A month after confirming its systems had been breached, networking giant Cisco said the attack was a failed ransomware attempt carried out on behalf of the Lapsus$ group.
Cybercriminals gained access to Cisco systems using a social engineering attack. It started with an attacker taking control of an employee’s personal Google account, to which credentials stored in the victim’s browser were synced. Then, in a series of sophisticated voice phishing calls, the gang convinced the victim to accept multi-factor authentication (MFA) push notifications, giving the crooks the ability to log into the corporate VPN as if they were the victim.
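The repeated-push pattern described above (many MFA prompts in a short span, then an approval) is detectable from the identity provider's authentication log. The following is an added example written for this article, not code from Cisco or Talos; the log line format, user names and timestamps are constructed for illustration, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA log. alice receives four push prompts in three minutes
# and finally approves one (push fatigue); bob approves a single prompt normally;
# carol has an old denied prompt well outside the window, then a normal approval.
SAMPLE_LOG = """\
2022-08-10T01:00:00Z user=carol event=push_sent src=198.51.100.9
2022-08-10T01:00:20Z user=carol event=push_denied src=198.51.100.9
2022-08-10T02:14:05Z user=alice event=push_sent src=203.0.113.7
2022-08-10T02:14:40Z user=alice event=push_denied src=203.0.113.7
2022-08-10T02:15:10Z user=alice event=push_sent src=203.0.113.7
2022-08-10T02:15:30Z user=alice event=push_denied src=203.0.113.7
2022-08-10T02:16:02Z user=alice event=push_sent src=203.0.113.7
2022-08-10T02:16:45Z user=alice event=push_sent src=203.0.113.7
2022-08-10T02:17:01Z user=alice event=push_approved src=203.0.113.7
2022-08-10T02:20:00Z user=bob event=push_sent src=192.0.2.44
2022-08-10T02:20:15Z user=bob event=push_approved src=192.0.2.44
2022-08-10T02:30:00Z user=carol event=push_sent src=198.51.100.9
2022-08-10T02:30:12Z user=carol event=push_approved src=198.51.100.9
"""

# Assumed key=value line layout; real IdP exports differ and need their own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(log_text):
    """Yield parsed records in file order, skipping unparsable lines."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            yield rec


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=3):
    """Alert when a user approves a push after >= threshold prompts within `window`.

    A sliding window of push_sent timestamps is kept per user; prompts older than
    the window are discarded before each event is evaluated, so a stale prompt
    (carol's 01:00 one) does not count toward a later, unrelated approval.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    alerts = []
    for rec in parse_log(log_text):
        q = recent[rec["user"]]
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["event"] == "push_sent":
            q.append(rec["ts"])
        elif rec["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({
                "user": rec["user"],
                "approved_at": rec["ts"].isoformat(),
                "prompts_in_window": len(q),
                "src": rec["src"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(f"MFA push fatigue: {alert}")
```

Pairing this rule with a second signal, such as the approving session's source address or device differing from the user's usual ones, cuts false positives from users who simply missed a prompt or two; number matching on the push itself removes the blind-approve path entirely.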
From there, the attackers were able to move through Cisco systems, elevate privileges, deploy remote access tools, stage Cobalt Strike and other offensive tooling, and add their own backdoors.
“Based on the artifacts obtained, the tactics, techniques and procedures (TTPs) identified, the infrastructure used, and a thorough analysis of the backdoor used in this attack, we assess with moderate to high confidence that this attack was carried out by an adversary previously identified as an initial access broker (IAB) associated with both UNC2447 and Lapsus$,” the Cisco Talos team explained in a September 11 update to its August post. “While we did not observe ransomware deployment in this attack, the TTPs used were consistent with ‘pre-ransomware activity,’ activity typically seen leading to the deployment of ransomware in the victim’s environment.”