CYBER ATTACK ON CISCO BY YANLUOWANG RANSOMWARE GANG

INTRODUCTION:

Cisco, a leading maker of network gear, confirmed a cyber-security breach that began with the “successful intrusion” of an employee’s personal Google account, which held the credentials saved in the employee’s web browser. In late May, the Yanluowang ransomware gang compromised Cisco’s corporate network, and the actor attempted to extort money by threatening to post stolen information online. Under the guise of several trusted organizations, the attacker launched a series of sophisticated voice phishing calls to persuade the user to approve multi-factor authentication (MFA) push notifications that the attacker had triggered. Cisco stated that it executed a company-wide password reset soon after learning of the incident. Cisco observed no ransomware deployment in this incident.

ATTACK PROCESS:

Cisco discovered a security breach targeting its corporate IT infrastructure on May 24, 2022, and took immediate measures to contain and evict the threat actors. According to Cisco, the intruder targeted one of its employees and stole only files from a Box folder associated with that employee’s account, along with employee authentication data from Active Directory.

The successful intrusion of a Cisco employee’s personal Google account provided initial access to the Cisco VPN. The user had enabled password syncing in Google Chrome and saved their Cisco credentials in the browser, allowing that information to sync to their Google account. After obtaining the user’s credentials, the attacker attempted to circumvent multi-factor authentication (MFA) using a variety of approaches, including voice phishing (aka “vishing”) and MFA fatigue, the practice of sending a high volume of push requests to the target’s mobile device until the user accepts one, either by mistake or simply to silence the constant stream of notifications. Vishing is a social engineering tactic that attackers use increasingly often to get employees to hand over sensitive information over the phone.

In this case, the employee reported receiving numerous calls over several days from individuals who spoke English with various regional accents and dialects and who claimed to be affiliated with support organizations the user trusted. After gaining initial access, the attacker enrolled several new devices for MFA and successfully authenticated to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to many systems; this triggered an alert to the Cisco Security Event Response Team (CSIRT), which responded to the incident. The threat actor dropped several tools, including offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and remote access tools such as LogMeIn and TeamViewer, and then added their own backdoor accounts and persistence mechanisms. They then moved into the Citrix environment, compromised several Citrix servers, and eventually gained privileged access to domain controllers.
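The MFA fatigue pattern described above (a burst of push prompts ending in an approval, followed shortly by a new MFA device enrollment) can be surfaced from identity-provider logs. This is an added example, not code from Cisco or from the original write-up; the event format, user names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real Cisco logs):
# (user, ISO timestamp, event kind, result).  A burst of denied/timed-out pushes
# ending in an approval, followed by a new MFA device enrollment, is the pattern
# described in the write-up.
SAMPLE_EVENTS = [
    ("alice", "2022-05-24T09:00:05", "push", "denied"),
    ("alice", "2022-05-24T09:00:40", "push", "timeout"),
    ("alice", "2022-05-24T09:01:10", "push", "denied"),
    ("alice", "2022-05-24T09:01:55", "push", "timeout"),
    ("alice", "2022-05-24T09:02:30", "push", "approved"),
    ("alice", "2022-05-24T09:05:00", "device_enroll", "success"),
    ("bob", "2022-05-24T10:00:00", "push", "approved"),
]

PUSH_THRESHOLD = 4                     # prompts within WINDOW before we call it fatigue
WINDOW = timedelta(minutes=10)         # look-back window ending at the approval
ENROLL_WINDOW = timedelta(minutes=30)  # new device registered soon after that approval

def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW,
                       enroll_window=ENROLL_WINDOW):
    """Return (user, approval_time, prompt_count, enrolled_after) per suspicious approval."""
    by_user = defaultdict(list)
    for user, ts, kind, result in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, result))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        pushes = [(t, r) for t, k, r in evs if k == "push"]
        enrolls = [t for t, k, r in evs if k == "device_enroll" and r == "success"]
        for i, (t, r) in enumerate(pushes):
            if r != "approved":
                continue
            # every push (any result) in the window that ends with this approval
            recent = [p for p in pushes[: i + 1] if t - p[0] <= window]
            if len(recent) >= threshold:
                enrolled = any(timedelta(0) <= e - t <= enroll_window for e in enrolls)
                findings.append((user, t.isoformat(), len(recent), enrolled))
    return findings

if __name__ == "__main__":
    for user, when, count, enrolled in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"{user}: {count} pushes before approval at {when}; "
              f"new MFA device enrolled afterwards: {enrolled}")
```

An approval that closes a burst of prompts is worth an analyst's attention on its own; the same approval followed by a device enrollment is the combination seen in this incident.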

Once the attacker gained access to the domain controllers, they began attempting to dump NTDS from them using “ntdsutil.exe.” They then worked to transfer the dumped NTDS from the domain controller to the VPN system under their control over SMB (TCP/445). After gaining access to credential databases, the attacker was observed using machine accounts for privileged authentication and lateral movement across the environment. Consistent with behavior seen in other distinct but similar operations, the adversary created an administrative user called “z” on the machine using the built-in Windows “net.exe” commands and added this account to the local Administrators group. In some cases, the threat actor also modified the passwords of existing local user accounts.

The attacker dropped several payloads onto systems. The first payload is a simple backdoor that accepts commands from a command and control (C2) server and executes them on the end system via the Windows Command Processor. The commands are sent as JSON blobs, which is typical for a backdoor. One command, “DELETE SELF,” entirely removes the backdoor from the system. A second, more intriguing command, “WIPE,” instructs the backdoor to erase its record of the previous command, probably to impair forensic examination of affected hosts.

Based on the documented tactics, techniques, and procedures (TTPs) and a detailed study of the backdoor used in this attack, Cisco determined that it was carried out by an adversary previously recognized as an initial access broker (IAB) with ties to the operators of UNC2447, Lapsus$, and the Yanluowang ransomware gang.

IMPACT:

The attacker attempted to steal data from the environment during the attack. Cisco stated that the only successful data exfiltration consisted of the contents of a Box folder connected with the compromised employee’s account and Active Directory employee authentication data. The Box data obtained by the adversary in this case was not sensitive.

The Yanluowang ransomware group has since claimed responsibility for the attack, alleging that it stole approximately 3,000 files totaling 2.8Gb. The file names released by the attackers suggest that the stolen data includes VPN clients, source code, NDAs, and other material.

Cisco further stated that, although the Yanluowang gang is notorious for encrypting its victims’ files, it detected no evidence of ransomware payloads during the attack: there are no traces of ransomware deployment. The TTPs observed were consistent with ‘pre-ransomware behavior,’ which is often detected in victim environments before ransomware is distributed.

“As a result of this event, Cisco has identified no effect to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain activities,” Cisco stated.

REMEDIATION:

Cisco discovered and evicted the attackers from its environment; in the weeks following the attack they attempted to regain access but were unsuccessful.

Upon learning of the incident, Cisco promptly executed a company-wide password change. To help network administrators and security analysts find the malware used in the attack, Cisco developed two new ClamAV detections (Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0) covering the backdoor and a Windows exploit used for privilege escalation.

  • User education is critical in repelling such attacks, including ensuring that employees understand the legitimate methods by which support personnel will contact them, so that employees can spot fraudulent attempts to collect sensitive information.
  • Strong device verification is advantageous: implement stricter controls over device status to limit or block enrollment and access from unmanaged or unknown devices.
  • Before authorizing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This guarantees that connecting devices meet the organization’s security standards and can stop unauthorized devices from connecting to the corporate network.
  • Network segmentation is another essential security measure: it provides better protection for high-value assets and enables more effective detection and response if an adversary gains initial access to the environment.
  • Centralized log collection can mitigate the loss of visibility that arises when an attacker actively removes logs from systems. Ensuring that endpoint log data is collected centrally and reviewed for abnormal or overtly hostile behavior can provide early warning when an attack is underway.
  • Auditing command-line execution on endpoints can also provide more insight into actions performed on hosts in the environment and can detect suspicious execution of built-in Windows utilities, which is common during intrusions because threat actors rely on benign applications and utilities already present in the environment for enumeration, privilege escalation, and lateral movement.
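Command-line auditing, as recommended in the last item, is what makes the activity from the attack-process section (an NTDS dump with ntdsutil.exe and a new local administrator created with net.exe) visible. This added example, not code from Cisco or from the write-up, runs simple detection rules over constructed process-creation audit lines; the log format, host names and the placeholder password are assumptions.

```python
import re

# Constructed sample process-creation audit lines (Windows Event ID 4688 style,
# not real Cisco logs); the password is an obvious placeholder.
SAMPLE_LOG = r"""
2022-05-25 01:12:03 host=DC01 user=CORP\svc-backup cmd='ntdsutil.exe "ac i ntds" ifm "create full c:\temp\ifm" q q'
2022-05-25 01:14:20 host=DC01 user=CORP\svc-backup cmd='net.exe user z PASSWORD-PLACEHOLDER /add'
2022-05-25 01:14:25 host=DC01 user=CORP\svc-backup cmd='net.exe localgroup administrators z /add'
2022-05-25 01:20:00 host=WS07 user=CORP\alice cmd='notepad.exe C:\Users\alice\notes.txt'
2022-05-25 01:21:00 host=WS07 user=CORP\alice cmd='net.exe use \\fileserver\share'
"""
# Each rule: name and regex over the command line; an optional <acct> group captures the account.
RULES = [
    ("ntds_dump", re.compile(r"\bntdsutil(?:\.exe)?\b.*\b(?:ifm|ntds)\b", re.I)),
    ("local_user_add", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<acct>\S+)\s+\S+\s+/add\b", re.I)),
    ("admin_group_add", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(?P<acct>\S+)\s+/add\b", re.I)),
]
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd='(?P<cmd>.*)'$")

def parse_line(line):
    """Split one audit line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def scan(log_text, rules=RULES):
    """Return (host, user, rule_name, account_or_None, cmd) for every rule hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in rules:
            m = rx.search(rec["cmd"])
            if m:
                findings.append((rec["host"], rec["user"], name, m.groupdict().get("acct"), rec["cmd"]))
    return findings

def find_backdoor_admins(findings):
    """Accounts created with `net user /add` and then added to local Administrators on the same host."""
    created = {(h, acct) for h, _, name, acct, _ in findings if name == "local_user_add"}
    return sorted({(h, acct) for h, _, name, acct, _ in findings
                   if name == "admin_group_add" and (h, acct) in created})

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    print(*hits, sep="\n")
    print("backdoor admin accounts:", find_backdoor_admins(hits))
```

The `net use` line shows why the rules anchor on the full sub-command: ordinary share mapping by a user must not fire the account-creation rule.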