Cisco confirmed that attackers gained access to an employee’s VPN client via a compromised Google account, which was synchronizing credentials saved in the victim’s browser.
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account,” wrote Cisco Talos.
The attacker conducted a series of sophisticated voice phishing attacks (vishing) disguised as trusted organizations, in order to convince the victim to accept multi-factor authentication (MFA) push notifications. Once the MFA push was accepted, the attacker gained access to the Cisco VPN.
What’s surprising about this case is how the cybercriminal bypassed the multifactor authentication tied to the VPN client. In addition to vishing, efforts included a type of attack called MFA fatigue, described by Cisco Talos as “the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”
Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. A variety of activities allowed them to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
However, the Cisco Talos research team stated they have not identified any evidence suggesting that the bad actor gained access to critical internal systems, such as those related to product development, code signing, etc.
“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”, continued the official statement.
IABs typically attempt to obtain privileged access to corporate networks and monetize it by selling it to other threat actors, who can, in turn, leverage it for a variety of purposes. “While we did not observe ransomware deployment in this attack, the tactics, techniques, and procedures (TTPs) used were consistent with ‘pre-ransomware activity,’ commonly observed leading up to the deployment of ransomware in victim environments.”, added the Cisco Talos team.
While MFA is considered an essential security measure for organizations, it wasn’t enough in this case. Considering the cybercriminal used social engineering and phishing attacks to trick the employee into accepting the MFA notification, cybersecurity awareness proves to be another critical initiative to prevent intrusions.
In response to the attack, Cisco implemented a company-wide password reset immediately, according to the Cisco Talos report.
When it comes to credentials, we’ve found that 76% of users change their passwords only when they have to, and 63% craft them with the bare minimum security requirements. This can be alarming considering exposed credentials are an easy gateway for cybercriminals into the corporate network, and can lead to more serious threats like ransomware.
Watch the webinar: Stolen credentials, a conduit for ransomware into your network
Despite the frequency of social engineering attacks, organizations continue to face challenges mitigating those threats. User training is paramount, including password hygiene, cybersecurity basics, and making sure employees know the legitimate ways that support staff will contact them, in order to avoid giving away sensitive information.
Get the ebook: How to protect your network from exposed credentials
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|