Cisco identifies security incident

Overview

The Yanluowang ransomware group claims to have hacked Cisco. In an update to their darknet ransom blog, the group published a list of files allegedly stolen from the company’s network.

Cisco has published a statement acknowledging the breach and denying any impact to their business. They also published a technical blog post with details of the attack.

At this time there is no evidence that the malicious actors gained access to customer data, products or services.

Impact

The threat actor initially gained access to a personal Google account, which allowed them to access the victim’s saved browser credentials, including a saved VPN password. The VPN required multi-factor authentication (MFA), so they used voice phishing attacks to convince the user to confirm the MFA push alert.

Once connected to the network, they took actions to maintain access and escalate their privileges to allow lateral movement. This alerted Cisco’s incident response (IR) team and the threat actors weren’t able to reconnect after being removed from the environment.

Affected Products

There’s no evidence that any Cisco products were affected.

Containment, Mitigations & Remediations

Although the threat actor was ultimately successful in connecting to the network, MFA made it more difficult for them to access the VPN, and MFA should be enabled whenever possible. The “MFA prompt fatigue” attack could be mitigated with a hardware-based MFA token or with a lockout policy.
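One way to apply the lockout policy mentioned above and to alert on the prompt-fatigue pattern, shown as an added example that is not code from Cisco or from this advisory. The log format, event names, thresholds and sample lines are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log (assumed format): ISO timestamp, user, push result
SAMPLE_LOG = """\
2024-01-09T02:10:05 alice push_denied
2024-01-09T02:10:40 alice push_timeout
2024-01-09T02:11:15 alice push_denied
2024-01-09T02:12:02 alice push_denied
2024-01-09T02:12:30 alice push_approved
2024-01-09T09:00:00 bob push_denied
2024-01-09T09:00:20 bob push_approved
2024-01-09T09:30:00 carol push_timeout
2024-01-09T11:45:00 carol push_timeout
2024-01-09T14:00:00 carol push_approved
"""

FAILED = {"push_denied", "push_timeout"}  # hypothetical event names

def parse(log):
    """Yield (timestamp, user, result) tuples from the assumed log format."""
    for line in log.splitlines():
        if line.strip():
            ts, user, result = line.split()
            yield datetime.fromisoformat(ts), user, result

def detect_push_fatigue(log, threshold=3, window=timedelta(minutes=10)):
    """Flag users who reach `threshold` denied/unanswered pushes inside `window`
    (lockout point) and any approval that arrives while that burst is active."""
    recent = defaultdict(deque)  # user -> timestamps of failed pushes in window
    findings = []
    for ts, user, result in sorted(parse(log)):
        q = recent[user]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result in FAILED:
            q.append(ts)
            if len(q) == threshold:       # policy: stop sending pushes here
                findings.append((user, "lockout", ts))
        elif result == "push_approved":
            if len(q) >= threshold:       # approval after a burst: investigate
                findings.append((user, "approval_after_burst", ts))
            else:
                q.clear()                 # normal login resets the counter
    return findings

if __name__ == "__main__":
    for user, kind, ts in detect_push_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, kind)
```

A single mistyped denial followed by an approval (bob) and failures spread over hours (carol) do not trigger; only the tight burst does.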

Cisco, being a network security company, had strong segmentation controls in place, which meant that once the actor was on the network they were still restricted in what they could access.

Centralised log collection gave the IR team visibility even when the attacker took steps to hide their activity, which is why we advise customers to protect their logs externally.

Google Chrome profiles can be used to secure browsers and prevent personal accounts from being signed in. Additionally, a dedicated password manager would have been more secure than Chrome’s built-in password manager, so the use of a dedicated password manager is strongly advised to reduce the risk of similar attacks.

Indicators of Compromise

SHA-256 hashes
IP addresses
Domains

Email address
costacancordia[@]protonmail[.]com

 

Threat Landscape

A vendor like Cisco is a valuable target, both for access to its own product development information and as part of a supply-chain attack against other organisations. If the actor had been able to access customer secrets or information on software vulnerabilities, they’d be able to pivot to other organisations. Cisco Security Incident Response (CSIRT) found no evidence that critical systems such as product development or code signing have been affected.

MITRE Methodologies

Initial Access

T1566 – Phishing

T1078 – Valid Accounts

Execution

T1569.002 – System Services: Service Execution

Persistence

T1136.001 – Create Account: Local Account

T1098.005 – Account Manipulation: Device Registration

Privilege Escalation

T1546.012 – Event Triggered Execution: Image File Execution Options Injection

Defense Evasion

T1070 – Indicator Removal on Host

T1070.001 – Indicator Removal on Host: Clear Windows Event Logs

T1036.005 – Masquerading: Match Legitimate Name or Location

T1562.004 – Impair Defences: Disable or Modify System Firewall

T1112 – Modify Registry

Credential Access

T1003.001 – OS Credential Dumping: LSASS Memory

T1003.002 – OS Credential Dumping: Security Account Manager

T1003.003 – OS Credential Dumping: NTDS

T1621 – Multi-Factor Authentication Request Generation

Lateral Movement

T1021 – Remote Services

Discovery

T1012 – Query Registry

Command and Control

T1071.001 – Application Layer Protocol: Web Protocols

T1219 – Remote Access Software

T1573.002 – Encrypted Channel: Asymmetric Cryptography

T1090.003 – Proxy: Multi-hop Proxy

Exfiltration

T1048 – Exfiltration Over Alternative Protocol

Further Information

Cisco Talos shares insights related to recent cyber-attack on Cisco

Cisco Event Response: Corporate Network Security Incident