Louise Ferrett, Threat Intelligence Analyst at Searchlight Security, has provided the following context around the Yanluowang ransomware gang’s cyberattack on Cisco:
On the sensitivity of the stolen data:
“Whether this incident was overstated by Yanluowang depends on perspective. From analyzing the directory leaked and Cisco’s statement, it seems that the data exfiltrated - both in size and content - is not of great importance or sensitivity.
“However, as was the case with a number of attacks by actors such as LAPSUS$, sometimes the act of compromising a corporate network itself can be enough for threat actors to gain mainstream publicity and underground ‘cred’, which can lead to further resources and collaboration in the future that could be more materially damaging.
“This attack can certainly be viewed as part of a broader trend of ransomware threat actors diversifying away from pure encrypt-and-extort, with Yanluowang previously claiming to have breached Walmart despite the company stating there was no ransomware deployed on its systems.”
On Yanluowang’s connection to LAPSUS$: “The Tactics, Techniques and Procedures (TTPs) identified by Cisco led them to draw a link between an initial access broker (IAB) associated with LAPSUS$ and this attack by Yanluowang.
“It’s not uncommon for IABs to act as contractors for different threat actors, with many auctioning their access to corporate networks on popular dark web hacking forums. Monitoring these forums can provide advance warning that an attack is likely to occur against a company of a particular size and in a particular sector and geographical location.”
On how the attack was executed:
“The initial access vector in this case was an employee’s personal Google account, with password syncing enabled and their Cisco credentials stored in the Google Chrome browser, which allowed them to be accessed via the personal Google account.
“It’s currently not known how the personal account was compromised, though methods could range from obtaining leaked credentials in a database dump (which would still require further reconnaissance to ascertain the victim’s professional position) to buying logs from stealer malware inadvertently downloaded by the victim.
“This incident could support the case for broadening the criteria for credentials monitoring, as well as highlighting the importance of cyber hygiene and disabling syncing and store-in-browser features for privileged credentials.”
On emerging techniques for bypassing MFA:
“Cisco’s statement mentions that the threat actor was able to bypass multi-factor-authentication (MFA) with a combination of voice-phishing - a form of social engineering - and MFA fatigue - arguably a form of brute forcing. These are both techniques that we have observed being discussed in dark web forums recently, especially as MFA solutions become more widely implemented as a way to prevent account takeover. This incident shows just how quickly threat actors adapt to and overcome obstacles to cybercrime, and reinforces the necessity for businesses to have visibility of the dark web to gain insight into emerging cybercriminal techniques and to educate their employees on what to look out for.”
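The MFA fatigue technique described above shows up in authenticator logs as a burst of denied or unanswered push prompts, sometimes followed by an approval. The following detection is an added example, not code from Searchlight Security, Cisco or any vendor; it runs over a constructed sample log whose format (timestamp, user, result) is an assumption rather than a real product's log schema.

```python
"""Flag MFA push-fatigue bursts in authenticator logs (constructed sample).

Assumed log format (not a real vendor format): ISO timestamp, user, result,
where result is one of APPROVED, DENIED, TIMEOUT.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the alice sequence mimics a fatigue burst that
# ends in an approval; bob shows ordinary login behaviour.
SAMPLE_LOG = """\
2022-08-10T08:00:05Z alice DENIED
2022-08-10T08:00:41Z alice DENIED
2022-08-10T08:01:20Z alice TIMEOUT
2022-08-10T08:02:03Z alice DENIED
2022-08-10T08:03:15Z alice DENIED
2022-08-10T08:05:44Z alice APPROVED
2022-08-10T08:07:00Z bob APPROVED
2022-08-10T12:30:10Z bob DENIED
2022-08-10T12:31:00Z bob APPROVED
"""


def parse(log):
    """Parse one event per line into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: verdict}; verdict is 'burst' or 'burst_then_approved'.

    A burst is `threshold` rejected/unanswered pushes inside `window`.
    An approval within `window` after the burst is the higher-severity case,
    because it is consistent with the user finally giving in to the prompts.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    verdicts = {}
    for user, evs in by_user.items():
        rejected = [ts for ts, r in evs if r in ("DENIED", "TIMEOUT")]
        for i in range(len(rejected)):
            j = i + threshold - 1  # sliding window over rejected pushes
            if j < len(rejected) and rejected[j] - rejected[i] <= window:
                burst_end = rejected[j]
                approved_after = any(
                    r == "APPROVED" and burst_end < ts <= burst_end + window
                    for ts, r in evs
                )
                verdicts[user] = "burst_then_approved" if approved_after else "burst"
                break
    return verdicts
```

Tuning `threshold` and `window` to the organisation's normal prompt-denial rate keeps the alert useful; an occasional single denial like bob's should not fire.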
Additionally, Erfan Shadabi, Cybersecurity Expert at comforte AG, comments on the attack: "In ransomware attacks like this one, we look for the slivers of good news: no sensitive data was compromised. But this incident underscores a harsh reality that every organization must confront: a ransomware attack isn’t just a remote possibility but rather a likely imminent event.
Organizations need to prepare for this eventuality with robust recovery capabilities combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t extract sensitive data. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data."