
Employee’s compromised Google credentials led to Cisco breach

The Cisco logo is seen at the company's booth at the 2014 International CES at the Las Vegas Convention Center. (Photo by David Becker/Getty Images)

Cisco shared on its website Wednesday that it identified a security incident targeting its corporate IT infrastructure on May 24, saying it took immediate action to remediate the impact and has since hardened its IT environment. 

Also on Wednesday, on its Cisco Talos security blog, the company’s security team said an employee’s credentials were compromised after an attacker gained control of a Google account to which the credentials saved in the victim’s browser had been synced.

Through a series of sophisticated voice phishing calls, the attacker eventually convinced the victim to accept one of the multi-factor authentication (MFA) push notifications the attacker had triggered, which granted the attacker VPN access in the context of the targeted user.

The security team posted that the attacker did not gain access to critical systems, but did attempt to establish persistence and escalate access before being removed from the environment. In the weeks following the attack the attacker was observed repeatedly trying to regain access, but was unsuccessful.
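The vishing-plus-push sequence described above leaves a recognizable trace in identity-provider logs: a burst of push prompts for one user, often including explicit denials, that ends in an approval. The following is an added detection example, not code from Cisco Talos or from this article. It assumes a simplified whitespace-separated log format (timestamp, user, event, source IP) and uses constructed sample lines; map the field names to your own IdP's export.

```python
"""Detect MFA push-fatigue ("prompt bombing") in authentication logs.

Added example; not code from Cisco Talos or SC Media. The log format, event
names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real Cisco data). Each line is:
# ISO-8601 timestamp, user, push event, source IP of the login attempt.
SAMPLE_LOG = """\
2022-05-24T09:01:10Z alice push_denied 203.0.113.7
2022-05-24T09:02:30Z alice push_timeout 203.0.113.7
2022-05-24T09:03:55Z alice push_denied 203.0.113.7
2022-05-24T09:05:12Z alice push_timeout 203.0.113.7
2022-05-24T09:06:40Z alice push_approved 203.0.113.7
2022-05-24T09:10:00Z bob push_approved 198.51.100.20
2022-05-24T13:00:00Z carol push_timeout 192.0.2.9
2022-05-24T13:40:00Z carol push_approved 192.0.2.9
2022-05-24T15:00:00Z dave push_timeout 198.51.100.77
2022-05-24T15:01:00Z dave push_timeout 198.51.100.77
2022-05-24T15:02:00Z dave push_approved 198.51.100.77
"""


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    event: str
    src_ip: str


def parse_log(text):
    """Parse the assumed four-column log format into PushEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, ip = line.split()
        events.append(PushEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Flag a push approval preceded by a burst of prompts within `window`.

    An alert fires when the approving prompt plus the user's earlier prompts in
    the window reach `min_prompts`. The alert also records whether the user
    explicitly denied a prompt before approving one, the classic "wore them
    down" pattern, and which source IPs drove the prompts.
    """
    alerts = []
    recent = defaultdict(list)  # user -> prompts seen within the window
    for ev in sorted(events, key=lambda e: e.ts):
        hist = recent[ev.user]
        hist.append(ev)
        # Evict prompts that fell out of the sliding window.
        recent[ev.user] = hist = [h for h in hist if ev.ts - h.ts <= window]
        if ev.event != "push_approved":
            continue
        prior = [h for h in hist if h is not ev]
        if len(prior) + 1 >= min_prompts:
            alerts.append({
                "user": ev.user,
                "approved_at": ev.ts.isoformat(),
                "prompts_in_window": len(prior) + 1,
                "denied_before_approval": any(h.event == "push_denied" for h in prior),
                "src_ips": sorted({h.src_ip for h in hist}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data, `alice` (four unapproved prompts, two of them denials, then an approval) and `dave` (two timeouts then an approval) are flagged; `bob` approved a single prompt and `carol`'s earlier timeout falls outside the ten-minute window, so neither is. In practice the "denied then approved" flag deserves a higher severity than a plain burst, and the source IP set should be compared against the user's normal locations.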

In its assessment, the incident response team said it was fairly confident the attacker was an initial access broker with ties to the UNC2447, Lapsus$ and Yanluowang threat groups. Globant, Microsoft Azure, Nvidia and Okta are among victims of the Lapsus$ ransomware group, according to CyberRisk Alliance partner MSSPAlert.

Yanis Zinchenko, a security expert at Kaspersky, said Kaspersky analyzed Yanluowang’s malware in April and was able to create a file decryptor to help victims recover their information. He added that it is important for businesses to follow basic security principles to stay protected and minimize the potential financial and reputational losses associated with a ransomware attack.


Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
