Networking equipment giant Cisco confirmed on Monday that it was the victim of a hacking attack on July 28, 2022, after the attackers broke into an employee's personal Gmail account that contained passwords synced from the employee's web browser.
"Starting access to Cisco's VPN system was achieved via the effectual compromise of one of their employees' personal Gmail accounts," Cisco Talos said in a detailed report. "The victim had enabled password syncing via Google Chrome and had stored their Cisco login information in their browser, enabling these credentials to synchronize to their Google account."
The disclosure comes as hackers associated with the AwakenCybers ransomware gang posted a list of files from the attack to their data leak website on August 9.
The leaked information, according to Talos, consisted of files saved in a Box cloud storage folder that was associated with the compromised employee's account and is not believed to have included any valuable data.
Apart from the credential theft, the attack also involved phishing, in which the adversary resorted to methods such as "vishing" (voice phishing) and repeated multi-factor authentication (MFA) prompts to trick the victim into granting access to their VPN account.
The MFA attack, also known as "prompt-bombing", is a technique in which threat actors flood a user's authenticator app with a mass of push notifications in the hope that the user will eventually give in and approve one, allowing the attacker to gain unauthorized access to the account.
After gaining an initial foothold, the attackers went on to enroll a series of new devices for 2FA and escalated to administrative privileges, giving them broad permissions to log in to a number of systems, an action that also caught the attention of Cisco's security staff.
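The two steps above (a burst of rejected or unanswered MFA pushes followed by an approval, then enrollment of a new 2FA device) leave a recognisable pattern in authentication logs. The following detector is an added example, not code from Cisco or Talos; the JSON event format, field names and log lines are constructed for illustration and are assumptions, not any real product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA event log (one JSON object per line); not real Cisco data.
SAMPLE_LOG = """
{"ts":"2022-07-28T02:11:05Z","user":"jdoe","event":"push","result":"denied"}
{"ts":"2022-07-28T02:12:40Z","user":"jdoe","event":"push","result":"timeout"}
{"ts":"2022-07-28T02:13:10Z","user":"jdoe","event":"push","result":"denied"}
{"ts":"2022-07-28T02:14:55Z","user":"jdoe","event":"push","result":"timeout"}
{"ts":"2022-07-28T02:15:00Z","user":"asmith","event":"push","result":"denied"}
{"ts":"2022-07-28T02:15:40Z","user":"asmith","event":"push","result":"approved"}
{"ts":"2022-07-28T02:16:02Z","user":"jdoe","event":"push","result":"denied"}
{"ts":"2022-07-28T02:17:30Z","user":"jdoe","event":"push","result":"denied"}
{"ts":"2022-07-28T02:18:45Z","user":"jdoe","event":"push","result":"approved"}
{"ts":"2022-07-28T02:21:10Z","user":"jdoe","event":"device_enrolled","result":"ok"}
"""

def parse_events(text):
    """Parse JSON lines into event dicts with a datetime field 't' (assumed format)."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events

def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who approved a push after >= threshold denied/unanswered pushes
    within `window`, and note whether a new MFA device was enrolled soon after."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        pending = []  # rejected/unanswered pushes still inside the window
        for i, e in enumerate(evs):
            if e["event"] != "push":
                continue
            pending = [p for p in pending if e["t"] - p["t"] <= window]
            if e["result"] in ("denied", "timeout"):
                pending.append(e)
            elif e["result"] == "approved":
                if len(pending) >= threshold:
                    enrolled = any(x["event"] == "device_enrolled"
                                   and x["t"] - e["t"] <= window for x in evs[i + 1:])
                    findings.append({"user": user, "rejected_pushes": len(pending),
                                     "approved_at": e["ts"], "new_device_after": enrolled})
                pending = []
    return findings
```

Running `detect_push_fatigue(parse_events(SAMPLE_LOG))` flags only `jdoe`; `asmith`, who denied once and then approved, stays below the threshold.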
The attack, which Cisco attributed to an initial access broker with ties to another hacking gang, UNC2447, as well as the LAPSUS$ threat actor group and the AwakenCybers gang, also involved adding the attackers' own fake accounts and persistence mechanisms, using them as bait for potential victims.
UNC2447, a "dangerous" financially motivated Russian-nexus threat, was uncovered in October 2021 exploiting a then zero-day flaw in SonicWall VPN to deploy FIVEHANDS malware.
Moreover, the hackers are said to have deployed a variety of hacking tools, including remote access trojans (RATs), mobile spy/hacking apps, and offensive security tools such as PowerSploit, Cobalt Strike, Impacket and Mimikatz, in order to raise their level of access to systems within the compromised network.
"After gaining access to the VPN successfully, the attacker then started to use the compromised user account to log in to a huge number of systems before beginning to move further into the environment," it explained. "They progressed into the Citrix environment, compromising a series of Citrix servers, and finally obtained access to domain controllers."
They also succeeded in moving files between systems within the environment using Remote Desktop Protocol (RDP) and Citrix by modifying host-based firewall configurations, not to mention staging their toolset in directories under the Public user profile on compromised hosts.
Cisco further noted that the hackers, after being removed from the network, tried to establish email communication with company executives at least five times, pressuring them to pay so that "no one will find out about the incident and information leakage." The emails also had a screenshot attached of the directory listing of the exfiltrated Box folder.
Besides initiating a company-wide password reset, the San Jose-based company stressed that the incident had no effect on its business relationships, nor resulted in unauthorized access to sensitive customer data, employee personal information or intellectual property, adding that it has "successfully blocked hacking attempts" to gain access to its network since then.