Cisco Security Incident by Yanluowang ransomware group

According to Cisco, bad actors published a list of files from this security incident on the dark web on August 10.

As part of its efforts to protect the wider security community, Cisco has also implemented additional measures to safeguard its systems.

Despite the discovery of the incident, Cisco said it had successfully blocked attempts to access its network.

According to the company, it has reached out to law enforcement as part of a range of responses to the attack.

A blog post published by Cisco Security Incident Response (CSIRT) and Cisco Talos provided additional details, stating that the Yanluowang gang compromised a Cisco employee's credentials “after an attacker gained control of the victim's personal Google account where credentials were synchronized from the victim’s browser.”

To persuade the victim to accept the multi-factor authentication (MFA) push notifications it was initiating, the attacker conducted sophisticated voice phishing attacks under the guise of various trusted organizations.

Ultimately the attacker obtained an MFA push acceptance, which granted access to the VPN.
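The push-notification pattern described above leaves a trace in an MFA provider's logs that a SOC can watch for: a burst of push prompts to one account in a short window, and an approval that follows a run of denials or timeouts. The following Python is an added example, not code from Cisco, Talos or The Record; the log line format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example, not Cisco's or Talos's code. The log format (ISO timestamp,
user, event name, result=...), the window and the thresholds are assumptions;
the sample lines are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one account receives six prompts in three
# minutes and approves the last one; another account shows normal use.
SAMPLE_LOG = """\
2022-05-24T08:01:02Z alice push_sent result=denied
2022-05-24T08:01:40Z alice push_sent result=denied
2022-05-24T08:02:15Z alice push_sent result=timeout
2022-05-24T08:02:50Z alice push_sent result=denied
2022-05-24T08:03:30Z alice push_sent result=denied
2022-05-24T08:04:05Z alice push_sent result=approved
2022-05-24T09:15:00Z bob push_sent result=approved
2022-05-24T12:30:00Z bob push_sent result=denied
2022-05-24T12:45:00Z bob push_sent result=approved
"""

WINDOW = timedelta(minutes=10)  # trailing window for counting prompts (assumed)
BURST_THRESHOLD = 4             # prompts within the window that count as a burst
FAILURES_BEFORE_APPROVAL = 2    # denials/timeouts before an approval that look coerced


def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, result)."""
    ts, user, _event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result.split("=", 1)[1]


def parse_log(text):
    """Group events per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))
    for user in events:
        events[user].sort()
    return events


def detect_push_fatigue(text, window=WINDOW, threshold=BURST_THRESHOLD,
                        failures=FAILURES_BEFORE_APPROVAL):
    """Return {user: summary} for accounts showing push-fatigue indicators."""
    alerts = {}
    for user, evs in parse_log(text).items():
        max_in_window = 0
        suspicious_approvals = []
        for i, (ts, result) in enumerate(evs):
            # All prompts for this user in the trailing window ending at this event.
            recent = [(t, r) for t, r in evs[:i + 1] if ts - t <= window]
            max_in_window = max(max_in_window, len(recent))
            if result == "approved":
                prior_failures = sum(1 for _, r in recent[:-1] if r in ("denied", "timeout"))
                if prior_failures >= failures:
                    suspicious_approvals.append(ts)
        if max_in_window >= threshold or suspicious_approvals:
            alerts[user] = {
                "max_prompts_in_window": max_in_window,
                "approvals_after_failures": suspicious_approvals,
            }
    return alerts


if __name__ == "__main__":
    for user, summary in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, summary)
```

An approval that follows several denials is the higher-value signal here: a burst alone can be a user fumbling a phone, but a denial streak ending in an approval is exactly what a vishing call is meant to produce, and is a reasonable trigger for revoking the resulting session and calling the employee back on a known number.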

The only data exfiltration during the attack was the contents of a Box folder belonging to the compromised employee's account, Cisco's security teams said.

“The adversary did not obtain sensitive information” in this case.

The Yanluowang group claimed responsibility for the attack, but Cisco believes it was actually launched by an initial access broker with ties to UNC2447 and the Lapsus$ threat actor group.

Full story on The Record Media