Cisco has revealed that it was hacked by a group affiliated with several well-known criminal groups, including Lapsus$, UNC2447, and the Yanluowang ransomware gang.
The company's threat intelligence group, Cisco Talos, says it "became aware of a potential compromise" on May 24. It responded to the potential breach alongside the Computer Security Incident Response Team (CSIRT) and confirmed the company had indeed been hacked.
"During the investigation," Talos says, "it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized."
Talos says the attackers then used voice-based phishing attempts—which the security industry has insisted on referring to as "vishing"—to "convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker" after that initial compromise.
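The MFA step described above is the classic "push fatigue" pattern: the attacker already holds the password, fires off repeated push prompts, and talks the victim into approving one. The detector below is an added example written for this page, not code from Talos, Cisco or PCMag, and the log lines it runs over are constructed for illustration (the `user=` / `result=` / `src=` key-value format is an assumption, not any vendor's real log schema). For each approved push it looks back over a short window and counts the pushes the user did not approve; a burst of denials or timeouts ending in an approval is the shape a human almost never produces but a push-bombing attacker always does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real Cisco or Duo data): one line per push
# sent to the user's device, with the user's decision and the source of the attempt.
SAMPLE_LOG = """\
2022-05-24T09:58:02Z user=alice result=approved src=10.0.0.5
2022-05-24T14:02:11Z user=bob result=denied src=203.0.113.7
2022-05-24T14:02:40Z user=bob result=denied src=203.0.113.7
2022-05-24T14:03:05Z user=bob result=timeout src=203.0.113.7
2022-05-24T14:03:33Z user=bob result=denied src=203.0.113.7
2022-05-24T14:04:20Z user=bob result=approved src=203.0.113.7
2022-05-24T16:10:00Z user=carol result=denied src=198.51.100.9
2022-05-24T17:45:00Z user=carol result=approved src=10.0.0.8
"""

WINDOW = timedelta(minutes=10)   # how far back to look from an approval
MIN_PUSHES = 3                   # approval plus two or more unapproved pushes is suspicious


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict (assumed log format)."""
    ts_str, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_push_fatigue(events, window=WINDOW, min_pushes=MIN_PUSHES):
    """Return one alert per approval that was preceded by a burst of unapproved pushes.

    For every 'approved' event, count the same user's earlier pushes inside `window`
    whose result was anything other than 'approved' (denied, timeout, ...). If the
    burst including the approval reaches `min_pushes`, flag it: the user eventually
    accepted a prompt they had been rejecting, which is the outcome the attacker wants.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            prior = [
                p for p in evs[:i]
                if e["ts"] - p["ts"] <= window and p["result"] != "approved"
            ]
            if len(prior) + 1 >= min_pushes:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"],
                    "unapproved_before": len(prior),
                    "sources": sorted({p["src"] for p in prior} | {e["src"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, `bob` is flagged (four unapproved pushes in two minutes, then an approval from the same unfamiliar source), while `alice` (one prompt, approved) and `carol` (a single denial an hour and a half before an unrelated approval) are not. In production the same logic would run over the identity provider's authentication log, and the `sources` field is what lets an analyst see that the approved push came from the attacker's address rather than the employee's usual one.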
Talos characterizes the hackers' activities, which include gaining access to Cisco's virtual private network, escalating privileges on compromised systems, and establishing persistence via multiple remote desktop services, among other things, as "pre-ransomware activity."
The attackers were ultimately removed from Cisco's network before they could deploy any ransomware. They attempted to regain access to the compromised systems multiple times afterward, Talos says, but those efforts appear to have been unsuccessful.
But the hackers didn't leave empty-handed. Talos says they made off with "the contents of a Box folder that was associated with a compromised employee’s account" that "in this case was not sensitive." (They also took "employee authentication
Read more on pcmag.com