Networking equipment major Cisco on Wednesday confirmed it was the victim of a cyberattack on May 24, 2022 after the attackers got hold of an employee's personal Google account that contained passwords synced from their web browser.
"Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account," Cisco Talos said in a detailed write-up. "The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account."
The disclosure comes as cybercriminal actors associated with the Yanluowang ransomware gang published a list of files from the breach to their data leak site on August 10.
The exfiltrated information, according to Talos, included the contents of a Box cloud storage folder that was associated with the compromised employee's account and is not believed to have included any valuable data.
Besides the credential theft, there was also an additional element of phishing wherein the adversary resorted to methods like vishing (aka voice phishing) and multi-factor authentication (MFA) fatigue to trick the victim into providing access to the VPN client.
MFA fatigue or prompt bombing is the name given to a technique used by threat actors to flood a user's authentication app with push notifications in hopes they will relent and therefore enable an attacker to gain unauthorized access to an account.
"The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," Talos noted.
Upon establishing an initial foothold in the environment, the attacker moved to enroll a series of new devices for MFA and escalated to administrative privileges, giving them broad permissions to log in to several systems – an action that also caught the attention of Cisco's security teams.
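Defenders can look for this sequence in MFA logs: a burst of rejected or unanswered pushes, then an approval, then a new device enrollment. The Python below is an added example, not code from Cisco Talos or the original article; the log format, event names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed format: "<ISO time> <user> <event> <result>".
# Not real incident data. Events are assumed to be in chronological order.
SAMPLE_LOG = """\
2022-05-24T02:10:05 alice push denied
2022-05-24T02:10:40 alice push timeout
2022-05-24T02:11:15 alice push denied
2022-05-24T02:12:02 alice push timeout
2022-05-24T02:13:30 alice push denied
2022-05-24T02:14:30 alice push approved
2022-05-24T02:20:00 alice enroll new_device
2022-05-24T09:00:10 bob push denied
2022-05-24T09:00:45 bob push approved
2022-05-24T09:30:00 bob enroll new_device
"""

def detect_push_fatigue(log, min_rejected=4, window=timedelta(minutes=10),
                        enroll_window=timedelta(hours=1)):
    """Return (user, alert, timestamp) tuples for suspicious MFA sequences."""
    rejected = defaultdict(deque)   # user -> times of denied/timed-out pushes
    suspect_approval = {}           # user -> time of an approval that followed a burst
    alerts = []
    for line in log.strip().splitlines():
        ts_raw, user, event, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        if event == "push" and result in ("denied", "timeout"):
            rejected[user].append(ts)
        elif event == "push" and result == "approved":
            recent = rejected[user]
            while recent and ts - recent[0] > window:
                recent.popleft()    # drop rejections older than the window
            if len(recent) >= min_rejected:
                suspect_approval[user] = ts
                alerts.append((user, "approval_after_push_burst", ts_raw))
            recent.clear()          # an approval ends the current sequence
        elif event == "enroll":
            approved_at = suspect_approval.get(user)
            if approved_at is not None and ts - approved_at <= enroll_window:
                alerts.append((user, "mfa_enrollment_after_suspect_approval", ts_raw))
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A single mistaken denial followed by an approval (the constructed user `bob`) stays below the default threshold, so only the burst pattern and the enrollment that follows it are flagged.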
The threat actor, which Cisco attributed to an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, LAPSUS$ threat actor group, and Yanluowang ransomware operators, also took steps to add their own backdoor accounts and persistence mechanisms.
UNC2447, an "aggressive" financially motivated Russia-nexus actor, was uncovered in April 2021 exploiting a then zero-day flaw in SonicWall VPN to drop FIVEHANDS ransomware.
Yanluowang, named after a Chinese deity, is a ransomware variant that has been used against corporations in the U.S., Brazil, and Turkey since August 2021. Earlier this April, a flaw in its encryption algorithm enabled Kaspersky to crack the malware and offer a free decryptor to help victims.
Furthermore, the actor is said to have deployed a variety of tools, including remote access utilities like LogMeIn and TeamViewer and offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, aimed at increasing their level of access to systems within the network.
"After establishing access to the VPN, the attacker then began to use the compromised user account to logon to a large number of systems before beginning to pivot further into the environment," it explained. "They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers."
The threat actors were also subsequently observed moving files between systems within the environment using Remote Desktop Protocol (RDP) and Citrix by modifying host-based firewall configurations, not to mention staging the toolset in directory locations under the Public user profile on compromised hosts.
That said, no ransomware was deployed. "While we did not observe ransomware deployment in this attack, the TTPs used were consistent with 'pre-ransomware activity,' activity commonly observed leading up to the deployment of ransomware in victim environments," the company said.
Cisco further noted that the attackers, after being booted off, tried to establish email communications with the company executives at least three times, urging them to pay and that "no one will know about the incident and information leakage." The email also included a screenshot of the directory listing of the exfiltrated Box folder.
Aside from initiating a company-wide password reset, the San Jose-based firm stressed the incident had no impact on its business operations and did not result in unauthorized access to sensitive customer data, employee information, or intellectual property, adding it "successfully blocked attempts" to access its network since then.