On Monday, networking giant Cisco admitted that it had been hacked on July 28, 2022. The attackers gained access to an employee’s personal Gmail account, whose saved passwords had been synchronized across the employee’s browsers.
The compromise of a Cisco employee’s personal email account, Cisco Talos reported, gave the attackers their first access to the company’s VPN. As Talos put it, “the user had allowed credential synchronization through Chrome Browser and had kept their Cisco login information in the browser, allowing those segments to sync to their Gmail account.”
The breach came to light on August 9, when cyber criminals from the AwakenCybers group uploaded a list of files stolen in the attack to a website dedicated to publishing data breaches.
According to Talos, the leaked data included files in a Box online storage folder linked to the compromised employee’s profile. This folder is not thought to have contained any sensitive information.
Beyond the stolen credentials, the intrusion also relied on social engineering: the adversary combined “vishing” (voice phishing) with multi-factor authentication (MFA) push fatigue to trick the victim into approving the attacker’s VPN login.
In MFA fatigue attacks, sometimes called “prompt-bombing,” threat actors flood a user’s authenticator app with a stream of push notifications in the hope that the user eventually gives in and approves one, granting the attacker illegitimate access to the account.
After gaining an initial foothold, the attackers enrolled a series of new MFA devices under the compromised account. They then escalated to administrative privileges, which gave them broad access to log in to several systems and drew the attention of Cisco’s security team.
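The two-step pattern just described, a burst of push prompts ending in an approval followed by a new MFA device enrolment, is exactly what an identity-provider log should surface. The following is an added detection example, not code from the article or from Cisco Talos; the log line format, event names and thresholds are assumptions, and the sample lines are constructed.

```python
# Added example (not from the article): flag the MFA "prompt-bombing" sequence
# described above over constructed log lines. The "<timestamp> <user> <event>"
# format and the event names are assumptions; adapt them to your IdP's export.
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = [  # constructed sample data, not real Cisco logs
    "2022-07-28T02:10:01Z alice mfa.push.sent",
    "2022-07-28T02:10:45Z alice mfa.push.sent",
    "2022-07-28T02:11:30Z alice mfa.push.sent",
    "2022-07-28T02:12:05Z alice mfa.push.sent",
    "2022-07-28T02:12:40Z alice mfa.push.sent",
    "2022-07-28T02:13:10Z alice mfa.push.approved",
    "2022-07-28T02:20:00Z alice mfa.device.enrolled",
    "2022-07-28T09:00:00Z bob mfa.push.sent",      # normal: one prompt, one approval
    "2022-07-28T09:00:20Z bob mfa.push.approved",
]

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_prompt_bombing(lines, min_pushes=5, window=timedelta(minutes=10),
                          enroll_window=timedelta(hours=1)):
    """Return (user, alert, timestamp) tuples: one when a push is approved after
    at least `min_pushes` pushes within `window`, and a second, higher-severity
    one when a new MFA device is enrolled within `enroll_window` of that approval."""
    by_user = defaultdict(list)
    for line in lines:
        ts, user, event = parse(line)
        by_user[user].append((ts, event))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        suspicious_approval = None
        for ts, event in events:
            if event == "mfa.push.approved":
                recent = [t for t, e in events
                          if e == "mfa.push.sent" and ts - window <= t <= ts]
                if len(recent) >= min_pushes:
                    alerts.append((user, "push_fatigue_approval", ts))
                    suspicious_approval = ts
            elif (event == "mfa.device.enrolled" and suspicious_approval is not None
                  and ts - suspicious_approval <= enroll_window):
                alerts.append((user, "new_mfa_device_after_fatigue", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_prompt_bombing(LOG_LINES):
        print(alert)
```

Tune `min_pushes` and `window` to your own baseline of denied or unanswered prompts; a device enrolment shortly after a fatigue-style approval is the stronger signal and warrants immediate session revocation.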
Talos linked the intrusion to an initial access broker with ties to the LAPSUS$ threat group, the AwakenCybers gang, and the UNC2447 group. Once inside, the attackers also added their own backdoor accounts and persistence mechanisms so they could return later.
In October 2021, UNC2447, described as a “serious” financially motivated Russian-nexus threat, was observed exploiting a zero-day vulnerability in SonicWall VPN to deploy FIVE HANDS malware.
The attackers are also alleged to have used a wide range of additional software, including keyloggers, remote management tools (RMTs), mobile wiretap apps, and offensive security tools (such as PowerSploit, Cobalt Strike, Impacket, and Mimikatz), to extend their access deeper into the network.
The report states that once VPN access was obtained, the attacker used the compromised user account to log in to a large number of systems. According to the report, “they advanced inside the Citrix system, hacking a succession of Citrix online servers, and eventually got full access to domain controllers.”
They also staged their tools and payloads under the Public user profile directory on the compromised servers, and moved data between systems within the domain using remote access trojans and Citrix, modifying host-based firewall rules to allow the traffic.
After the attackers were evicted, Cisco said they attempted to contact corporate leaders by email at least five times to extort money, promising that “no one would find out about the event and data breach.” As proof, the emails included a screenshot of the directory structure of the exfiltrated Box folder.
After carrying out a company-wide password reset, the San Jose-based company stated that it had “effectively prevented hacking attempts” to regain access to its network. The company also stressed that the incident did not affect its business operations and did not result in unauthorized access to sensitive customer data, employees’ personal information, or intellectual property.