Networking giant Cisco disclosed yesterday that its corporate network was accessed by bad actors in May after a staff member’s personal Google account was compromised, and a list of files accessed during the breach appeared on the Dark Web.
The attackers took control of the employee’s personal Google account where credentials saved in the victim’s browser were being synchronised. They then conducted a series of sophisticated voice phishing attacks under the guise of various trusted organisations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the malefactor.
The threat actor ultimately succeeded in achieving an MFA push acceptance, granting them access to the VPN in the context of the targeted user.
A ransomware gang dubbed “Yanluowang" has now claimed responsibility for the attack.
Containment, eradication
In a statement, Cisco said it identified a security incident targeting its corporate IT infrastructure, on 24 May, and took immediate action to contain and eradicate the bad actors.
Prior to this disclosure, the company said it has been actively collecting information about the threat actor to help protect the security community.
“In addition, we have taken steps to remediate the impact of the incident and further harden our IT environment. No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.”
The company also claimed its business has suffered no impact from the incident, including none to any of its products or services, sensitive customer or employee data, IP, or supply chain operations.
According to Cisco, every security event is a chance to learn, boost resilience and help the security community as a whole.
The company has updated its security products with intelligence gained from observing the attacker’s techniques, shared indicators of compromise with other parties, and reached out to law enforcement and other partners.
Speaking of the remediation actions it has taken, Cisco says it has extensive IT monitoring and remediation capabilities in place, and has used these capabilities to implement additional protections, block any unauthorised access attempts, and mitigate the security threat.
“We are also putting additional emphasis on employee cyber security hygiene and best practices to avoid similar instances in the future."
Vendors in the cross hairs
Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, says these days, cyber security and technology vendors are commonly targeted by sophisticated threat actors for a variety of interconnected reasons.
“Firstly, vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks,” he adds.
Next, he says, vendors frequently have invaluable cyber threat intelligence, and bad actors are highly motivated to conduct counter-intelligence operations, aimed at finding out where law enforcement and private vendors are with their investigations and upcoming police raids.
Finally, he says some vendors are highly attractive targets because they possess the most recent digital forensics and incident response tools and techniques used to detect intrusions and uncover cyber criminals, while some other vendors may have exploits for zero-day vulnerabilities, or even source code of sophisticated spyware, which can later be used against new victims or sold on the Dark Web.
Kolochenko notes the industry needs to prepare for a continually growing volume and sophistication of cyber attacks targeting technology companies, particularly security vendors.
Share