Cisco refutes recent claims of a new ransomware attack, asserting that data leaked by the Kraken ransomware group originates from a previous breach.
The Kraken group published information allegedly obtained from Cisco’s internal network on its dark web leak site.
This data reportedly included sensitive credentials, such as privileged administrator accounts and NTLM password hashes, which could potentially be used to forge authentication tickets. The group threatened further attacks.
Cybersecurity expert Jamie Akhtar, CEO and co-founder of CyberSmart, highlighted the potential damage from this leaked data.
“Hypothetically, the data leaked could allow cyber criminals to do a number of potentially damaging things. For example, the domain controller credentials could allow hackers to escalate privileges within Cisco’s network, move across networks within its wider infrastructure, and access and steal sensitive data.”
However, Cisco maintains that the compromised credentials stem from a security incident in May 2022. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers.”
The 2022 incident involved attackers gaining control of a personal Google account containing Cisco employee credentials through advanced voice phishing (vishing) attacks. They bypassed MFA and accessed a VPN, attempting to establish persistence and escalate privileges.
Cisco successfully removed the intruder, who made subsequent unsuccessful re-entry attempts. Cisco’s CSIRT and Talos teams found no evidence of access to critical internal systems, including the production environment or code signing infrastructure.
Cisco attributed the 2022 attack to an initial access broker (IAB) linked to UNC2447 (as tracked by Mandiant), a group known for using FiveHands malware and associated with the Lapsus$ and Yanluowang ransomware operations.
The Cisco breach incident, therefore, is not a new event but a reemergence of data from a previously resolved incident. It nonetheless highlights the ongoing threat posed by stolen data and the importance of robust security measures, such as rotating credentials exposed in an earlier compromise.
The Kraken data breach narrative underscores the complexities of cybersecurity incidents and the challenges in definitively attributing responsibility. The Cisco breach highlights the persistent threat of data exfiltration even after an initial breach is remediated.