- The investigation initiated by Cisco Security Incident Response and Cisco Talos showed that employee credentials were compromised.
- The attackers conducted a series of voice phishing attacks under the guise of various trusted organizations to convince the victim to accept multi-factor authentication push notifications.
- The attackers attempted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access within the environment, but failed.
Cisco published a blog post sharing detailed information about a cyber attack that targeted the company. The incident took place on May 24, 2022. When the company was made aware of a potential compromise, Cisco Security Incident Response and Cisco Talos started investigating the issue. The company admitted that employees’ credentials were compromised.
2.75 GB of stolen data
Cisco stated that the attackers conducted voice phishing attacks mimicking trusted organizations. Initially, the attackers managed to convince the victim to accept a multi-factor authentication push notification that the attacker had initiated. This granted them VPN access in the context of the targeted user.
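As an added illustration, not code from Cisco’s report, the following Python sketches a detection for the pattern described above: a run of rejected or timed-out MFA push prompts followed by an approval from the same source. The log format, field names and thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format): "timestamp user result source_ip"
SAMPLE_LOG = """\
2022-05-24T09:01:05Z alice denied 203.0.113.7
2022-05-24T09:01:40Z alice timeout 203.0.113.7
2022-05-24T09:02:10Z alice denied 203.0.113.7
2022-05-24T09:03:30Z alice approved 203.0.113.7
2022-05-24T09:05:00Z bob approved 198.51.100.2
2022-05-24T11:00:00Z carol denied 192.0.2.9
2022-05-24T13:00:00Z carol approved 192.0.2.9
"""

def parse_log(text):
    """Parse one push-prompt record per line into (ts, user, result, source_ip)."""
    events = []
    for line in text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=2):
    """Flag users for whom at least `min_rejected` denied/timed-out prompts were
    followed by an approval inside `window`. Returns (user, rejected_count, approve_ts)."""
    by_user = defaultdict(list)
    for ev in sorted(events):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        pending = []  # timestamps of rejected prompts still inside the window
        for ts, _, result, _ip in evs:
            pending = [p for p in pending if ts - p <= window]
            if result in ("denied", "timeout"):
                pending.append(ts)
            elif result == "approved":
                if len(pending) >= min_rejected:
                    alerts.append((user, len(pending), ts.isoformat()))
                pending = []  # an approval closes the sequence either way
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print("possible MFA push fatigue:", alert)
```

Carol’s single denial two hours before her approval falls outside the window and is not flagged, which is the kind of tuning a real deployment would revisit against its own baseline.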
The investigation initiated by CSIRT and Talos found no evidence that the attackers could access critical internal systems. However, Cisco employees’ credentials were compromised. The attackers gained control of a personal Google account; the victim had saved credentials in the browser, and browser synchronization was enabled, so those credentials were exposed. The attackers tried to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
The company managed to remove the threat actor from the environment. The attackers made several unsuccessful attempts to regain access during the following weeks. Cisco believes that the attack was conducted by an adversary previously identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operators.
Meanwhile, the Yanluowang gang claims to have stolen 2.75 GB of data, comprising approximately 3,100 files. Most of these are non-disclosure agreements, data dumps, and engineering drawings. The gang published the stolen data on their data leak site. Cisco said:
« Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information.
Given the actor’s demonstrated proficiency in using a wide array of techniques to obtain initial access, user education is also a key part of countering MFA bypass techniques. Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious. »