Cisco: More Company data stolen in Yanluowang ransomware attack made public

US vendor Cisco was, after all, the victim of a ransomware attack by the Yanluowang group, which was also made public. Now the group has started to publish company data that was captured during this attack. Cisco has since issued a statement on this new release. So far, there are no findings that very sensitive data affecting the company's business was captured or published.


Review: The Yanluowang ransomware attack

I had reported it in August 2022 in the blog post Cisco admits hack (in May 2022) and publishes details. US vendor Cisco was the victim of a cyberattack in May 2022. The first access to the Cisco VPN was through the successful compromise of a Cisco employee's personal Google account. The user had enabled password synchronization via Google Chrome and stored his Cisco credentials in his browser, allowing that information to be synchronized with his Google account.

The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations, trying to convince the victim to accept attacker-initiated push notifications for multi-factor authentication (MFA). By the end of the day, the Yanluowang Group attackers managed to penetrate the company's IT infrastructure.

I had reported that the attackers compromised a number of Citrix servers and eventually gained privileged access to domain controllers. As of Aug. 10, 2022, Cisco has made this attack public – in part because the attackers published captured information. Cisco Talos said that the Cisco security team became aware of the attacks early on and was able to observe the attacker (the Yanluowang ransomware gang) as it conducted its activities. Quote:

Cisco confirmed that the only successful data exfiltration that occurred during the attack included the contents of a box folder associated with a compromised employee's account and the employee's authentication credentials from Active Directory. The box data obtained by the attacker in this case was not sensitive.

These statements were based on the list of files from this security incident that the attacker published on the dark web. The details can be read in this Cisco post. Cisco has published an FAQ about the incident here.

Cisco confirms data leak

I see from the following tweet that the Yanluowang group is publishing more files captured in the attack. The article here states that a total of 55 GB of data was siphoned by the Yanluowang ransomware group in the above cyber attack. The cyber criminals told Bleeping Computer that they stole thousands of files with a total size of 55 GB, including secret documents, technical plans and source code. Bleeping Computer received a screenshot that was supposed to show files from a development environment – which could not actually be verified.


(Image: Cisco Yanluowang Ransomware Group Data)

On September 11, 2022, Cisco Talos published an update to its article on the cyber attack (as well as this article). It states that the perpetrators published files on the dark web on September 11, 2022. Those files matched the previously published list of filenames from the security incident. Cisco states that the content of these files matched what it had already identified and published.

Cisco's assessment to date, the company says, shows that this incident had no impact on Cisco products or services, customer data, employee information, intellectual property or supply chain operations. Preliminary conclusion: yes, Cisco was tricked by the ransomware group, and the attackers were able to penetrate the IT network and even take over a domain controller. But the captured data did not prove critical enough to affect products or services, trade secrets, or relationships with suppliers or customers. It remains exciting to see whether Cisco will have to correct its assessment at the end of the day – or whether the ransomware gang's announcements were just hot air.
