Cisco identifies security incident
Overview
The Yanluowang ransomware group claims to have hacked Cisco. In an update to their darknet ransom blog the group published a list of files, allegedly stolen from the company’s network.
Cisco has published a statement acknowledging the breach and denying any impact to their business. They also published a technical blog post with details of the attack.
At this time there is no evidence that the malicious actors gained access to customer data, products or services.
Impact
The threat actor initially gained access to a personal Google account which allowed them to access the victim’s saved browser credentials, including a saved VPN password. The VPN required multi-factor authentication (MFA) so they used voice phishing attacks to convince the user to confirm the MFA push alert.
Once connected to the network, they took actions to maintain access and escalate their privileges to allow lateral movement. This alerted Cisco’s incident response (IR) team and the threat actors weren’t able to reconnect after being removed from the environment.
Affected Products
There’s no evidence that any Cisco products were affected.
Containment, Mitigations & Remediations
Although the threat actor was ultimately able to connect to the network, MFA still made access to the VPN harder, and MFA should be enabled wherever possible. The “MFA prompt fatigue” attack could be mitigated with a hardware-based MFA token or with a lockout policy after repeated failed prompts.
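As an added illustration of the lockout policy mentioned above (this is example code, not Cisco's or any MFA vendor's implementation), the following evaluates a stream of push events against an assumed policy: each denied or unanswered push counts as a failure, MAX_FAILED failures for one user within WINDOW_SECONDS lock the account until an administrator clears it, and an approval that arrives while failures are still inside the window is allowed but flagged, since a user who finally taps "approve" after a burst of prompts is exactly the case the attack relies on. The thresholds, the event shape and the sample events are all constructed assumptions.

```python
"""Added example, not Cisco's or any vendor's code: a push-based MFA lockout
policy of the kind recommended against "MFA prompt fatigue".

Assumed policy (an assumption, not from the advisory): each denied or
unanswered push counts as a failure; MAX_FAILED failures for one user inside
WINDOW_SECONDS lock the account until an administrator clears it; an approval
that arrives while failures are still inside the window is allowed but
flagged for the SOC."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 600   # look-back window for counting failed pushes (assumed)
MAX_FAILED = 3         # failures inside the window that trigger a lockout (assumed)


@dataclass
class PushEvent:
    ts: int        # seconds since epoch (constructed values below)
    user: str
    result: str    # "approved", "denied" or "timeout"


@dataclass
class PushLockoutPolicy:
    window: int = WINDOW_SECONDS
    max_failed: int = MAX_FAILED
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked: set = field(default_factory=set)

    def evaluate(self, ev: PushEvent) -> str:
        """Decide one push event: 'allow', 'allow_flagged', 'fail' or 'locked'."""
        if ev.user in self._locked:
            return "locked"               # nothing is accepted until an admin unlocks
        recent = self._failures[ev.user]
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()              # drop failures older than the window
        if ev.result == "approved":
            # an approval right after failed prompts is the fatigue pattern
            return "allow_flagged" if recent else "allow"
        recent.append(ev.ts)
        if len(recent) >= self.max_failed:
            self._locked.add(ev.user)
            return "locked"
        return "fail"

    def is_locked(self, user: str) -> bool:
        return user in self._locked


def run_policy(events):
    """Apply a fresh policy to a chronologically ordered event list."""
    policy = PushLockoutPolicy()
    return [policy.evaluate(ev) for ev in events]


# Constructed sample: alice is prompt-bombed, bob retries after the window
# has expired, carol approves shortly after a single denial.
T0 = 1_660_000_000
SAMPLE_EVENTS = [
    PushEvent(T0 + 0,   "alice", "timeout"),
    PushEvent(T0 + 0,   "bob",   "denied"),
    PushEvent(T0 + 0,   "carol", "denied"),
    PushEvent(T0 + 60,  "alice", "denied"),
    PushEvent(T0 + 100, "carol", "approved"),
    PushEvent(T0 + 120, "alice", "timeout"),
    PushEvent(T0 + 180, "alice", "approved"),   # too late: already locked
    PushEvent(T0 + 700, "bob",   "approved"),   # earlier failure aged out
]

if __name__ == "__main__":
    for ev, decision in zip(SAMPLE_EVENTS, run_policy(SAMPLE_EVENTS)):
        print(f"{ev.user:6} {ev.result:9} -> {decision}")
```

The "allow_flagged" outcome is the detection half of the control: the lockout stops the burst, but the flagged approval is what the IR team would want to see in the SIEM, because it is the moment the attack succeeded in a deployment without a lockout.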
Cisco, being a network security company, had strong segmentation controls in place, which meant that once the actor was on the network they were still restricted in what they could access.
Centralised log collection gave the IR team visibility even when the attacker took steps to hide their activity, which is why we advise customers to protect their logs externally.
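To show why logs held off the endpoint matter, here is an added example (not from the advisory or from Cisco) of two detections that only work once events have been forwarded to a central collector: a log-clearing event, whose on-host copy is gone by definition, and a host that goes silent right after activity. The records are constructed; the event IDs are the standard Windows ones (Security 1102 = audit log cleared, System 104 = event log cleared, 4720 = user account created), and the silence threshold is an assumption.

```python
"""Added example, not from the advisory or from Cisco: two detections that
depend on events having already left the endpoint for a central collector.
The records below are constructed; the event IDs are the standard Windows ones
(Security 1102 = audit log cleared, System 104 = event log cleared, 4720 =
user account created)."""
from datetime import datetime, timedelta

LOG_CLEARED = {("Security", 1102), ("System", 104)}
SILENCE_THRESHOLD = timedelta(minutes=30)   # assumed heartbeat expectation


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_log_clears(events):
    """Return (host, ts, user) for every log-clearing event seen by the collector.
    The copy on the endpoint is gone by definition; only the forwarded copy tells."""
    return [
        (e["host"], e["ts"], e["user"])
        for e in events
        if (e["channel"], e["event_id"]) in LOG_CLEARED
    ]


def detect_silent_hosts(events, now: str):
    """Hosts whose newest forwarded event is older than SILENCE_THRESHOLD.
    A host that stops reporting right after activity suggests logging or the
    forwarder itself was disabled (cf. T1562 in the technique list)."""
    last_seen = {}
    for e in events:
        t = parse_ts(e["ts"])
        if e["host"] not in last_seen or t > last_seen[e["host"]]:
            last_seen[e["host"]] = t
    cutoff = parse_ts(now) - SILENCE_THRESHOLD
    return sorted(h for h, t in last_seen.items() if t < cutoff)


# Constructed records as a SIEM might hold them after forwarding.
SAMPLE_EVENTS = [
    {"host": "WS-042", "ts": "2022-08-10T13:00:00Z", "channel": "Security", "event_id": 4624, "user": "jdoe"},
    {"host": "WS-042", "ts": "2022-08-10T13:20:00Z", "channel": "Security", "event_id": 4720, "user": "jdoe"},
    {"host": "WS-042", "ts": "2022-08-10T13:25:00Z", "channel": "Security", "event_id": 1102, "user": "jdoe"},
    {"host": "SRV-01", "ts": "2022-08-10T13:10:00Z", "channel": "System",   "event_id": 7036, "user": "SYSTEM"},
    {"host": "SRV-01", "ts": "2022-08-10T14:55:00Z", "channel": "Security", "event_id": 4624, "user": "svc-backup"},
]

if __name__ == "__main__":
    print("log cleared:", detect_log_clears(SAMPLE_EVENTS))
    print("silent hosts:", detect_silent_hosts(SAMPLE_EVENTS, "2022-08-10T15:00:00Z"))
```

Both rules are deliberately simple; the point is that neither can be evaluated from the endpoint itself once the local log has been cleared or the forwarder stopped, which is the case the advisory describes.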
Google Chrome profiles can be used to secure browsers and prevent personal accounts from being signed in. Additionally, a dedicated password manager would have been more secure than Chrome’s built-in password manager, so the use of a dedicated password manager is strongly advised to reduce the risk of similar attacks.
Indicators of Compromise
SHA-256 hashes
184a2570d71eedc3c77b63fd9d2a066cd025d20ceef0f75d428c6f7e5c6965f3
2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03
542c9da985633d027317e9a226ee70b4f0742dcbc59dfd2d4e59977bb870058d
61176a5756c7b953bc31e5a53580d640629980a344aa5ff147a20fb7d770b610
753952aed395ea845c52e3037f19738cfc9a415070515de277e1a1baeff20647
8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a
8e5733484982d0833abbd9c73a05a667ec2d9d005bbf517b1c8cd4b1daf57190
99be6e7e31f0a1d7eebd1e45ac3b9398384c1f0fa594565137abb14dc28c8a7f
bb62138d173de997b36e9b07c20b2ca13ea15e9e6cd75ea0e8162e0d3ded83b7
eb3452c64970f805f1448b78cd3c05d851d758421896edd5dfbe68e08e783d18
IP addresses
104.131.30[.]201
108.191.224[.]47
131.150.216[.]118
134.209.88[.]140
138.68.227[.]71
139.177.192[.]145
139.60.160[.]20
139.60.161[.]99
143.198.110[.]248
143.198.131[.]210
159.65.246[.]188
161.35.137[.]163
162.33.177[.]27
162.33.178[.]244
162.33.179[.]17
165.227.219[.]211
165.227.23[.]218
165.232.154[.]73
166.205.190[.]23
167.99.160[.]91
172.56.42[.]39
172.58.220[.]52
172.58.239[.]34
174.205.239[.]164
176.59.109[.]115
178.128.171[.]206
185.220.100[.]244
185.220.101[.]10
185.220.101[.]13
185.220.101[.]15
185.220.101[.]16
185.220.101[.]2
185.220.101[.]20
185.220.101[.]34
185.220.101[.]45
185.220.101[.]6
185.220.101[.]65
185.220.101[.]73
185.220.101[.]79
185.220.102[.]242
185.220.102[.]250
192.241.133[.]130
194.165.16[.]98
195.149.87[.]136
24.6.144[.]43
45.145.67[.]170
45.227.255[.]215
45.32.141[.]138
45.32.228[.]189
45.32.228[.]190
45.55.36[.]143
45.61.136[.]207
45.61.136[.]5
45.61.136[.]83
46.161.27[.]117
5.165.200[.]7
52.154.0[.]241
64.227.0[.]177
64.4.238[.]56
65.188.102[.]43
66.42.97[.]210
67.171.114[.]251
68.183.200[.]63
68.46.232[.]60
73.153.192[.]98
74.119.194[.]203
74.119.194[.]4
76.22.236[.]142
82.116.32[.]77
87.251.67[.]41
94.142.241[.]194
Domains
cisco-help[.]cf
cisco-helpdesk[.]cf
ciscovpn1[.]com
ciscovpn2[.]com
ciscovpn3[.]com
devcisco[.]com
devciscoprograms[.]com
helpzonecisco[.]com
kazaboldu[.]net
mycisco[.]cf
mycisco[.]gq
mycisco-helpdesk[.]ml
primecisco[.]com
pwresetcisco[.]com
Email address
costacancordia[@]protonmail[.]com
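As an added example of putting the indicators above to use (not part of the advisory), the script below refangs a subset of the published IoCs and matches them against constructed proxy, DNS, firewall, EDR and mail log lines. The IoC subset is copied from the list above; the log lines, hostnames and user names are constructed, and subdomains of a listed domain are treated as hits.

```python
"""Added example, not part of the advisory: match the defanged IoCs published
above against constructed proxy, DNS, firewall, EDR and mail log lines.
The IoC subset is copied from the advisory; the log lines are constructed."""
import re

# A subset of the advisory's IoCs, kept defanged exactly as published.
RAW_IOCS = """
2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03
8df89eef51cdf43b2a992ade6ad998b267ebb5e61305aeb765e4232e66eaf79a
104.131.30[.]201 185.220.101[.]10 45.61.136[.]83
cisco-help[.]cf ciscovpn1[.]com mycisco-helpdesk[.]ml pwresetcisco[.]com
costacancordia[@]protonmail[.]com
"""

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w.-]+\.[a-z]{2,}\b", re.I)


def refang(token: str) -> str:
    """Undo the [.] / [@] defanging so tokens compare against real log data."""
    return token.replace("[.]", ".").replace("[@]", "@")


def load_iocs(text: str) -> dict:
    """Sort refanged tokens into hash / IP / e-mail / domain sets."""
    iocs = {"sha256": set(), "ip": set(), "domain": set(), "email": set()}
    for tok in text.split():
        v = refang(tok).lower()
        if HASH_RE.fullmatch(v):
            iocs["sha256"].add(v)
        elif IP_RE.fullmatch(v):
            iocs["ip"].add(v)
        elif "@" in v:
            iocs["email"].add(v)
        else:
            iocs["domain"].add(v)
    return iocs


def scan_line(line: str, iocs: dict) -> list:
    """Return (type, value) hits for one log line; subdomains of an IoC domain count."""
    hits = []
    hits += [("sha256", h.lower()) for h in HASH_RE.findall(line) if h.lower() in iocs["sha256"]]
    hits += [("ip", ip) for ip in IP_RE.findall(line) if ip in iocs["ip"]]
    hits += [("email", e.lower()) for e in EMAIL_RE.findall(line) if e.lower() in iocs["email"]]
    for host in {h.lower() for h in HOST_RE.findall(line)}:
        if any(host == d or host.endswith("." + d) for d in iocs["domain"]):
            hits.append(("domain", host))
    return hits


def scan_logs(lines, iocs):
    """(line index, hits) for every line that touched at least one IoC."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out


SAMPLE_LOGS = [  # constructed log lines
    "2022-08-10T14:02:11Z proxy user=jdoe dst=vpn.ciscovpn1.com:443 action=allow",
    "2022-08-10T14:05:37Z dns client=10.1.4.22 query=mycisco-helpdesk.ml type=A",
    "2022-08-10T14:09:02Z fw src=10.1.4.22 dst=185.220.101.10:443 action=allow",
    "2022-08-10T14:11:45Z edr host=WS-042 file=C:\\Temp\\svc.exe "
    "sha256=2fc5bf9edcfa19d48e235315e8f571638c99a1220be867e24f3965328fe94a03",
    "2022-08-10T14:12:00Z proxy user=asmith dst=www.cisco.com:443 action=allow",
    "2022-08-10T14:20:09Z mail from=costacancordia@protonmail.com to=it-helpdesk@corp.example subject=VPN",
]

if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS, load_iocs(RAW_IOCS)):
        print(f"line {idx}: {hits}")
```

Note that the legitimate cisco.com line produces no hit: the domain match is anchored on the listed look-alike domains and their subdomains, not on the substring "cisco", which keeps the rule from flooding the queue with the vendor's real traffic.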
Threat Landscape
A vendor like Cisco is a valuable target both for access to its own product development information and as a stepping stone in a supply-chain attack against other organisations. If the actor had been able to access customer secrets or information on software vulnerabilities, they would have been able to pivot to other organisations. The Cisco Security Incident Response Team (CSIRT) found no evidence that critical systems such as product development or code signing were affected.
Mitre Methodologies
Initial Access
T1566 – Phishing
T1078 – Valid Accounts
Execution
T1569.002 – System Services: Service Execution
Persistence
T1136.001 – Create Account: Local Account
T1098.005 – Account Manipulation: Device Registration
Privilege Escalation
T1546.012 – Event Triggered Execution: Image File Execution Options Injection
Defense Evasion
T1070 – Indicator Removal on Host
T1070.001 – Indicator Removal on Host: Clear Windows Event Logs
T1036.005 – Masquerading: Match Legitimate Name or Location
T1562.004 – Impair Defences: Disable or Modify System Firewall
T1112 – Modify Registry
Credential Access
T1003.001 – OS Credential Dumping: LSASS Memory
T1003.002 – OS Credential Dumping: Security Account Manager
T1003.003 – OS Credential Dumping: NTDS
T1621 – Multi-Factor Authentication Request Generation
Lateral Movement
T1021 – Remote Services
Discovery
T1012 – Query Registry
Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
T1219 – Remote Access Software
T1573.002 – Encrypted Channel: Asymmetric Cryptography
T1090.003 – Proxy: Multi-hop Proxy
Exfiltration
T1048 – Exfiltration Over Alternative Protocol
Further Information
Cisco Talos shares insights related to recent cyber-attack on Cisco