Cisco Pwned by ‘Russian’ Gang — Data Leaked, Egg on Face

Cisco got hacked by a ransomware gang—a broker for the UNC2447 threat actor, linked to the Yanluowang crew (pictured). This was way back at the end of May, but Cisco’s only now talking about it.

UNC2447 has “a nexus to Russia,” says Cisco. But the networking monolith made it easy for the scrotes, by failing to install a month-old Windows update and using broken multi-factor authentication (MFA).

What a mess. In today’s SB Blogwatch, we try to learn from Cisco’s mistakes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: They don’t make sci-fi like they used to.

MFA FAIL

What’s the craic? Sergiu Gatlan reports—“Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen”:

Patched in April
The Yanluowang threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications.

The threat actors … gained access to the VPN in the context of the targeted user. Once they gained a foothold on the company’s corporate network, [they] spread laterally to Citrix servers and domain controllers. … After gaining domain admin, they used enumeration tools … to collect more information and installed a series of payloads onto compromised systems, including a backdoor malware. [They] claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files.

Cisco [did] not mention any info on the exploit executable that was discovered. However, according to … VirusTotal, the exploit is for CVE-2022-24521, a Windows Common Log File System Driver Elevation of Privilege vulnerability … patched in April 2022.

Yanluwhatnow? Duncan Riley drives the point home—“Cisco breached by Yanluowang ransomware gang”:

Yanluowang first appeared in October [2021], according to a report that month from the Symantec Threat Hunter Team. … Trend Micro [said] Yanluowang, which is named after the Chinese deity Yan Luo Wang, in December [used] files that are code-signed using a valid digital signature.

Horse’s mouth? Cisco’s Nick Biasini offers “insights related to recent cyber attack”:

A nexus to Russia
On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response … and Cisco Talos have been working to remediate. … The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.

Throughout the attack, we observed attempts to exfiltrate information. … We confirmed that the only successful data exfiltration [was] the contents of a Box folder [from the] compromised employee’s account and employee authentication data from active directory.

We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. … UNC2447 is a financially-motivated threat actor with a nexus to Russia.

Yes, but how did they get MFA access? Andrew Brooks describes “MFA Fatigue”:

The employee was eventually tricked
MFA fatigue was critical to helping the attacker break through Cisco’s network. MFA fatigue is also known as MFA prompt spamming. After gaining access to compromised login credentials, a hacker tricks a user by repeatedly sending push notifications to authorize the login.

Through MFA fatigue and a series of … voice phishing attacks that faked trusted support organizations, the attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications. The employee was eventually tricked into accepting one of the MFA notifications.
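The prompt-spamming pattern Brooks describes leaves a signature in an identity provider's push logs: a run of denied or timed-out pushes for one user shortly followed by an approval. The following detection logic is an added example, not code from the article or from Cisco; the log line format, the 10-minute window and the threshold of three are assumptions, and the log lines are constructed.

```python
# Added example: flagging MFA "prompt spamming" in push-notification logs.
# Log format, window and threshold are assumptions; adapt to your IdP's export.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<id> result=<approved|denied|timeout>"
SAMPLE_LOG = """\
2022-05-01T01:12:05Z user=jdoe result=timeout
2022-05-01T01:12:41Z user=jdoe result=denied
2022-05-01T01:13:20Z user=jdoe result=timeout
2022-05-01T01:14:02Z user=jdoe result=denied
2022-05-01T01:15:30Z user=jdoe result=timeout
2022-05-01T01:16:11Z user=jdoe result=approved
2022-05-01T01:20:00Z user=asmith result=approved
2022-05-01T02:00:00Z user=bjones result=denied
2022-05-01T02:00:30Z user=bjones result=approved
"""

WINDOW = timedelta(minutes=10)   # assumed: look back this far before an approval
THRESHOLD = 3                    # assumed: this many unapproved pushes is suspicious

def parse(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], result.split("=", 1)[1])

def find_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {user: unapproved pushes preceding an approval} for users over threshold."""
    by_user = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, result = parse(line)
        by_user[user].append((ts, result))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts, result) in enumerate(events):
            if result != "approved":
                continue
            # count pushes the user denied or ignored inside the window before this approval
            rejected = sum(1 for t, r in events[:i]
                           if r != "approved" and ts - t <= window)
            if rejected >= threshold:
                alerts[user] = max(alerts.get(user, 0), rejected)
    return alerts

if __name__ == "__main__":
    print(find_fatigue(SAMPLE_LOG))  # jdoe approved after five unapproved pushes
```

An approval that follows a burst of rejected pushes is the event worth paging on; a single denied push followed by an approval (bjones above) is normal user behaviour and stays below the threshold.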

MFA push notifications? That’s a stupid idea, argues Zocalo:

But in my experience that’s pretty much how most of those MFA-app based setups are configured to work: … You initiate a login somewhere and enter your credentials (“what you know”), then you get a pushed challenge on your paired phone or whatever to approve it (“what you have”).

The more secure way is to just prompt for the random token in the relevant section of the app, usually a six-digit number as part of the login process. That requires you sign into the app, open the relevant token, look up the code, and then enter it.

[It] takes a bit longer but is clearly a process that you have initiated, and not some random “you need to reauthenticate” reminder that the bad actors here appear to have spammed their victim with.

As does packet_nerd:

This is why we need webauthn everywhere! Push notifications and friends are all susceptible to this kind of attack, webauthn is not.

If only Cisco had acquired a security company or three. Oh, wait. This Anonymous Coward can’t wait to snark it up:

Cisco should definitely demand that their hardware vendor fix their broken and obviously insufficient device security. Oh, wait.

You’d think that Cisco, being Cisco, would be running all the newest high-end IDS/IPS wiz-bang stuff and would have seen this coming from a mile away and dealt with it before it got anywhere or could send any data out. I mean, hell, if Cisco can’t even keep control of the networks that they themselves design and build, what hope do any of the rest of us mere mortals have?

Someone should get off the fence. Leave it to our old friend, gweihir:

Cisco is simply incompetent with regards to IT security. Their products have made that clear for at least a decade. It is absolutely no surprise that their corporate systems are no better.

Meanwhile, is that entirely fair? Let’s sip us a sanmigueelbeer:

Most other companies have a (small) team but Cisco, however, has a large army of security specialists, plus other subsidiaries, like TALOS.

And the intruders were not prepared. They got in and moved laterally, exfiltrated a few GB worth of data. They did not lock up any files nor destroy any. Yup, the intruders were ill-prepared.

And Finally:

How the MCU will sound in the future

Hat tip: nospoon


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Amcaja (cc:by-sa; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
