluowang Ransomware gang. According to Cisco, the attackers were able to steal non-sensitive data from a box folder linked to the account of a compromised employee.

MFA fatigue was critical to helping the attacker break through Cisco’s network. MFA fatigue is also known as MFA prompt spamming. After gaining access to compromised login credentials, a hacker tricks a user by repeatedly sending push notifications to authorize the login.

Through MFA fatigue and a series of sophisticated voice phishing attacks that faked trusted support organizations, the attacker convinced the CISCO employee to accept multi-factor authentication (MFA) push notifications.

The employee was eventually tricked into accepting one of the MFA notifications. The attackers then gained access to the VPN in the context of the target user.

After gaining access to the corporate network, the Yanluowang operators spread laterally to Citrix servers and domain controllers.

The attackers used enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information after accessing domain administrators, and then installed a number of payloads on compromised systems, including a backdoor.

Their activities were discovered by Cisco and eventually driven out of the environment.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web