[MART] - Daily Diary #572 - Cisco Confirms Breach by Yanluowang Ransomware

ctas-mat at appgate.com ctas-mat at appgate.com
Thu Aug 11 21:59:41 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/11/2022 - Diary entry #572:

This week Cisco confirmed it was a victim of a breach in May this year. The confirmation comes after Yanluowang ransomware created a post on their wall of shame mentioning Cisco. So far no data is available for download, but the group claims to have stolen more than 3 thousand files with a total size of 2.8GB.

According to Cisco's report, the initial breach was through a VPN appliance, after an employee's credential was compromised. The VPN appliance had MFA enabled, but the attackers used "MFA fatigue" - a technique consisting of flooding the user's authentication app with push notifications in the hope they will accept the request by accident and enable access to the attackers - to gain an initial foothold. After the initial access, the attacker started to move laterally in the network, enrolling new devices for MFA and getting privileged access.

Cisco claims the incident had no impact on their products or customers, since the intrusion was detected and the threat actor's access was terminated. The attack is being attributed to Lapsus$ (covered more recently in our Daily Diary #477), along with Yanluowang ransomware (covered in our Daily Diary #402) - although no ransomware was deployed in the environment. Also according to Cisco, the only data accessed by the attackers was in a Box cloud storage directory for the compromised employee's account, which does not contain private or valuable data.

Kind Regards,



Felipe Duarte Domingues
Manager, MART

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
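
A detection sketch for the push-flood pattern described in the diary entry, added here as an example and not taken from the original message or from Cisco's report. The event tuple layout, the result values, and the thresholds are assumptions, and the sample events are constructed; it flags an approved push that follows a burst of denied or timed-out pushes and notes any device enrollment soon after.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event, result).
# Field names and values are assumptions, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2030-01-01T02:10:05", "alice", "push", "denied"),
    ("2030-01-01T02:10:40", "alice", "push", "timeout"),
    ("2030-01-01T02:11:15", "alice", "push", "denied"),
    ("2030-01-01T02:11:50", "alice", "push", "timeout"),
    ("2030-01-01T02:12:20", "alice", "push", "approved"),
    ("2030-01-01T02:20:00", "alice", "enroll_device", "success"),
    ("2030-01-01T09:00:00", "bob", "push", "timeout"),
    ("2030-01-01T09:00:30", "bob", "push", "approved"),
    ("2030-01-01T13:00:00", "bob", "enroll_device", "success"),
]

def detect_mfa_fatigue(events, min_rejected=3, window=timedelta(minutes=10),
                       follow_up=timedelta(minutes=30)):
    """Flag an approved push preceded by >= min_rejected denied/timed-out
    pushes for the same user inside `window`, and attach device enrollments
    that happen within `follow_up` of that approval."""
    recent = defaultdict(deque)  # user -> timestamps of rejected pushes
    open_alerts = {}             # user -> most recent alert for that user
    alerts = []
    for ts_raw, user, event, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if event == "push":
            q = recent[user]
            while q and ts - q[0] > window:   # drop pushes outside the window
                q.popleft()
            if result in ("denied", "timeout"):
                q.append(ts)
            elif result == "approved":
                if len(q) >= min_rejected:
                    alert = {"user": user, "approved_at": ts,
                             "rejected_before": len(q), "enrollments": []}
                    alerts.append(alert)
                    open_alerts[user] = alert
                q.clear()                     # approval ends the current burst
        elif event == "enroll_device" and user in open_alerts:
            alert = open_alerts[user]
            if ts - alert["approved_at"] <= follow_up:
                alert["enrollments"].append(ts)
    return alerts

if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(a)
```
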
