Cisco confirms Yanluowang ransomware leaked stolen company data

Cisco has confirmed through its Talos Intelligence Group that the data leaked on September 11, 2022 by the Yanluowang ransomware gang was stolen from the company network during the previously disclosed cyberattack in May 2022.

Despite the additional data leak, Cisco maintains that the cyberattack has had no material impact on its business.

“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.”

The statement continues:

“Our previous analysis of this incident remains unchanged; we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

Cisco states that it implemented a “company-wide password reset immediately upon learning of the incident. Our findings and subsequent security protections resulting from those customer engagements helped us slow and contain the attacker’s progression.”

Cisco also created two ClamAV signatures:

  • Win.Exploit.Kolobko-9950675-0
  • Win.Backdoor.Kolobko-9950676-0

Despite network segmentation, multi-factor authentication, and the baseline security controls it requires before permitting VPN connections, Cisco states that user education is paramount in preventing social engineering attacks.

The attackers gained their foothold through a two-factor authentication “push notification fatigue” attack, which spams the user’s smartphone with repeated Duo MFA approval requests. The attackers bank on the user eventually approving one of the requests in the Duo app simply to make the notifications stop.
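The push-fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of denied or timed-out push requests for one user, followed shortly by an approval. The following is an added detection example written for this article; it is not code from Cisco or Talos. The JSON log format and field names (`ts`, `user`, `factor`, `result`, `ip`) are constructed assumptions, as is the sample log, so map them to whatever your identity provider actually exports.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added illustration, not from the Cisco/Talos statement quoted in the article.
The log schema below is an assumption; adapt the field names to your IdP's export.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "alice" receives a burst of pushes and finally approves one;
# "bob" shows ordinary behaviour (one accidental denial, then a normal approval).
SAMPLE_LOG = """
{"ts": "2022-05-20T03:01:02Z", "user": "alice", "factor": "duo_push", "result": "denied", "ip": "203.0.113.5"}
{"ts": "2022-05-20T03:01:40Z", "user": "alice", "factor": "duo_push", "result": "timeout", "ip": "203.0.113.5"}
{"ts": "2022-05-20T03:02:15Z", "user": "alice", "factor": "duo_push", "result": "denied", "ip": "203.0.113.5"}
{"ts": "2022-05-20T03:02:50Z", "user": "alice", "factor": "duo_push", "result": "timeout", "ip": "203.0.113.5"}
{"ts": "2022-05-20T03:03:30Z", "user": "alice", "factor": "duo_push", "result": "success", "ip": "203.0.113.5"}
{"ts": "2022-05-20T09:15:00Z", "user": "bob", "factor": "duo_push", "result": "success", "ip": "198.51.100.7"}
{"ts": "2022-05-20T17:40:00Z", "user": "bob", "factor": "duo_push", "result": "denied", "ip": "198.51.100.7"}
{"ts": "2022-05-20T17:40:45Z", "user": "bob", "factor": "duo_push", "result": "success", "ip": "198.51.100.7"}
"""

FAILED_RESULTS = {"denied", "timeout"}


def parse_events(text):
    """Parse newline-delimited JSON records into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_push_fatigue(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag every push approval preceded by at least `min_failures` denied/timed-out
    pushes for the same user inside `window`. Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("factor") == "duo_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            # Failed pushes for this user that landed within the window before the approval.
            prior = [p for p in evs[:i]
                     if p["result"] in FAILED_RESULTS and e["ts"] - p["ts"] <= window]
            if len(prior) >= min_failures:
                alerts.append({
                    "user": user,
                    "approved_at": e["ts"].isoformat(),
                    "failed_pushes": len(prior),
                    "source_ips": sorted({p["ip"] for p in prior} | {e["ip"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Tune `min_failures` and `window` against your own baseline: a single mis-tap followed by an approval, as in the "bob" records, is normal and must not page anyone, while a run of denials and timeouts ending in an approval is the sequence worth a call to the user, which is the response the Cisco statement below asks employees to be trained for.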

“Equally important to implementing MFA is ensuring that employees are educated on what to do and how to respond if they get errant push requests on their respective phones. It is also essential to educate employees about who to contact if such incidents do arise to help determine if the event was a technical issue or malicious.”

Despite the millions undoubtedly spent to secure any network infrastructure, social engineering remains a potent threat.
