Cisco Confirms It’s Been Hacked by Yanluowang Ransomware Gang


Networking equipment major Cisco on Wednesday confirmed it was
the victim of a cyberattack on May 24, 2022 after the attackers got
hold of an employee’s personal Google account that contained
passwords synced from their web browser.

“Initial access to the Cisco VPN was achieved via the successful
compromise of a Cisco employee’s personal Google account,” Cisco
Talos said[1] in a detailed write-up. “The user had enabled password
syncing via Google Chrome and had stored their Cisco credentials in
their browser, enabling that information to synchronize to their
Google account.”

The disclosure comes as cybercriminal actors associated with the
Yanluowang ransomware gang published a list of files[2] from the breach to their
data leak site on August 10.

The exfiltrated information, according to Talos, included the
contents of a Box cloud storage folder that was associated with the
compromised employee’s account and is not believed to have included
any valuable data.

Besides the credential theft, there was also an additional
element of phishing wherein the adversary resorted to methods like
vishing (aka voice phishing) and multi-factor authentication (MFA)
fatigue to trick the victim into providing access to the VPN
client.


MFA fatigue or prompt bombing is the name given to a technique
used by threat actors to flood a user’s authentication app with
push notifications in hopes they will relent and therefore enable
an attacker to gain unauthorized access to an account.

“The attacker ultimately succeeded in achieving an MFA push
acceptance, granting them access to VPN in the context of the
targeted user,” Talos noted.

Upon establishing an initial foothold in the environment, the
attacker moved to enroll a series of new devices for MFA and
escalated to administrative privileges, giving them broad
permissions to log in to several systems – an action that also
caught the attention of Cisco’s security teams.
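The three steps just described (a burst of MFA pushes, an approval at the end of the burst, and new MFA devices enrolled shortly afterwards) are each detectable from an identity provider's authentication log. The following is an added detection example, not code from Cisco, Talos or the article; it runs over a constructed log excerpt in a hypothetical `key=value` format and the event names, thresholds and time windows are assumptions chosen for illustration, not values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log (not from the Cisco/Talos report). Assumed format:
# "<ISO-8601 timestamp> user=<name> event=<push_sent|push_denied|push_approved|device_enrolled> [device=<id>]"
SAMPLE_LOG = """
2022-05-24T01:02:10Z user=jdoe event=push_sent
2022-05-24T01:02:25Z user=jdoe event=push_denied
2022-05-24T01:02:40Z user=jdoe event=push_sent
2022-05-24T01:03:05Z user=jdoe event=push_sent
2022-05-24T01:03:30Z user=jdoe event=push_sent
2022-05-24T01:03:55Z user=jdoe event=push_sent
2022-05-24T01:04:20Z user=jdoe event=push_sent
2022-05-24T01:04:41Z user=jdoe event=push_approved
2022-05-24T01:09:12Z user=jdoe event=device_enrolled device=phone-new-1
2022-05-24T01:11:30Z user=jdoe event=device_enrolled device=phone-new-2
2022-05-24T08:15:00Z user=asmith event=push_sent
2022-05-24T08:15:09Z user=asmith event=push_approved
"""

# Tuning knobs (assumed values): a "burst" is this many pushes inside the window.
PUSH_BURST_THRESHOLD = 5
PUSH_BURST_WINDOW = timedelta(minutes=5)
# A new MFA device enrolled this soon after a burst approval is treated as persistence.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def detect_mfa_fatigue(events):
    """Return alerts, one per user-level finding, ordered by time within each user.

    Rules (applied per user, in time order):
      push_burst               -> medium: >= THRESHOLD pushes within PUSH_BURST_WINDOW
      approval_after_burst     -> high:   a push is approved after a burst was seen
      new_mfa_device_after_burst -> critical: device enrolled within ENROLL_WINDOW of that approval
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        push_times = []          # sliding window of recent push timestamps
        burst_at = None          # when the first burst was detected
        approved_at = None       # first approval after the burst
        for e in evs:
            kind = e["event"]
            if kind == "push_sent":
                push_times.append(e["ts"])
                push_times = [t for t in push_times if e["ts"] - t <= PUSH_BURST_WINDOW]
                if burst_at is None and len(push_times) >= PUSH_BURST_THRESHOLD:
                    burst_at = e["ts"]
                    alerts.append({"user": user, "severity": "medium", "rule": "push_burst",
                                   "ts": e["ts"], "pushes": len(push_times)})
            elif kind == "push_approved" and burst_at is not None and approved_at is None:
                approved_at = e["ts"]
                alerts.append({"user": user, "severity": "high", "rule": "approval_after_burst",
                               "ts": e["ts"]})
            elif kind == "device_enrolled" and approved_at is not None \
                    and e["ts"] - approved_at <= ENROLL_WINDOW:
                alerts.append({"user": user, "severity": "critical",
                               "rule": "new_mfa_device_after_burst",
                               "ts": e["ts"], "device": e.get("device")})
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["user"], a["severity"], a["rule"],
              a.get("device", ""))
```

On the constructed log the normal user (`asmith`, one push, one approval) produces nothing, while `jdoe` produces the escalating chain: a medium alert at the fifth push, a high alert on the approval that ends the burst, and a critical alert for each device enrolled in the half hour after it. In practice the approval and enrollment rules are the ones worth paging on; the burst alone is also what a number-matching or deny-and-report MFA policy is designed to make harmless.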

The threat actor, which Cisco attributed to an initial access
broker (IAB) with ties to the UNC2447 cybercrime gang, the LAPSUS$[3]
threat actor group, and Yanluowang ransomware operators, also took
steps to add their own backdoor accounts and persistence
mechanisms.

UNC2447, an “aggressive” financially motivated Russia-nexus
actor, was uncovered[4] in April 2021 exploiting a then zero-day
flaw in SonicWall VPN to drop FIVEHANDS ransomware.

Yanluowang, named after a Chinese deity[5], is a ransomware variant
that has been used against corporations in the U.S., Brazil, and
Turkey since August 2021[6]. Earlier this April, a
flaw in its encryption algorithm enabled Kaspersky to crack the malware[7]
and offer a free decryptor to help victims.

Furthermore, the actor is said to have deployed a variety of
tools, including remote access utilities like LogMeIn and
TeamViewer, offensive security tools such as Cobalt Strike,
PowerSploit, Mimikatz, and Impacket aimed at increasing their level
of access to systems within the network.


“After establishing access to the VPN, the attacker then began
to use the compromised user account to logon to a large number of
systems before beginning to pivot further into the environment,” it
explained. “They moved into the Citrix environment, compromising a
series of Citrix servers and eventually obtained privileged access
to domain controllers.”

The threat actors were also subsequently observed moving files
between systems within the environment using Remote Desktop
Protocol (RDP) and Citrix by modifying host-based firewall
configurations, not to mention staging the toolset in directory
locations under the Public user profile on compromised hosts.

That said, no ransomware was deployed. “While we did not observe
ransomware deployment in this attack, the TTPs used were consistent
with ‘pre-ransomware activity,’ activity commonly observed leading
up to the deployment of ransomware in victim environments,” the
company said.

Cisco further noted that the attackers, after being booted off,
tried to establish email communications with the company executives
at least three times, urging them to pay and that “no one will know
about the incident and information leakage.” The email also
included a screenshot of the directory listing of the exfiltrated
Box folder.

Aside from initiating a company-wide password reset, the San
Jose-based firm stressed[8] that the incident had no impact on its
business operations and did not result in unauthorized access to
sensitive customer data, employee information, or intellectual
property, adding that it has “successfully blocked attempts” to
access its network since then.

References

  1. said (blog.talosintelligence.com)
  2. published a list of files (twitter.com)
  3. LAPSUS$ (thehackernews.com)
  4. uncovered (thehackernews.com)
  5. Chinese deity (en.wikipedia.org)
  6. since August 2021 (symantec-enterprise-blogs.security.com)
  7. crack the malware (securelist.com)
  8. stressed (tools.cisco.com)
