Cisco confirmed today that the Yanluowang ransomware group infiltrated its corporate network in late May and that the actor attempted to extort the company by threatening to leak stolen files online.
Yanluowang is a ransomware operation that came to prominence in 2021 after a series of targeted ransomware attacks on companies in the financial sector, as well as in IT services, consultancy, and engineering, Symantec has said.
The threat actors gained access to Cisco’s network using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser.
“On August 10, the attackers published a list of files from this security incident on the dark web. We have also implemented additional measures to protect our systems and are sharing technical details to help protect the broader security community.”
The attacker convinced the Cisco employee to accept multi-factor authentication push notifications through MFA fatigue and a series of sophisticated voice phishing (vishing) attacks in which the Yanluowang gang impersonated trusted support organizations.
How it happened
The attackers eventually tricked the victim into accepting one of the MFA notifications and gained access to the VPN in the context of the targeted user.
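A defender-side illustration of the pattern described above, added here as an example and not part of the original article or of Cisco's tooling: it scans constructed MFA and VPN log lines (the log format, user names and address are assumed) for a push approval preceded by a burst of denied or timed-out pushes from the same user, and links it to the VPN session that followed.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the Cisco incident): MFA push events
# for one user, plus the VPN session that followed the eventual approval.
SAMPLE_LOG = """\
2022-05-24T02:11:05Z mfa user=jdoe event=push_sent
2022-05-24T02:11:40Z mfa user=jdoe event=push_denied
2022-05-24T02:12:10Z mfa user=jdoe event=push_sent
2022-05-24T02:13:12Z mfa user=jdoe event=push_timeout
2022-05-24T02:13:30Z mfa user=jdoe event=push_sent
2022-05-24T02:14:01Z mfa user=jdoe event=push_denied
2022-05-24T02:14:20Z mfa user=jdoe event=push_sent
2022-05-24T02:14:55Z mfa user=jdoe event=push_approved
2022-05-24T02:15:20Z vpn user=jdoe event=session_start src=203.0.113.7
2022-05-24T09:00:02Z mfa user=asmith event=push_sent
2022-05-24T09:00:20Z mfa user=asmith event=push_approved
"""

WINDOW = timedelta(minutes=10)  # how far back to count rejected or ignored pushes
THRESHOLD = 3                   # rejected/ignored pushes that make an approval suspicious


def parse_line(line):
    """Parse '<ts> <source> key=value ...' into a dict (assumed log format)."""
    ts, source, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per push approval that was preceded, within `window`,
    by at least `threshold` denied or timed-out pushes for the same user.
    Each alert notes the source address of any VPN session started afterwards."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "mfa" or ev["event"] != "push_approved":
            continue
        rejected = [e for e in events[:i]
                    if e["user"] == ev["user"]
                    and e["event"] in ("push_denied", "push_timeout")
                    and ev["ts"] - e["ts"] <= window]
        if len(rejected) < threshold:
            continue
        vpn = next((e for e in events[i:] if e["source"] == "vpn"
                    and e["user"] == ev["user"] and e["ts"] - ev["ts"] <= window), None)
        alerts.append({"user": ev["user"], "approved_at": ev["ts"].isoformat(),
                       "rejected_before": len(rejected),
                       "vpn_src": vpn["src"] if vpn else None})
    return alerts
```

Tune the window and threshold to your own push volume; a legitimate user rarely rejects or ignores several prompts and then approves one within minutes.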
After gaining a foothold in the corporate network, Yanluowang operators moved laterally to Citrix servers and domain controllers.
“Once the attacker gained initial access, they performed a variety of activities to maintain access, minimize forensic artifacts, and increase their access to systems within the environment,” added Cisco Talos.
Hackers claim to steal data from Cisco
The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings.
Ultimately, Cisco detected the attackers and evicted them from its environment, but they continued trying to regain access over the following weeks.