7-Eleven Denmark confirms store closures as a result of a ransomware attack
August 10, 2022
UK NHS services still recovering after ransomware attack against British MSP
August 11, 2022

Cisco confirms attack by Yanluowang ransomware gang

On Wednesday 10th of August 2022, Cisco confirmed the Yanluowang ransomware group had breached its corporate network in late May and that the ransomware group tried to extort them under the threat of leaking stolen files online. Although Cisco confirmed that the incident had no impact on their business operations. This confirmation was released in a response to the Yanluowang ransomware group publishing a list of files from this incident to their dark web website earlier on Wednesday 10th of August 2022.

The threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. Then the threat actors convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications for a VPN after sending multiple requests which resulted in MFA fatigue.

Once they gained a foothold on the company’s corporate network, the threat actors looked to spread laterally to Citrix servers and domain controllers within the Cisco network. And eventually gained domain admin where they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor. Ultimately, Cisco detected and evicted them from its environment, but they continued trying to regain access over the following weeks.

“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.” – Cisco Talos Statement.

The Yanluowang ransomware group claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings. Although Cisco revealed the stolen data was non-sensitive data from a Box folder linked to a compromised employee’s account.

Leave a Reply

Your email address will not be published.