Cisco dispels Kraken data breach claims, insists stolen data came from old attack
The networking giant insists the data is related to a previous attack


Cisco has pushed back on claims it has been breached in a new ransomware attack after a threat actor exposed sensitive information allegedly stolen from the firm’s internal network.
The Kraken ransomware group posted the information, which according to reporting by Cyber Press contained credentials linked to Cisco’s Windows Active Directory environment, to its dark web leak site.
This data was said to include privileged administrator accounts, NTLM hashed passwords, as well as the domain’s Kerberos Ticket Granting account that could have been leveraged to forge authentication tickets.
The post was accompanied by a threat of potential future attacks on the networking and security giant and a suggestion that Cisco had been attempting, unsuccessfully, to remove the group from the network.
Jamie Akhtar, CEO and co-founder of CyberSmart, outlined the potential damage cyber criminals could inflict leveraging the sensitive information the Kraken group claimed to have taken.
“Hypothetically, the data leaked could allow cyber criminals to do a number of potentially damaging things. For example, the domain controller credentials could allow hackers to escalate privileges within Cisco’s network, move across networks within its wider infrastructure, and access and steal sensitive data.”
But Cisco has issued a statement claiming the ‘exposed’ credentials were taken from a historic data breach which occurred around two and a half years ago.
"Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers."
Cisco breach incident dates back to 2022
During the incident in question, attackers took control of a personal Google account that had Cisco employee credentials, according to a Cisco report on the attack published in August 2022.
After conducting a series of advanced voice phishing (vishing) attacks to bypass MFA protections, the attacker was able to gain access to the target user’s VPN.
Once they gained initial access, the attacker looked to establish persistence on the network, evade detection, and escalate their privileges.
Cisco said it was able to successfully remove the intruder, who made a series of unsuccessful attempts at regaining access in the following weeks.
It added that its CSIRT and Talos teams did not identify any evidence to suggest the attacker was able to access ‘critical internal systems’ such as its production environment or code signing architecture.
At the time, Cisco declared it believed the culprit to be an initial access broker (IAB) linked to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as the Lapsus$ threat collective and the Yanluowang ransomware operation.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.