How Did Cisco Get Hacked, What Was Leaked, and What Did We Learn?

1-Is Cisco really hacked?

Yanluowang shared Cisco’s profile on their leak site and claimed the attack.

On Tuesday evening, August 10, the Yanluowang ransomware group (linked to Lapsus$ extortion group) claimed to have hacked Cisco and will release its files. Two hours after this claim, Cisco published a detailed statement about the case on its official blog. Cisco has announced that it has experienced a partial cyber incident through an employee, albeit late. The detection date of the attack was stated as May 24, 2022.

In this short informative article, you’ll find the answers of how Cisco was hacked and what lessons can be learned from this attack.

2-How did the incident take place? What is the initial access vector?

According to the published blog post, threat actors seized the personal Google account of a Cisco employee -probably by a stealer log- and attempted to log in to the systems using the password to the corporate network. Then, with this account information, remote access was obtained via VPN to the systems.

Following initial access, the threat actor registered new devices for MFA and verified their identity with the Cisco VPN. The Citrix environment was compromised, and the attacker elevated administrative privileges and gained privileged access to domain controllers. The threat actor dropped several tools and payloads to carry out malicious activity.

The first payload is a backdoor that receives instructions from the C2 server and uses the Windows Command Processor to carry them out on the target system. There are two commands included in backdoors for stealth: one of them is the WIPE command, which wipes the last executed command from memory through the backdoor, and the other command is DELETE_SELF, which deletes the backdoor.

Threat actors dumped NTDS from controllers using ntdsutil[.]exe, then exfiltrated the dumped NTDS to the compromised VPN system. This way, they accessed credential databases and were able to move laterally in the network. Using the net[.]exe commands of Windows, a new administrative user named z was created and added to the local admin group.

Adding administrative user (Source: Cisco Talos)

The created user was used to deploy enumeration tools like AdFind and SecretsDump to gather more information.

The attacker deleted the previously established local administrator account and event logs to erase the evidence.

It was observed that they installed RAT tools like TeamViewer and LogMeIn and enabled RDP access to move files inside the environment.

Enabling RDP access (Source: Cisco Talos)

Windows logon bypass was leveraged to maintain a presence in the system with elevated privileges. Registry keys were added remotely using PSEXESVC[.]exe.

The threat actors tried to exfiltrate data during their presence. They could only exfiltrate non-sensitive Box folder data linked to a compromised employee account.

Their efforts to gain access persisted after Cisco completely removed them from the environment. They then tried to communicate via email and sent Cisco a screenshot of exfiltrated Box data.

Threat actors tried to communicate via email and sent Cisco a screenshot of exfiltrated Box data.

If you want to find out if the corporate accounts have been shared on the Dark Web, you can use SOCRadar’s free Deep Web Report service.

3-Cisco doesn’t use multi-factor authentication? How could it be circumvented?

By using voice phishing and similar MFA (multi-factor authentication) bypass techniques, the attacker group managed to receive/confirm the verification code received by the user. With this method, it has completed VPN access to the network.

Check here for detailed information on the commonly used MFA Fatigue method to bypass multi-factor authentication.

4-Did threat actors access internal systems and source codes?

After obtaining VPN access, the attacker took over the active directory accounts, tried to put them on the internet, and was successful. Cybersecurity experts think that the attacker who took over the active directory administrator account may have access to many different systems.

5-Which threat actors might have carried out this sophisticated attack?

Allegedly, UNC2447, Lapsus$, and Yanluowang ransomware group may be the actors behind this attack. The threat actor that announced that it would release the data is the Yanluowang ransomware group.

6-What are the tools and TTPs used in the attack?

The tools used in the attack are not much different from what the attackers have used frequently for the past five years.

In addition to LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket are used by attackers. The TTPs of threat actors are as follows.

Initial Access

Execution

ATT&CK Technique: System Services: Service Execution (T1569.002)

Persistence

Privilege Escalation

ATT&CK Technique: Event Triggered Execution: Image File Execution Options Injection (T1546.012)

Credential Access

Lateral Movement

ATT&CK Technique: Remote Services (T1021)

Discovery

ATT&CK Technique: Query Registry (T1012)

Command and Control

Exfiltration

ATT&CK Technique: Exfiltration Over Alternative Protocol (T1048)

7-What should we do for not to be affected by this event?

According to the analysis published by Cisco, only the files of the relevant employee and the account information of Cisco employees (information registered in the domain) seem to have been leaked. Although Cisco has updated all account information, cybersecurity experts recommend that you switch off these connections for a short time (one week). It advises not to open the relevant accounts without receiving a mail from Cisco that the passwords have been changed.

8-What can we do to avoid a similar security breach?

Ban requests from anonymization systems such as TOR at the Gateway level.
Test alerts to SOC teams by writing strict SIEM rules for suspicious activity for systems using MFA.
Actively use Dark Web monitoring and Threat Intelligence systems against stolen accounts.
Monitor your systems for suspicious activities 24/7.
Conduct cyber drills to be prepared for potential attacks.

9-How can a reliable cybersecurity company like Cisco be hacked? Should we stop receiving services from Cisco?

With the expanding attack surface, every firm with a size above a certain scale will likely encounter similar results. Because attackers have accumulated more data than ever before to attack organizations. This attack is slightly different from the attacks we’ve seen before.

Using the browser sync feature, the personal account was directly accessed, and corporate information was obtained from it. Although MFA is active in the corporate account of the Cisco employee, it is understood that not used in the personal account.

Using MFA is strongly suggested by security experts. This incident shows that cybersecurity is a process, not a goal. It should be kept in mind that cyber attackers develop a solution for every measure taken.