Lessons on Cyber Hygiene and Unwavering Vigilance from Cisco’s 2022 Breach

The networking giant Cisco recently confirmed that it was successfully breached by the Yanluowang ransomware gang. On May 24, 2022, Cisco’s incident response team began investigating a suspected compromise within their network. A threat actor was able to steal data from Cisco and attempted to extort them for money before publishing it to the dark web. Cisco fortunately didn’t suffer major damages and stated, “Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.” The initial access to Cisco’s network is interesting and a great learning opportunity.

Employee’s credentials saved in personal Google account

Although saving credentials within browsers makes it easy to input complex credentials into sites, it can be stolen by hackers. The compromised user had saved their Cisco VPN credentials within the browser and enabled browser syncing with Google Chrome. By compromising the personal Google account, the attackers were able to sync and gain access to the passwords stored.  

If at first you don’t succeed, try again

The attackers then defeated Multifactor Authentication (MFA) by using voice phishing (AKA “vishing”) techniques and MFA fatigue. Vishing is a technique using phone calls to impersonate a trusted entity in order to trick their target into doing something. MFA fatigue is sending repeated MFA prompts in the attempt to get the target to accept the MFA prompt unknowingly of the attack. Once the attacker was able to successfully log into the company VPN, they enrolled other devices to MFA to bypass the user’s MFA prompts.  

Digging In

Once the attackers gained access to the network, they were able to laterally move to other systems and were eventually able to get privileged access to domain controllers. The attackers exfiltrated the user database and performed offline cracking. The threat actor was able to access an online storage service and steal some data but Cisco reports that it was not sensitive.

Lessons Learned

- Although defenses are in place for corporate assets, personal use of work computers could allow a spillover between work and personal information. Prevent sensitive work information like credentials to be stored in a non-secure resource. Use a trusted password manager like LastPass, Bitwarden, and KeePass. Avoid storing credentials in browsers.  

- Heavily protect any email account that is linked to sensitive services (i.e. banking). A lot of services can execute a password reset successfully with just access to the email account. Use a long password and enable MFA.

- Keep browsers patched as much as possible. Browsers touch the dirty Internet the most. Stored passwords are often targeted within browser software.

- Use a separate device to conduct personal business. Browsing the web and checking email increases the chances of malicious code running on our work systems. 

- Be vigilant on MFA prompts. Please report suspicious MFA prompts that you think you did not generate. 

We all play an important role in keeping our assets safe and secure!

References:

https://tools.cisco.com/security/center/resources/corp_network_security_incident

http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html

https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/