
Cisco Hacked: Ransomware Gang Claims It Has 2.8GB Of Data


Davey Winder, Senior Contributor. Opinions expressed by Forbes Contributors are their own. Co-founder, Straight Talking Cyber.

Aug 13, 2022, 05:13am EDT

August 13 Update below. This post was originally published on August 11.

Networking giant Cisco confirms hacking as ransomware group publishes a partial list of files it claims to have exfiltrated.

On the same day that the Yanluowang ransomware group published a partial list of files it says were stolen from Cisco, the networking giant’s Talos Intelligence Group confirmed that Cisco had, indeed, been hacked.

The confirmation, which came by way of a Talos blog posting, stated that Cisco was first made aware of a potential compromise on May 24. The potential compromise became a confirmed network breach following further investigation by the Cisco Security Incident Response Team (CSIRT).

[Image: The Cisco Talos team disclosed the attack in technical detail. Credit: Cisco Talos]

Who is behind the Cisco hack?

Cisco said that the initial access vector was the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of their credentials and access to the Cisco VPN.

The threat actor, confirmed as an initial access broker with ties to a Russian group called UNC2447 as well as to the Yanluowang ransomware gang, was ejected from the network and prevented from re-entry despite many attempts over the following weeks. The tactics, techniques, and procedures (TTPs) also showed some overlap with the Lapsus$ group, many of whom were arrested earlier in the year.

August 12 Update: The threat intelligence analyst’s perspective

“Whether this incident was overstated by Yanluowang depends on perspective. From analyzing the directory leaked and Cisco’s statement, it seems that the data exfiltrated – both in size and content – is not of great importance or sensitivity,” Louise Ferrett, a threat intelligence analyst at Searchlight Security, told me. “However, as was the case with a number of attacks by actors such as LAPSUS$,” Ferrett continues, “sometimes the act of compromising a corporate network itself can be enough for threat actors to gain mainstream publicity and underground ‘cred’, which can lead to further resources and collaboration in the future that could be more materially damaging.”

As Cisco confirmed in the initial reporting of this incident, the TTPs pointed to links between the UNC2447 initial access broker and its known associate, the Lapsus$ group.

“It’s not uncommon for IABs to act as contractors for different threat actors, with many auctioning their access to corporate networks on popular dark web hacking forums,” Ferrett says. What’s more, she concludes, “this attack can certainly be viewed as part of a broader trend of ransomware threat actors diversifying away from pure encrypt-and-extort, with Yanluowang previously claiming to have breached Walmart despite the company stating there was no ransomware deployed on its systems.”

Threat intelligence specialist KELA has, just this week, confirmed that “in Q2 2022, several notorious ransomware and data leak actors were spotted being active again: REvil (Sodinokibi), Stormous, and Lapsus$.” Another threat intelligence company, Cyjax, describes Yanluowang operations as “highly targeted attacks, aggressively seeking to maximize profits via extortion attempts. These include, but are not limited to, leaking DDoS attacks and stolen data.”

August 13 Update: Yanluowang: the 10 Kings of Hell

I have been doing some more digging to get further background on the Yanluowang ransomware group, which I thought I’d share here. The group apparently chose the name by referencing Yanluo Wang, a Chinese deity who was said to be one of the Kings of Hell.

It is not as easy as most people think to get a definitive national attribution for most threat actors, including ransomware groups, and a reference to something Chinese does not automatically mean Yanluowang has any particular affiliation to China. Indeed, while there may well be a Chinese connection as far as whoever coded the ransomware software itself is concerned, that doesn’t mean the group has any motive other than criminal financial gain. Cisco, however, has painted a picture of UNC2447, the initial access broker it thinks was responsible for the actual breach itself, which apparently reveals “a nexus to Russia”.

Just to throw more spanners in any nation-state-sponsored attack ideas, Lapsus$, also mentioned as having an affiliation with both UNC2447 and Yanluowang, is thought to be based out of Brazil. That’s what we know we don’t know, then. What is known, with at least some degree of certainty, is that Yanluowang likely emerged in August 2021 from existing ransomware-as-a-service criminal operations known as Fivehands and Thieflock.

When the Threat Hunter Team at Symantec identified Yanluowang as attacking U.S. organizations in 2021, it drew a lot of distinct similarities between it and Thieflock in terms of the tools, tactics, and procedures used.

It is thought an ex-member, or members, of Thieflock could be behind Yanluowang. We also know that the group has been pretty busy over the last year. “Although the malware has only been around for a short period, Yanluowang has managed to target companies from all around the world,” Yanis Zinchenko, a security expert at Kaspersky, said.

[Image: Kaspersky offers a free Yanluowang decryptor tool. Credit: Kaspersky]

Kaspersky has taken quite an interest in the group, and in the ransomware malware code specifically. In April, it uncovered a vulnerability within the RSA-1024 algorithm employed by the Yanluowang software and was able to use this to crack the encryption used. As such, as long as a victim has one or two unencrypted files, the free Kaspersky Rannoh ransomware decryption tool should work.

No ransomware deployed, Cisco says

Importantly, Cisco says that there was no ransomware deployment during the attack that it could find. CSIRT has stated: “Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10 the bad actors published a list of files from this security incident to the dark web.”

A company-wide password reset was initiated after the breach, and Cisco is to be praised for the clear and detailed disclosures it has made regarding the technicalities of the hack.



From: forbes
URL: https://www.forbes.com/sites/daveywinder/2022/08/13/cisco-hacked-ransomware-gang-claims-it-has-28gb-of-data/
