11.08.2022 21:57:35
Cisco Systems Faced Cyberattack From Hacked Employee's Google Account
(RTTNews) - Cisco Systems revealed on Wednesday details of a May hack by the Yanluowang ransomware group, which leveraged a compromised employee's Google account. The networking giant is calling the attack a "potential compromise" in a post by the company's own Cisco Talos threat research arm.
"During the investigation, it was determined that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized," wrote Cisco Talos while giving details of the attack.
Forensic details of the attack led Cisco Talos researchers to attribute the attack to the Yanluowang threat group, which they maintain has ties to both the UNC2447 and the notorious Lapsus$ cybergangs.
Cisco Talos said that while the adversaries did not succeed in deploying ransomware, they did penetrate its network, plant a cadre of offensive hacking tools and conduct internal network reconnaissance "commonly observed leading up to the deployment of ransomware in victim environments."
The main point of the hack was the attackers' ability to compromise the targeted employee's Cisco VPN utility and access the corporate network using that VPN software.
"Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account," wrote Cisco Talos.
With credentials in their possession, attackers then used a multitude of techniques to bypass the multifactor authentication tied to the VPN client. Efforts included voice phishing and a type of attack called MFA fatigue. Cisco Talos describes the MFA fatigue attack technique as "the process of sending a high volume of push requests to the target's mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving."
The MFA spoofing attacks leveraged against the Cisco employee were ultimately successful and allowed the attackers to run the VPN software as the targeted Cisco employee. "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN," researchers wrote.
"The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident," they said.
In response to the attack, Cisco implemented a company-wide password reset immediately, according to the Cisco Talos report. "Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker's progression," they wrote.
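The sequence described above (a high volume of push requests, then an acceptance, then new MFA devices enrolled) leaves a recognizable trail in authentication logs. The following Python detection logic is an added example, not code from Cisco Talos or the original article; the log format, event names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; adjust to the environment's normal push volume.
WINDOW = timedelta(minutes=10)      # burst window for unanswered/denied pushes
MIN_PUSHES = 5                      # pushes in WINDOW before an approval is suspicious
ENROLL_WINDOW = timedelta(hours=1)  # follow-up window for new MFA device enrollment

# Constructed sample log, time-ordered: "ISO-timestamp user event".
# Event names are hypothetical, not any MFA vendor's real schema.
SAMPLE_LOG = """\
2022-01-10T02:10:05 alice push_denied
2022-01-10T02:10:50 alice push_timeout
2022-01-10T02:11:30 alice push_denied
2022-01-10T02:12:10 alice push_denied
2022-01-10T02:13:00 alice push_timeout
2022-01-10T02:13:45 alice push_approved
2022-01-10T02:20:00 alice device_enrolled
2022-01-10T09:00:00 bob push_denied
2022-01-10T09:00:30 bob push_approved
2022-01-10T09:05:00 bob device_enrolled
"""

def detect_mfa_fatigue(log_text):
    """Return alerts as (user, kind, timestamp) tuples, in log order."""
    recent = defaultdict(deque)  # user -> times of recent unapproved pushes
    flagged = {}                 # user -> time of an approval that followed a burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts_text, user, event = line.split()[:3]
        ts = datetime.fromisoformat(ts_text)
        pushes = recent[user]
        while pushes and ts - pushes[0] > WINDOW:  # drop pushes outside the window
            pushes.popleft()
        if event in ("push_denied", "push_timeout"):
            pushes.append(ts)
        elif event == "push_approved":
            if len(pushes) >= MIN_PUSHES:
                alerts.append((user, "approval_after_push_burst", ts))
                flagged[user] = ts
            pushes.clear()
        elif event == "device_enrolled":
            approved = flagged.get(user)
            if approved is not None and ts - approved <= ENROLL_WINDOW:
                alerts.append((user, "device_enrolled_after_burst", ts))
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {kind}")
```

In the sample, alice's approval after five denied or timed-out pushes and her device enrollment minutes later are both flagged, while bob's single retry and enrollment are not.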