Cisco confirmed that attackers gained access to an employee’s VPN client via a compromised Google account, which was synchronizing credentials saved in the victim’s browser.
“Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account,” wrote Cisco Talos.
The attacker conducted a series of sophisticated voice phishing attacks (vishing) disguised as trusted organizations, in order to convince the victim to accept multi-factor authentication (MFA) push notifications. Once the MFA push was accepted, the attacker gained access to the Cisco VPN.
What’s surprising about this case is how the cybercriminal bypassed the multifactor authentication tied to the VPN client. In addition to vishing, efforts included a type of attack called MFA fatigue, described by Cisco Talos as “the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”
Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. A variety of activities allowed them to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
However, the Cisco Talos research team stated they have not identified any evidence suggesting that the bad actor gained access to critical internal systems, such as those related to product development, code signing, etc.
“We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.”, continued the official statement.
IABs typically attempt to obtain privileged access to corporate networks and monetize it by selling it to other threat actors, who can, in turn, leverage it for a variety of purposes. “While we did not observe ransomware deployment in this attack, the tactics, techniques, and procedures (TTPs) used were consistent with ‘pre-ransomware activity,’ commonly observed leading up to the deployment of ransomware in victim environments.”, added the Cisco Talos team.
How to prevent and respond to attacks
While MFA is considered an essential security measure for organizations, it wasn’t enough in this case. Considering the cybercriminal used social engineering and phishing attacks to trick the employee into accepting the MFA notification, cybersecurity awareness proves to be another critical initiative to prevent intrusions.
In response to the attack, Cisco implemented a company-wide password reset immediately, according to the Cisco Talos report.
When it comes to credentials, we’ve found that 76% of users change their passwords only when they have to, and 63% craft them with the bare minimum security requirements. This can be alarming considering exposed credentials are an easy gateway for cybercriminals into the corporate network, and can lead to more serious threats like ransomware.
Watch the webinar: Stolen credentials, a conduit for ransomware into your network
Despite the frequency of social engineering attacks, organizations continue to face challenges mitigating those threats. User training is paramount, including password hygiene, cybersecurity basics, and making sure employees know the legitimate ways that support staff will contact them, in order to avoid giving away sensitive information.
Get the ebook: How to protect your network from exposed credentials
In addition, Cisco Talos shares the following best practices:
- Prior to allowing VPN connections from remote endpoints, ensure that posture checking is configured to enforce a baseline set of security controls. This ensures that the connecting devices match the security requirements of the environment. This can also prevent rogue devices that have not been previously approved from connecting to the corporate network.
- Implement network segmentation, which provides enhanced protection for high-value assets and also enables more effective detection and response capabilities in situations where an adversary is able to gain initial access into the environment.
- Centralize log collection to minimize the lack of visibility that results when an attacker takes active steps to remove logs from systems. Ensuring that the log data generated by endpoints is centrally collected and analyzed for anomalous or overtly malicious behavior can provide early indication when an attack is underway.
- Ensure backups are offline and periodically tested to help mitigate the risk when threat actors target the backup infrastructure, and put in place a recovery plan.
- Audit command line execution on endpoints to provide increased visibility into actions being performed on systems in the environment, and detect suspicious execution of built-in Windows utilities, which is commonly observed during intrusions where threat actors rely on benign applications or utilities already present in the environment for enumeration, privilege escalation, and lateral movement activities.
