Cisco Shares Data Breach From May 2022
Industry: Technology | Level: Tactical | Source: Cisco Talos
Cisco has disclosed that the company's corporate network was breached on May 24th, 2022. They have provided an in-depth technical summary documenting details of the breach to share with and help protect the community. The breach began when the threat actors obtained a Cisco employee's credentials "after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized." To bypass MFA, the threat actors initiated a series of phishing attacks involving both MFA fatigue and voice phishing to achieve MFA push acceptance, giving the attacker access to the company's VPN. The attacker was able to enroll their own device for MFA, elevate their permissions to administrator, and drop payloads for multiple tools, including the remote access tools LogMeIn and TeamViewer as well as offensive tools such as Cobalt Strike and Mimikatz.
Post-compromise activity involved the attackers conducting reconnaissance using native Windows tools. The activity appeared to be manual, as various typos were observed. The attackers managed to obtain access to domain controllers and dump credentials with ntdsutil.exe. Additional credentials were obtained by saving registry information and dumping LSASS with comsvcs. The attacker created a user account in the administrators group, only to delete the account later. Additional clean-up activities included clearing Windows event logs with wevtutil.exe. Lateral movement was achieved by the threat actor modifying firewall rules and enabling RDP access.
Cisco's attribution of the attack points to an initial access broker with an association to UNC2447 and Lapsus$, based on the TTPs observed in the attack. However, the Yanluowang ransomware group posted on their data leak site on August 10th, 2022, claiming responsibility for the hack and stating "hot news straight from Cisco Time's up!"
The ransomware group claims to have stolen 2.75GB of data, including sensitive material such as non-disclosure agreements (NDAs) and engineering schematics. As reported by BleepingComputer, the threat actor sent the technology news site a redacted NDA document as proof of the attack. Cisco's report states that they did not find evidence of ransomware deployment.
- Yanluowang: Post-Compromise Activity from Domain Controllers
Anvilogic Use Cases:
- NTDSUtil.exe execution
- comsvcs.dll Lsass Memory Dump
- Clear Windows Event Logs
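The three use cases above can be expressed as simple process-creation detections. The following is an added example, not Anvilogic's or Cisco Talos's code: it defines one rule per use case (ntdsutil.exe taking an IFM snapshot of the NTDS database, rundll32 invoking comsvcs.dll MiniDump, and wevtutil.exe clearing a log) and runs them over a constructed pipe-delimited log whose fields stand in for Sysmon Event ID 1 / Windows Security 4688 process-creation data. Hostnames, users, PIDs and paths in the sample log are invented.

```python
"""Toy process-creation detections for the three use cases named on the page.

Added, hypothetical example; not Anvilogic's or Cisco Talos's code.
Input is a constructed pipe-delimited process-creation log
(host|user|parent_image|image|command_line) standing in for
Sysmon Event ID 1 / Windows Security 4688 fields.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

    @property
    def image_name(self) -> str:
        # Basename of the image path, lower-cased, so rules ignore the directory.
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_events(lines):
    """Parse the constructed log format; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, user, parent, image, cmd = line.split("|", 4)
        events.append(ProcessEvent(host, user, parent, image, cmd))
    return events


# --- Rules: each returns True when the event matches the behaviour ---

def rule_ntdsutil_ntds_dump(e: ProcessEvent) -> bool:
    """ntdsutil.exe creating a full IFM copy of the NTDS database, the domain
    controller credential dump described in the report."""
    cmd = e.command_line.lower()
    return (e.image_name == "ntdsutil.exe"
            and "ntds" in cmd
            and re.search(r"\bifm\b|create\s+full", cmd) is not None)


def rule_comsvcs_lsass_minidump(e: ProcessEvent) -> bool:
    """rundll32 calling the MiniDump export of comsvcs.dll, the LSASS dump
    technique named on the page."""
    cmd = e.command_line.lower()
    return (e.image_name == "rundll32.exe"
            and "comsvcs" in cmd
            and "minidump" in cmd)


def rule_wevtutil_clear_log(e: ProcessEvent) -> bool:
    """wevtutil.exe clearing an event log (cl / clear-log). Read-only
    subcommands such as 'qe' or 'gl' are deliberately not flagged."""
    cmd = e.command_line.lower()
    return (e.image_name == "wevtutil.exe"
            and re.search(r"\b(cl|clear-log)\b", cmd) is not None)


RULES = {
    "ntdsutil_ntds_dump": rule_ntdsutil_ntds_dump,
    "comsvcs_lsass_minidump": rule_comsvcs_lsass_minidump,
    "wevtutil_clear_log": rule_wevtutil_clear_log,
}


def detect(lines):
    """Run every rule over every event; return hits as dicts in log order."""
    hits = []
    for e in parse_events(lines):
        for name, rule in RULES.items():
            if rule(e):
                hits.append({"rule": name, "host": e.host, "user": e.user,
                             "image": e.image_name, "command_line": e.command_line})
    return hits


# Constructed sample log: hostnames, users, PIDs and paths are invented.
# Line 1 is benign, lines 2-4 exercise one rule each, line 5 is a benign
# wevtutil query that must not fire.
SAMPLE_LOG = r"""
# host|user|parent_image|image|command_line
DC01|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
DC01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\x" q q
WS07|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\l.dmp full
DC01|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security
DC01|CORP\ops|C:\Windows\System32\cmd.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe qe Security /c:5 /f:text
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(f"[{hit['rule']}] {hit['host']} {hit['user']}: {hit['command_line']}")
```

Each rule keys on the image basename plus the distinctive arguments rather than on the full path, so a copy of the binary run from another directory still matches; in a real pipeline the same predicates would be joined with parent-process and host-role context (for instance, ntdsutil on a domain controller outside a backup window) to cut noise.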