Cisco admits data posted by ransomware gang came from its systems


Cisco Systems has admitted that data posted on Sunday by the Yanluowang ransomware gang was stolen from the networking giant in a cyberattack earlier this year.

In an updated blog post yesterday, Cisco’s Talos threat intelligence team said that the contents of files posted by the gang on its data leak site matched data from the list of file names Yanluowang had earlier published claiming to be from the company.

Nevertheless, Cisco maintains no sensitive customer, employee, or corporate data was copied.

“Our previous analysis of this incident remains unchanged,” the blog says. “We continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco acknowledged in August that on May 24th it realized there had been a “potential compromise.” A company employee’s credentials had been compromised after an attacker gained control of their personal Google account where credentials saved in the victim’s browser were being synchronized. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account.

The attacker then ran a series of sophisticated voice phishing attacks under the guise of various trusted organizations, attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker, Cisco said. The attacker ultimately succeeded in getting an MFA push accepted, granting them access to the VPN in the context of the targeted user. Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted the Cisco Security Incident Response Team (CSIRT).
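The sequence Cisco describes here (repeated MFA pushes, a single acceptance, a VPN login, then new MFA devices enrolled on the account) is detectable from ordinary authentication logs. The following is an added example written for this page, not code from the article, from Cisco Talos, or from any MFA vendor: it scans a constructed, assumed event schema (timestamp, user, event name) for a push that was approved only after several earlier pushes within a short window, and counts how many MFA devices were enrolled shortly afterwards. The event names and sample records are made up for illustration.

```python
"""Flag MFA push-fatigue followed by new-device enrollment in auth logs.

Added example with a constructed log schema; it does not reflect any
vendor's real event names or Cisco's actual telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema: ISO timestamp, user, event).
# "jdoe" shows the push-fatigue pattern; "asmith" is a normal login.
SAMPLE_EVENTS = [
    ("2022-05-24T08:01:00", "jdoe", "mfa_push_sent"),
    ("2022-05-24T08:01:20", "jdoe", "mfa_push_denied"),
    ("2022-05-24T08:02:00", "jdoe", "mfa_push_sent"),
    ("2022-05-24T08:02:25", "jdoe", "mfa_push_denied"),
    ("2022-05-24T08:03:10", "jdoe", "mfa_push_sent"),
    ("2022-05-24T08:03:15", "jdoe", "mfa_push_timeout"),
    ("2022-05-24T08:04:00", "jdoe", "mfa_push_sent"),
    ("2022-05-24T08:04:40", "jdoe", "mfa_push_approved"),
    ("2022-05-24T08:05:30", "jdoe", "vpn_login"),
    ("2022-05-24T08:07:00", "jdoe", "mfa_device_enrolled"),
    ("2022-05-24T08:08:00", "jdoe", "mfa_device_enrolled"),
    ("2022-05-24T08:01:00", "asmith", "mfa_push_sent"),
    ("2022-05-24T08:01:10", "asmith", "mfa_push_approved"),
    ("2022-05-24T08:01:30", "asmith", "vpn_login"),
]


def parse(events):
    """Convert (iso_string, user, event) tuples into (datetime, user, event)."""
    return [(datetime.fromisoformat(t), u, e) for t, u, e in events]


def detect_push_fatigue(events, window=timedelta(minutes=15), min_pushes=3,
                        enroll_window=timedelta(minutes=60)):
    """Return {user: finding} for each user whose push approval came after
    at least `min_pushes` pushes within `window`. The finding also records
    how many MFA devices were enrolled within `enroll_window` of approval,
    since enrollment right after a suspicious approval is a persistence signal.
    """
    by_user = defaultdict(list)
    for ts, user, ev in sorted(parse(events)):
        by_user[user].append((ts, ev))

    findings = {}
    for user, evs in by_user.items():
        for i, (ts, ev) in enumerate(evs):
            if ev != "mfa_push_approved":
                continue
            # Pushes issued to this user in the window leading up to approval.
            pushes = sum(1 for t, e in evs[:i]
                         if e == "mfa_push_sent" and ts - t <= window)
            if pushes < min_pushes:
                continue
            # New MFA devices registered soon after the approval.
            enrolled = sum(1 for t, e in evs[i + 1:]
                           if e == "mfa_device_enrolled" and t - ts <= enroll_window)
            findings[user] = {
                "approved_at": ts.isoformat(),
                "pushes_before_approval": pushes,
                "devices_enrolled_after": enrolled,
            }
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(user, finding)
```

The thresholds are deliberately parameters: the right push count and window depend on how noisy a given environment's legitimate MFA traffic is. The enrollment count is the more specific signal; a user who approved after several prompts and then registered two new authenticators within an hour is worth a call from the help desk, and is exactly the point at which this incident could have been caught before the VPN access was used for escalation.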

The threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment before being ejected from the network. That activity included the use of remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and the addition of the gang’s own backdoor accounts and persistence mechanisms.

The Bleeping Computer news service said Yanluowang’s leader told it that thousands of Cisco files, including classified documents, technical schematics, and source code, were stolen. When the news site asked for comment, Cisco denied the possibility that the intruders had exfiltrated or accessed any source code.

The post Cisco admits data posted by ransomware gang came from its systems first appeared on IT World Canada.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
