Cisco on Sunday confirmed that the bad actors who had previously leaked Cisco data files to the dark web posted the actual contents of those files to the same location on the dark web.
In a blog post, Cisco said its previous analysis of the incident remained unchanged — the company said it continues to see no impact to its business. This includes Cisco products or services, sensitive customer data or employee information, intellectual property, supply chain operations.
The attack, which was previously identified as an initial access broker with ties to the UNC2447 gang, the Lapsus$ group, and Yanluowang ransomware operators, was originally discovered May 24. During the subsequent investigation by Cisco, the company learned that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.
The threat actors posting some of their data online was probably an effort to establish their own credibility, and apparently doesn’t change Cisco’s initial assessment that the attack didn’t exfiltrate any sensitive data or do any extensive damage, said Mike Parkin, senior technical engineer at Vulcan Cyber. Parkin said while it’s possible they are downplaying the situation, the data the attacker revealed (mainly Windows NT Directory Services data) reinforces Cisco’s case.
“The deeper question is how effective Cisco’s information security team was at containing the breach and implementing policies to reduce the chance of it happening again,” Parkin said. “If history is any indication, they’ll have done a good job of both containment and mitigating the threat. But that doesn’t change that large vendors remain a primary target both for cybercriminal gangs and state-level malicious actors.”
Patrick Tiquet, vice president, security and architecture at Keeper Security, said while long-term authenticated sessions are convenient, they pose a risk if an attacker can gain control of a browser or application that’s pre-authenticated. Tiquet said this can lead to compromise of the account, or if used as an MFA method, compromise of MFA.
“Organizations should closely analyze the risk of each MFA method permitted for authentication, as not all MFA methods are equally effective or secure,” Tiquet said. “It’s difficult to detect attacks that appear as legitimate user activity. Attacks are constantly evolving and it’s important for all organizations to monitor the cybersecurity landscape and ensure they have the ability to detect and prevent the latest attack vectors.”
