Cisco dispels Kraken data breach claims, insists stolen data came from old attack
Cisco has pushed back on claims it has been breached in a new ransomware attack after a threat actor exposed sensitive information allegedly stolen from the firm’s internal network.
The Kraken ransomware group posted the information, which according to reporting by Cyber Press contained credentials linked to Cisco’s Windows Active Directory environment, to its dark web leak site.
This data was said to include privileged administrator accounts, NTLM password hashes, and credentials for the domain's Kerberos Ticket Granting Ticket (krbtgt) account, which could be leveraged to forge authentication tickets (so-called golden tickets).
The post was accompanied by a threat of further attacks on the network and security giant and a claim that Cisco had been trying, unsuccessfully, to remove the group from its network.
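The check a defender wants after a claim like this is how old the krbtgt secret is, because a ticket forged from a leaked krbtgt hash keeps validating until that account has been reset twice (the KDC still honours the previous key after a single reset). The following PowerShell is an added example, not code from the article or from Cisco; it assumes the RSAT ActiveDirectory module, Domain Admin rights, a hypothetical 180-day staleness threshold, and the default 10-hour maximum TGT lifetime, which should be replaced with the value from your own Kerberos policy.

```powershell
# Added example (not from the article or from Cisco): report the age of the
# krbtgt secret and, on request, rotate it twice with a pause in between.
# Assumes the RSAT ActiveDirectory module and Domain Admin rights. The 10-hour
# value is the default maximum TGT lifetime; take yours from Kerberos policy.
Import-Module ActiveDirectory

$MaxTgtLifetime = New-TimeSpan -Hours 10
$StaleAfterDays = 180   # hypothetical threshold for this example

function Get-KrbtgtAge {
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [math]::Round($age.TotalDays, 1)
        # A hash captured before PasswordLastSet is only dead once the account
        # has been reset twice, because the KDC still accepts the previous key.
        NeedsRotation   = $age.TotalDays -gt $StaleAfterDays
    }
}

function Reset-KrbtgtTwice {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([TimeSpan]$Wait = $MaxTgtLifetime)

    for ($i = 1; $i -le 2; $i++) {
        # Supply a random value; the point is the key change, not the string.
        $bytes = New-Object byte[] 48
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

        if ($PSCmdlet.ShouldProcess('krbtgt', "password reset $i of 2")) {
            Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure
            # Push the new key to every DC before doing anything else.
            repadmin /syncall /AdeP | Out-Null
        }
        if ($i -eq 1) {
            # Let legitimately issued TGTs expire and be reissued under the new
            # key; a second reset sooner than that forces every user to re-auth.
            Write-Host "First reset done; waiting $($Wait.TotalHours)h before the second."
            if (-not $WhatIfPreference) { Start-Sleep -Seconds $Wait.TotalSeconds }
        }
    }
}

Get-KrbtgtAge
# Reset-KrbtgtTwice -WhatIf    # dry run; drop -WhatIf to rotate for real
```

Run Get-KrbtgtAge first; if PasswordLastSet predates the suspected compromise window, the leaked material is still usable for golden tickets regardless of how old the breach is, and the double reset is the fix. Confirm replication has converged (repadmin /showrepl) between the two resets rather than relying on the sleep alone.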
Jamie Akhtar, CEO and co-founder of CyberSmart, outlined the potential damage cyber criminals could inflict leveraging the sensitive information the Kraken group claimed to have taken.
“Hypothetically, the data leaked could allow cyber criminals to do a number of potentially damaging things. For example, the domain controller credentials could allow hackers to escalate privileges within Cisco’s network, move across networks within its wider infrastructure, and access and steal sensitive data.”
But Cisco has issued a statement saying the ‘exposed’ credentials were taken in a historic breach that occurred around two and a half years ago.
“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers.”
Cisco breach incident dates back to 2022
During the incident in question, attackers took control of an employee’s personal Google account in which Cisco credentials saved in the browser were being synchronised, according to a Cisco report on the attack published in August 2022.
After a series of voice phishing (vishing) attacks aimed at getting the user to accept an MFA prompt, the attacker was able to authenticate to Cisco’s VPN as the target user.
Once they had initial access, the attacker worked to establish persistence on the network, escalate their privileges, and evade detection while doing so.
Cisco said it was able to successfully remove the intruder, who made a series of unsuccessful attempts at regaining access in the following weeks.
It added that its CSIRT and Talos teams found no evidence that the attacker was able to reach ‘critical internal systems’ such as its production environment or code signing infrastructure.
At the time, Cisco said it believed the culprit to be an initial access broker (IAB) with links to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as to the Lapsus$ threat collective and the Yanluowang ransomware operation.