“MFA Fatigue” Help Attackers Breach Cisco Corporate Network

Share post:

Cisco has confirmed a ransomware attack on its corporate network that happened in late May.

Behind the attack was the Yanluowang Ransomware gang. According to Cisco, the attackers were able to steal non-sensitive data from a box folder linked to the account of a compromised employee.

MFA fatigue was critical to helping the attacker break through Cisco’s network. MFA fatigue is also known as MFA prompt spamming. After gaining access to compromised login credentials, a hacker tricks a user by repeatedly sending push notifications to authorize the login.

Through MFA fatigue and a series of sophisticated voice phishing attacks that faked trusted support organizations, the attacker convinced the CISCO employee to accept multi-factor authentication (MFA) push notifications.

The employee was eventually tricked into accepting one of the MFA notifications. The attackers then gained access to the VPN in the context of the target user.

After gaining access to the corporate network, the Yanluowang operators spread laterally to Citrix servers and domain controllers.

The attackers used enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information after accessing domain administrators, and then installed a number of payloads on compromised systems, including a backdoor.

Their activities were discovered by Cisco and eventually driven out of the environment.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs

SUBSCRIBE NOW

Related articles

Microsoft and OpenAI partner to build a $100 Billion AI supercomputer “Stargate”

In a bold stride towards computational supremacy, Microsoft, in partnership with OpenAI, is reported to be laying the...

The US government and Its Microsoft dependency: A cybersecurity dilemma

Microsoft's series of high-profile cybersecurity failures has once again spotlighted the complex relationship between the tech giant and...

Cyber Security Today, Week in Review for week ending Friday, April 12, 2024

This episode features a discussion on Microsoft's cybersecurity troubles, worries about open source, a warning about abusing IT help desks to launch attack

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways