Cisco Hacked By Yanluowang Ransomware Gang, 2.8GB Allegedly Stolen (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online. The company revealed that the attackers could only harvest and steal non-sensitive data from a Box folder linked to a compromised employee's account. "Cisco experienced a security incident on our corporate network in late May 2022, and we immediately took action to contain and eradicate the bad actors," a Cisco spokesperson told BleepingComputer. "Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community."
The Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations. The threat actors finally tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company's corporate network, Yanluowang operators spread laterally to Citrix servers and domain controllers.
"They moved into the Citrix environment, compromising a series of Citrix servers and eventually obtained privileged access to domain controllers," Cisco Talos said. After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor. Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks. [...] Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack. The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.
MFA Push Notifications? (Score:3)
Why?... Why would anyone who needs actual security do that? That defeats the whole bloody purpose of MFA as actual security.
Re:MFA Push Notifications? (Score:5, Insightful)
The more secure way is to just prompt for the random token in the relevant section of the app, usually a six-digit number as part of the login process. That requires you sign into the app, open the relevant token, look up the code, and then enter it, which takes a bit longer but is clearly a process that you have initiated, and not some random "you need to reauthenticate" reminder which the bad actors here appear to have spammed their victim with. Alternatively, a few of mine work by appending the six-digit number to my password on login, combining two factors - "know" and "have" - into a single step, but that is definitely the minority case - I have only four of those, and they're all VPN / remote system access related.
Re: (Score:2)
*looks at keychain of RSA authenticators*
Yeah.. The OAuth I have on my phone is a godsend :P
Re: (Score:2)
2.8Gigs? (Score:2)
That's... not a lot...
But its HAAARD (Score:5, Insightful)
MFA fatigue
How about next time that you get spammed with so many MFA requests you didn't make that you become "fatigued" dealing with them, that you OPEN AN INCIDENT WITH YOUR SECURITY TEAM?
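Added example (not from any comment on this page): the comment above puts the burden on the user to notice a flood of prompts, but the authentication logs already hold that signal. The detector below reads constructed MFA log lines (the field names `user`, `result`, `method` and the timestamp format are assumptions, not any product's real log schema), keeps a sliding window of denied or timed-out push prompts per user, raises an alert when a burst reaches the threshold, and raises a second, higher-severity alert when an approval follows such a burst, which is exactly the sequence described in the story summary.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; format is an assumption for this example.
LOG_LINES = [
    "2022-05-24T14:00:00Z user=alice result=denied method=push ip=203.0.113.5",
    "2022-05-24T14:01:10Z user=alice result=denied method=push ip=203.0.113.5",
    "2022-05-24T14:02:05Z user=alice result=timeout method=push ip=203.0.113.5",
    "2022-05-24T14:03:30Z user=alice result=denied method=push ip=203.0.113.5",
    "2022-05-24T14:04:00Z user=alice result=denied method=push ip=203.0.113.5",
    "2022-05-24T14:05:00Z user=bob result=approved method=push ip=198.51.100.7",
    "2022-05-24T14:06:00Z user=alice result=approved method=push ip=203.0.113.5",
    "2022-05-24T14:00:00Z user=carol result=denied method=push ip=192.0.2.9",
    "2022-05-24T14:30:00Z user=carol result=denied method=push ip=192.0.2.9",
    "2022-05-24T14:31:00Z user=dave result=denied method=totp ip=192.0.2.10",
]


def parse_line(line: str) -> dict:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts_str, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_mfa_fatigue(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Return (user, alert_type, timestamp) tuples.

    push_fatigue_burst: `threshold` unaccepted push prompts for one user inside `window`.
    approval_after_push_burst: an approval arriving while such a burst is still open,
    i.e. the user may have given in to the spam. Lines are assumed to be in time order
    per user; only method=push events count, since TOTP cannot be spammed this way.
    """
    recent = defaultdict(deque)  # user -> timestamps of unaccepted push prompts
    alerts = []
    for event in map(parse_line, lines):
        if event.get("method") != "push":
            continue
        user = event["user"]
        pending = recent[user]
        # Drop prompts that fell out of the sliding window.
        while pending and event["ts"] - pending[0] > window:
            pending.popleft()
        if event["result"] in ("denied", "timeout"):
            pending.append(event["ts"])
            if len(pending) == threshold:
                alerts.append((user, "push_fatigue_burst", event["ts"]))
        elif event["result"] == "approved":
            if len(pending) >= threshold:
                alerts.append((user, "approval_after_push_burst", event["ts"]))
            pending.clear()
    return alerts


if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(LOG_LINES):
        print(f"{ts.isoformat()} {user}: {kind}")
```

Feeding this a real identity provider's export means mapping its field names onto `user`, `result` and `method`; the thresholds are deliberately conservative so that a user fat-fingering one prompt does not page anyone, while five unaccepted prompts in ten minutes followed by an approval is worth an immediate session revocation and a call to the user rather than waiting for them to open a ticket.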
Re: (Score:3)
MFA itself was born from that and nobody competent thought "this MFA thing has solved security exploits forever". This is and always has been an arms race.
Re: (Score:3)
How about next time that you get spammed with so many MFA requests you didn't make that you become "fatigued" dealing with them, that you OPEN AN INCIDENT WITH YOUR SECURITY TEAM?
And risk getting fired/chewed out? Are you expecting low-level employees to give a shit about a company that doesn't give a shit about them?
Sounds like our work VPN (Score:3)
Dump source showing intentional backdoors (Score:4, Interesting)
Dump source showing intentional backdoors.
Anyone who knows Cisco knows that's what we're here to see. Every time a back door is discovered, oddly enough, once we discover a new one and then go backdating it through the IOS releases it always seems to appear right when the other back door got closed.
Over, and over, and over. As if these carrier grade systems have some kind of intentional government NSA meddling. The back doors-afloweth from this company.
So it wasn't ransomware (Score:3)
Accessing someone's credentials, copying files, and extorting the owner to prevent disclosure is bad and all - but none of this is "ransomware". Ransomware is software that actually manages the situation and coordinates the ransom. Ransomware generally functions on the availability or integrity of information, such as by encryption.
Re: (Score:2)
Nowhere does it say it was ransomware. Just that they've been hacked by a ransomware gang. Not the same thing.
Google is complicit (Score:2)
hijacking the employee's personal Google account containing credentials synced from their browser.
I do store passwords, but only on my computer. They're not synced anywhere, so you'd have to get physical access to get at them.
Sometimes security is more important than convenience.
2.75GB of data (Score:2)
A rounding error produced the title. 2.8GB is a more salacious title than 2.75GB, but it is disingenuous! The next article that quotes this article will round up to 2.9GB, then the article that quotes that article will go to 3GB, then 3.5GB, and so on. Soon we'll get to nonsensical numbers like 50TB as everyone tries to one up their competitors and the titles stop reflecting anything resembling reality.
Oh wait, that's the natural result of Google Chrome and Mozilla Firefox non-semantic versioning. Never
Authenticator impersonation (Score:2)
MFA that does not protect against impersonating authenticators is not fit for purpose and should be rejected as insecure. This includes nearly ALL existing Email/SMS, APP and OTP schemes commonly deployed.
No surprise (Score:2)
Cisco is simply incompetent with regards to IT security. Their products have made that clear for at least a decade. It is absolutely no surprise that their corporate systems are no better.