Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts

cisco webex accounts deleted

The insider threat will go to jail for two years after compromising Cisco’s cloud infrastructure.

A man has been sentenced to two years in jail after being convicted of hacking Cisco’s Webex collaboration platform in an insider-threat case brought to the U.S. District Court in California.

Sudhish Kasaba Ramesh, 31, admitted that he broke into Cisco’s cloud infrastructure in 2018, hosted on Amazon Web Services, about four months after he resigned from the company. From there, he said in his plea agreement that he deployed a code from his Google Cloud Project account, which automatically deleted 456 virtual machines that host the WebEx Teams application.

As a result, 16,000 WebEx Teams accounts were shut down for up to two weeks; and, the incident cost Cisco about $1.4 million in remediation costs, including refunding $1 million to affected customers, according to a court announcement.

Threatpost Webinar Promo Bug Bounty

Click to register.

The defendant was further sentenced to serve a one-year period of supervised release following the 24 months in prison. And, in addition to jail time, the court ordered Ramesh to pay a $15,000 fine for intentionally accessing a protected computer without authorization and recklessly causing damage to Cisco.

He will begin serving the sentence on February 10, 2021.

It’s unclear why Ramesh mounted the attack or how he was able to access Cisco’s infrastructure after he was no longer working for the company.

Insider threats – be they disgruntled former employees, rogue employees or clueless workers who accidentally create risk – are an ongoing top danger for companies. Often, employees are groomed by outsiders. According to A 2019 study from OpenText, between 25 to 30 percent of data breaches involved an external actor working with an internal person in an organization.

“We used to focus on external threat actors, but now, when compromising the network, many have someone on the inside, whether it’s because they bribed them or blackmailed them,” Paul Shomo, senior security architect with OpenText, said at the time.

The insider-threat issue has been exacerbated by the transition to remote work. In the past, insider threats from employees and others given access to the network were more easily monitored because they were inside the network perimeter, and so malicious activity could be more easily detected.

“Even while employees continue to work from home, they still require access to corporate assets to do their jobs well,” said Justin Jett, director of compliance and audit at Plixer, in a recent Threatpost column. “Without access, some employees can’t perform their duties at all. Organizations must define long-term policies for how employees access company-owned assets, especially if they intend to allow employees to work from home indefinitely. Such policies should include restricting access by role, as well as other security measures like requiring employees to be connected to the corporate VPN.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows; Limor Kessem, Executive Security Advisor, IBM Security; and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.


Suggested articles