Cisco was hit by a cyberattack in late May. The attackers captured network data. The incident involved an initial access broker that maintains close relationships with several ransomware groups. One is Lapsus$, which previously caused data breaches at major tech companies.

Cisco recently announced it fell victim to a cyberattack that caused a data breach in late May. The admission came after the attackers announced some of the stolen data on the dark web.

The attack was carried out by cracking the personal Google account of a Cisco employee. The employee had synchronized Cisco login data with his Google Chrome account. Once the Google account was compromised, the Cisco credentials were up for grabs.

Through social engineering and the disguise of a “trusted organization”, the attackers managed to get a multifactor push authentication notification accepted on the employee’s device. This allowed the attackers to access the Cisco network via the credentials of the employee in question. The attackers were then able to steal the data.

No sensitive data stolen

Cisco states the attackers did not gain access to critical systems, such as systems for product development and source code. The only stolen data was hosted in a Box folder associated with the employee’s account. According to Cisco, the data contained therein wasn’t sensitive.

The attackers did install various tools to facilitate data movement and exfiltration. The attackers also left behind several payloads that are currently being analyzed by Cisco.

Broker for Lapsus$

Further investigation reveals that the attacker functioned as an initial access broker (IAB) for known ransomware groups, including UNC2447, Yanluowang and Lapsus$. IABs typically try to gain privileged access to corporate networks and sell that access to other attackers.

The IAB did not directly attempt a ransomware attack, but made preparations to encrypt files instead. This was unsuccessful, as the IAB was discovered and removed from the system. The attackers made several further attempts, but failed to breach the system twice. According to Cisco, all employee passwords were reset following the attack.
