Cisco Systems revealed details of a May hack by the Yanluowang ransomware group that leveraged a compromised employee’s Google account.
The networking giant is calling the attack a “potential compromise” in a Wednesday post by the company’s own Cisco Talos threat research arm.
“During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized,” wrote Cisco Talos in a lengthy breakdown of the attack.
Forensic details of the attack lead Cisco Talos researchers to attribute the attack to the Yanluowang threat group, which they maintain has ties to both the UNC2447 and the notorious Lapsus$ cybergangs.
Ultimately, Cisco Talos said the adversaries were not successful at deploying ransomware malware, however were successful at penetrating its network and planting a cadre of offensive hacking tools and conducting internal network reconnaissance “commonly observed leading up to the deployment of ransomware in victim environments.”
Outsmarting MFA for VPN Access
The crux of the hack was the attackers ability to compromise the targeted employee’s Cisco VPN utility and access the corporate network using that VPN software.
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account,” wrote Cisco Talos.
With credentials in their possession, attackers then used a multitude of techniques to bypass the multifactor authentication tied to the VPN client. Efforts included voice phishing and a type of attack called MFA fatigue. Cisco Talos describes the MFA fatigue attack technique as “the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”
The MFA spoofing attacks leveraged against Cisco employee were ultimately successfully and allowed the attackers to run the VPN software as the targeted Cisco employee. “Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN,” researchers wrote.
“The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident,” they said.
Tools used by attackers included LogMeIn and TeamViewer and also offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz and Impacket.
While MFA is considered an essential security posture for organizations, it is far from hack-proof. Last month, Microsoft researchers uncovered a massive phishing campaign that can steal credentials even if a user has multi-factor authentication (MFA) enabled and has so far attempted to compromise more than 10,000 organizations.
Cisco Highlights its Incident Response
In response to the attack, Cisco implemented a company-wide password reset immediately, according to the Cisco Talos report.
“Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression,” they wrote.
The company then created two Clam AntiVirus signatures (Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0) as a precaution to disinfect any possible additional compromised assets. Clam AntiVirus Signatures (or ClamAV) is a cross-platform antimalware toolkit able to detect a variety of malware and viruses.
“Threat actors commonly use social engineering techniques to compromise targets, and despite the frequency of such attacks, organizations continue to face challenges mitigating those threats. User education is paramount in thwarting such attacks, including making sure employees know the legitimate ways that support personnel will contact users so that employees can identify fraudulent attempts to obtain sensitive information,” Cisco Talos wrote.