Networking giant Cisco is the latest company to find itself the victim of ransomware operators who have reportedly been targeting its virtual private network (VPN) products to breach corporate networks and steal data. Akira ransomware operators have allegedly used compromised Cisco VPN accounts to get into business networks and obtain privileged credentials, which can then be used to move further into the environment and launch more damaging attacks.
This attack is a reminder of the importance of multi-factor authentication (MFA) and password hygiene, which should be a priority for any business using Cisco products, says security consultant Mike Mikel. “Any business that has employees connecting to its VPN needs to have MFA enabled and should be implementing policies against password reuse as well,” Mikel said. “Multi-factor authentication is the best way to prevent these types of attacks from occurring.”
The attackers gained access to a Cisco employee’s account by first taking control of the victim’s personal Google account; the employee’s Cisco credentials had been saved in Chrome and synchronized to that Google account, so compromising it exposed them. Because the account was protected by MFA, the threat actors then used voice phishing to talk the victim into accepting MFA push notifications that the attackers themselves had initiated, a tactic often called MFA push fatigue. Once a push was accepted they could reach the Cisco VPN in the context of that user.
From there, they used the stolen credentials to gain a foothold in the corporate network and escalated from it, obtaining administrative privileges on multiple systems. Cisco’s CSIRT detected the intrusion and evicted the attackers, but not before they had exfiltrated the contents of a Box folder tied to the compromised employee’s account (data Cisco described as non-sensitive) and had obtained Active Directory data, including employee authentication details.
Cisco notified affected customers and partners of the breach and published more details on its Talos blog post on Aug. 10, the day after ransomware gang Yanluowang posted data from the incident on its leak site. The company has since confirmed that the leaked files are authentic and a result of the May intrusion.
The Cisco CSIRT post notes that the attack involved several tools: remote access software such as LogMeIn and TeamViewer; offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket; and custom backdoors and persistence mechanisms. It also notes that the attackers tried to stay below alerting thresholds, logging in and out of the VPN frequently rather than holding long sessions and keeping their activity quiet by avoiding heavy CPU use or bandwidth consumption.
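Two of the behaviours above leave a recognisable trace in authentication logs: a run of ignored or denied MFA pushes followed by a single accept (the push-fatigue pattern that opened the door), and a burst of short VPN sessions from one account (the login/logout churn used to avoid standing out). The following detection sketch is an added example written for this article; it is not Cisco’s or Talos’s code, and the log format and the sample events are constructed for illustration rather than taken from any real Cisco, Duo or ASA log. The thresholds (three rejected pushes within ten minutes, five VPN logins within an hour) are assumptions to be tuned against your own baseline.

```python
"""Detection sketch for two behaviours described in the Cisco incident write-up:
(1) MFA push fatigue: several denied/expired pushes, then one approved push;
(2) VPN session churn: many VPN logins from one account inside a short window.
Added example; the log format and all events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format: "<ISO timestamp> <user> <event>").
# jdoe shows both patterns; asmith is a normal user with one denied push.
SAMPLE_LOG = """\
2022-05-01T03:10:05 jdoe mfa_push_denied
2022-05-01T03:10:40 jdoe mfa_push_timeout
2022-05-01T03:11:30 jdoe mfa_push_denied
2022-05-01T03:12:10 jdoe mfa_push_timeout
2022-05-01T03:14:02 jdoe mfa_push_approved
2022-05-01T03:14:30 jdoe vpn_login
2022-05-01T03:20:11 jdoe vpn_logout
2022-05-01T03:25:00 jdoe vpn_login
2022-05-01T03:31:45 jdoe vpn_logout
2022-05-01T03:40:09 jdoe vpn_login
2022-05-01T03:44:00 jdoe vpn_logout
2022-05-01T03:52:33 jdoe vpn_login
2022-05-01T03:58:20 jdoe vpn_logout
2022-05-01T04:05:15 jdoe vpn_login
2022-05-01T09:00:00 asmith mfa_push_denied
2022-05-01T09:00:45 asmith mfa_push_approved
2022-05-01T09:01:00 asmith vpn_login
2022-05-01T17:30:00 asmith vpn_logout
"""

REJECT_EVENTS = {"mfa_push_denied", "mfa_push_timeout"}


def parse_log(text):
    """Parse the hypothetical log format into sorted (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return sorted(events)


def detect_push_fatigue(events, min_rejects=3, window=timedelta(minutes=10)):
    """Flag an approved push preceded by >= min_rejects denied/expired pushes from
    the same user inside `window`: a user giving in to prompts they did not start.
    Returns a list of (user, approval_time, rejects_before_approval)."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected pushes
    hits = []
    for ts, user, event in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop rejects older than the window
            q.popleft()
        if event in REJECT_EVENTS:
            q.append(ts)
        elif event == "mfa_push_approved":
            if len(q) >= min_rejects:
                hits.append((user, ts, len(q)))
            q.clear()  # an approval ends the burst either way
    return hits


def detect_vpn_churn(events, min_logins=5, window=timedelta(hours=1)):
    """Flag users with >= min_logins VPN logins inside a sliding `window`,
    i.e. many short sessions instead of one long one. Returns sorted user names."""
    recent = defaultdict(deque)  # user -> timestamps of logins in the window
    hits = set()
    for ts, user, event in events:
        if event != "vpn_login":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= min_logins:
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, n in detect_push_fatigue(evs):
        print(f"push fatigue: {user} approved a push at {ts} after {n} rejected prompts")
    for user in detect_vpn_churn(evs):
        print(f"vpn churn: {user} logged in 5+ times within one hour")
```

Run against the constructed sample, the first detector reports jdoe approving a push at 03:14:02 after four rejected prompts, and the second reports jdoe for five VPN logins inside an hour; asmith trips neither. In production the same two signals are worth correlating with a third the write-up implies: enrollment of a new MFA device shortly before the first approved push.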
Cisco said that while it was disappointed by the attack, none of its products, services, sensitive customer or employee data, intellectual property, or supply chain operations were affected. The company has since fed intelligence gleaned from the attackers’ techniques into its security products, and is working with law enforcement authorities to pursue the suspects.