Cisco Data Breach: Kraken Ransomware Group Leaks Sensitive Credentials

Cisco data breach exposed sensitive credentials, allegedly leaked by the Kraken ransomware group. The leaked data includes NTLM hashes and privileged accounts, highlighting the threat of Mimikatz and similar tools.

The Cisco data breach has exposed sensitive credentials from the tech giant’s internal network. A report from Cyber Press Research reveals that the Kraken ransomware group allegedly leaked a dataset on their dark web blog. This dataset contains hashed passwords from a Windows Active Directory environment, including domain user accounts, Relative Identifiers (RIDs), and NTLM password hashes.

Compromised Data and Potential Impact

Security researchers suspect the data was extracted using tools like Mimikatz, pwdump, or hashdump. The compromised data includes usernames, security identifiers, and password hashes linked to Cisco’s corporate infrastructure. This includes:

• Privileged administrator accounts (e.g., Administrator:500)
• Regular user accounts (e.g., cisco.com\carriep)
• Service and machine accounts associated with domain controllers (e.g., ADC-SYD-P-1$, ADC-RTP-P-2$)
• The Kerberos Ticket Granting Ticket (krbtgt) account

Each entry in the leaked dataset follows a structured format: username and domain, RID, LM hash (often disabled, appearing as aad3b435b51404eeaad3b435b51404ee when inactive), and NTLM hash.
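As an added example (not from the report or the leaked data), a small Python triage script for a dump in the entry format just described: it parses constructed sample lines, labels the built-in Administrator (RID 500), machine accounts and krbtgt, and flags entries whose LM hash is actually stored or whose NT hash is that of an empty password, so responders can order the resets. The account names, RIDs and hashes in the sample are invented; the two constants are the well-known LM and NT hashes of an empty string.

```python
import re
from collections import Counter
# Constructed example: the names, RIDs and hashes below are not from the leaked dataset.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" -> LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" -> account has no password
HEX32 = re.compile(r"^[0-9a-f]{32}$")
def parse_entry(line):
    """Parse one 'DOMAIN\\user:RID:LM:NT:::' line; return None for non-entries."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    lm, nt = parts[2].lower(), parts[3].lower()
    if not (HEX32.match(lm) and HEX32.match(nt)):
        return None
    domain, _, user = parts[0].rpartition("\\")
    return {"domain": domain, "user": user, "rid": int(parts[1]), "lm": lm, "nt": nt}

def classify(entry):
    """Label the account so responders can order the password resets."""
    user = entry["user"].lower()
    if user == "krbtgt":
        return "krbtgt"         # reset twice (after replication) to invalidate Golden Tickets
    if entry["rid"] == 500:
        return "builtin-admin"  # RID 500 is the built-in Administrator whatever it is named
    if user.endswith("$"):
        return "machine"        # computer / DC accounts: rotate machine account passwords
    return "user"

def triage(dump_text):
    """Return (counts per label, accounts needing immediate action)."""
    counts, urgent = Counter(), []
    for line in dump_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        kind = classify(e)
        counts[kind] += 1
        weak = e["lm"] != EMPTY_LM or e["nt"] == EMPTY_NT  # LM hash stored, or empty password
        if kind != "user" or weak:
            urgent.append(e["user"])
    return counts, urgent

SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
example.local\\alice:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
legacy:1107:0011223344556677aabbccddeeff0011:31d6cfe0d16ae931b73c59d7e0c089c0:::
this line is the attackers' note, not an entry
"""
```

Running `triage(SAMPLE)` on the constructed dump returns four urgent accounts (Administrator, DC01$, krbtgt and legacy) and skips the non-entry line.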

The presence of NTLM hashes is particularly concerning, as these can be cracked using brute-force or dictionary attacks, potentially granting attackers unauthorized access to Cisco’s systems. The compromise of privileged accounts allows attackers to:

• Escalate privileges
• Access critical network resources
• Deploy ransomware or other malicious payloads

The inclusion of domain controller (DC) accounts suggests deep network access, enabling lateral movement and further attacks like Kerberoasting or Pass-the-Hash. Attackers could also establish persistent access via Golden Ticket or Silver Ticket attacks, leading to sensitive data exfiltration.

Threat Actor and Recommended Countermeasures

The leaked dataset includes a threatening message from the attackers, suggesting a prolonged presence within Cisco’s network and a potential intent to return. This points to a sophisticated cybercrime group or even a nation-state actor.

While Cisco hasn’t officially confirmed the breach, security professionals recommend immediate countermeasures:

• Forced password resets for affected users and service accounts
• Disabling NTLM authentication where possible
• Deploying multi-factor authentication (MFA)
• Investigating access logs for unauthorized activity and privilege escalation attempts
• Enhancing monitoring to detect further attempts at unauthorized access

This Cisco data breach highlights the increasing threat of credential-based cyberattacks and the urgent need for robust security defenses. The use of tools like Mimikatz in this ransomware group’s attack underscores the sophistication of modern cyber threats. Rapid incident response is crucial to prevent further damage and protect sensitive information.