Written by Ferhat Dikbiyik
Additional Contributors Ekrem Celik and Gizem Toprak
Edited by Haley Williams
Cisco disclosed a security breach on August 10, 2022, an attack executed by the Yanluowang ransomware gang. Cisco confirmed that the infamous threat actor breached its corporate network in late May and that the actor tried to extort them under the threat of leaking 2.8GB of stolen files online. While the company also stated that the attackers could only harvest and steal non-sensitive data, the threat actor published NDA files allegedly stolen from the company. Since Cisco products are widely used by many organizations worldwide, there are concerns about this breach’s impact on the global supply chain.

The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that the threat actors compromised a Cisco employee’s credentials after gaining control of the employee’s personal Google account. The victim’s corporate credentials had been saved in the browser and synchronized to that account. The threat actors may have invested time and money to link the personal account to the victim’s employer.
The threat actors then used voice phishing (vishing) to bypass MFA protection and obtain VPN access with the stolen credentials.
The Yanluowang ransomware group then attempted to extort the company. The gang published a list of files stolen from Cisco, threatening to leak all of the stolen data if Cisco did not pay the ransom. While the group is known for triple extortion (data encryption, data leaks, and DDoS attacks), in this case it only threatened to leak the data. Through their usual processes, Cisco’s security operations teams were able to notice the abnormal behavior before the group took any further action.
Cisco Talos published the results of their investigation with TTPs of the attack and MITRE ATT&CK mapping.
Cisco, a continuously monitored vendor in the Black Kite platform, has a grade of C-, an average grade common among large global organizations. Cisco products are widely used across the digital supply chain, suggesting a potential cascading risk effect on its partners and customers. While there is no evidence that the threat actors obtained sensitive information about Cisco clients, the leaked data might be used to execute phishing or credential stuffing attacks against those clients.
Yanluowang and its affiliates are capable of carrying out various forms of persistent phishing attacks. Even minimal information about a client within the leaked data gives threat actors enough material to craft a targeted phishing attack on Cisco’s clients, allowing them to work their way up the supply chain.
Vulnerable Software Identifier

Black Kite has additionally launched automatic focus tags that label vendors that are Cisco clients. Black Kite users can use these tags to filter their vendors easily and see which Cisco products their vendors use.