Cisco shared on its website Wednesday that it identified a security incident targeting its corporate IT infrastructure on May 24, saying it took immediate action to remediate the impact and has since hardened its IT environment.
Also on Wednesday, on the Cisco Talos security blog, the company’s security team said an employee’s credentials were compromised after an attacker gained control of a Google account to which credentials saved in the victim’s browser were synced.
After a series of sophisticated voice phishing (vishing) calls from the attacker, the victim eventually accepted one of the MFA push notifications the attacker had initiated, which granted the attacker VPN access in the context of the victim’s account.
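The pattern described above, a burst of attacker-initiated MFA pushes that the user denies or ignores until one is finally approved, is detectable in identity-provider logs. The following is an added example, not code from Cisco or Talos: a small Python detector run over constructed, hypothetical JSON-lines auth events (the field names `ts`, `user`, `event`, `result` and `src_ip` are assumptions; map them to your provider's export). It flags any approved push that was preceded by a threshold of unapproved pushes for the same user inside a look-back window.

```python
"""Detect MFA push-fatigue ("push bombing") patterns in authentication logs.

Added example, not Cisco's or Talos's code. The log format below is a
constructed, hypothetical JSON-lines format; adapt the field names to your
identity provider's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log lines (hypothetical format). "asmith" approves a single
# legitimate push; "jdoe" receives a burst of attacker-initiated pushes, denies
# or ignores most of them, then approves one, after which a VPN login follows.
SAMPLE_LOG = """\
{"ts": "2022-05-24T09:01:05Z", "user": "asmith", "event": "mfa_push", "result": "approved", "src_ip": "10.20.0.5"}
{"ts": "2022-05-24T22:10:01Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T22:10:40Z", "user": "jdoe", "event": "mfa_push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T22:11:15Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T22:12:02Z", "user": "jdoe", "event": "mfa_push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T22:14:30Z", "user": "jdoe", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T22:14:35Z", "user": "jdoe", "event": "vpn_login", "result": "success", "src_ip": "203.0.113.7"}
"""

WINDOW = timedelta(minutes=10)   # look-back window before an approval
THRESHOLD = 3                    # unapproved pushes in the window that trigger an alert


def parse_events(text):
    """Parse JSON-lines auth events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
        except (ValueError, KeyError):
            continue  # malformed line: ignore rather than crash the detector
    return events


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per approved push that was preceded by at least
    `threshold` unapproved (denied/timed-out) pushes for the same user
    within `window`. Non-push events (e.g. vpn_login) are ignored here."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") == "mfa_push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, pushes in by_user.items():
        for i, ev in enumerate(pushes):
            if ev["result"] != "approved":
                continue
            # pushes[:i] is already time-ordered, so only the window check is needed
            prior = [p for p in pushes[:i]
                     if p["result"] != "approved" and ev["ts"] - p["ts"] <= window]
            if len(prior) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": ev["ts"].isoformat(),
                    "unapproved_before": len(prior),
                    "src_ips": sorted({p["src_ip"] for p in prior} | {ev["src_ip"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this yields a single alert for `jdoe` with four unapproved pushes before the approval; a threshold of 5 would suppress it, which is the knob to tune against your own baseline of accidental denials. In practice the alert is worth correlating with the `vpn_login` that follows, and the longer-term fix is number matching or phishing-resistant MFA so that an accidental tap cannot complete an attacker's login.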
The security team posted that the attacker did not gain access to critical systems, but did attempt to establish persistence and escalate privileges before being successfully removed. The attacker was observed repeatedly trying to regain access in the weeks following the attack, but was unsuccessful.
In its assessment, the incident response team said it was fairly confident the attacker was an initial access broker with ties to the UNC2447, Lapsus$ and Yanluowang threat groups. Globant, Microsoft Azure, Nvidia and Okta are among the victims of the Lapsus$ extortion group, according to CyberRisk Alliance partner MSSPAlert.
Yanis Zinchenko, a security expert at Kaspersky, said the company analyzed Yanluowang’s malware in April and was able to build a file decryptor to help victims recover their data, adding that it is important for businesses to follow basic security principles in order to stay protected and to minimize the financial and reputational losses a ransomware attack can cause.