Cisco Hacked 2022 by Yanluowang Ransomware Gang – Cyberattack

Cisco has now stated that the Yanluowang ransomware group breached its corporate network in late May and that the actor attempted to extort the company by threatening to post stolen material online.

The company disclosed that the attackers were only able to gather and steal non-sensitive material from a Box folder connected to a compromised employee’s account.

“Cisco did not identify any impact on our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.

“On August 10 the bad actors published a list of files from this security incident on the dark web. We have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.”

Yanluowang email to Cisco

Breached Using Stolen Employee Credentials

According to the investigation, the attacker took over an employee’s personal Google account, which contained credentials synchronized from the employee’s browser, and then entered Cisco’s network using those stolen credentials. The attacker then impersonated a reputable company in phone calls with the employee. Through MFA fatigue and a series of sophisticated voice phishing attacks carried out by the Yanluowang gang under the guise of reputable support organizations, the attacker persuaded the Cisco employee to accept multi-factor authentication (MFA) push notifications. As a result, the attacker was able to access Cisco’s network using the employee’s login information.

MFA fatigue is an attack strategy in which threat actors bombard a target with repeated multi-factor authentication requests in the hope that the target will eventually accept one just to make the requests stop.

The threat actors were able to access the VPN in the context of the targeted user after ultimately tricking the victim into accepting one of the MFA alerts.
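As an added illustration (not part of Cisco’s or Talos’s write-up), the sketch below shows one way a defender could surface the MFA fatigue pattern described above in authentication logs: a burst of denied or timed-out push requests for one user that ends in an approval. The log format, field names and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format and thresholds (hypothetical, not from any product).
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push "
                     r"result=(?P<result>\w+) src=(?P<src>\S+)$")
WINDOW = timedelta(minutes=10)  # look-back window per user
THRESHOLD = 5                   # unapproved pushes that count as a burst

# Constructed sample events (fictional users, documentation IP ranges).
SAMPLE_LOG = """\
2022-05-24T09:00:00Z user=bob event=mfa_push result=approved src=198.51.100.20
2022-05-24T10:00:05Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-05-24T10:00:40Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-05-24T10:01:10Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-05-24T10:01:15Z user=carol event=mfa_push result=timeout src=198.51.100.33
2022-05-24T10:01:50Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-05-24T10:02:00Z user=carol event=mfa_push result=approved src=198.51.100.33
2022-05-24T10:02:30Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-05-24T10:03:05Z user=alice event=mfa_push result=approved src=203.0.113.7
"""

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert on approvals preceded by >= threshold unapproved pushes in window."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # not an MFA push event in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[m["user"]]
        while q and ts - q[0] > window:
            q.popleft()          # expire pushes that fell out of the window
        if m["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({"user": m["user"], "approved_at": m["ts"],
                               "src": m["src"], "unapproved_before": len(q)})
            q.clear()            # an approval ends the current burst
        else:
            q.append(ts)         # denied or timed-out push
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

An alert of this kind is a prompt to contact the user through a known-good channel and review the session that followed the approval; a single missed push followed by an approval, as with the sample user carol, stays below the threshold.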

Once the Yanluowang operators had gained access to the corporate network, they moved laterally to Citrix servers and domain controllers.

“They moved into the Citrix environment, compromising a series of Citrix servers, and eventually obtained privileged access to domain controllers,” Cisco Talos said.

The attackers were ultimately found and removed from Cisco’s environment, but they persisted in trying to acquire access over the subsequent weeks.

“After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment,” Cisco Talos added.

“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”

Cisco developed two brand-new ClamAV detections for the backdoor and a Windows exploit used for privilege elevation to aid network administrators and security experts in identifying the malware used in the assault.



Although Cisco offered some details on the backdoor and how it could be used to execute commands remotely, the exploit executable that was found is not mentioned in their write-up.

According to detections on VirusTotal, however, the exploit is for CVE-2022-24521, a Windows Common Log File System Driver Elevation of Privilege vulnerability that was reported to Microsoft by the NSA and CrowdStrike and patched in April 2022.

Cisco further stated that, though the Yanluowang gang is known for encrypting their victims’ files, it found no evidence of this tactic.

“While we did not observe ransomware deployment in this attack, the Tactics, Techniques, and Procedures (TTPs) used were consistent with ‘pre-ransomware activity,’ activity commonly observed leading up to the deployment of ransomware in victim environments,” Cisco Talos added in a separate blog post.

Executive Summary of the Cisco Breach

  • Cisco learned of a potential breach on May 24, 2022. Since then, Cisco Talos and the Cisco Security Incident Response Team (CSIRT) have been working to correct the issue.
  • During the investigation, it was discovered that a Cisco employee’s credentials had been compromised after an attacker took over a personal Google account where credentials saved in the victim’s browser were being synced.
  • The attacker used a series of sophisticated voice phishing attacks, impersonating numerous reputable companies, to persuade the victim to accept multi-factor authentication (MFA) push notifications that the attacker had initiated. In the end, the attacker obtained an MFA push acceptance, which gave them access to the VPN in the context of the targeted user.
  • Talos and CSIRT are responding to the incident and, thus far, have not found any evidence that the attacker was able to access any critical internal systems, including those involved in product development, code signing, etc.
  • After gaining initial access, the threat actor engaged in several actions to keep it, reduce forensic evidence, and broaden their level of access to the environment’s systems.
  • The threat actor was successfully removed from the environment. The actor displayed persistence, continually trying to regain access in the weeks after the attack, but these attempts were unsuccessful.
  • It is estimated, with moderate to high probability, that this attack was carried out by an adversary who has previously been identified as an initial access broker (IAB) connected to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators.

Lessons Learnt from the Cisco Breach

  1. Despite the frequent use of social engineering tactics by threat actors to breach targets, businesses still struggle to mitigate these dangers. User education is essential for preventing such attacks, and it includes ensuring that staff members are aware of the proper channels support staff will use to communicate with users so they can spot phony attempts to gain sensitive data.
  2. Ensure posture checking is set up to enforce a minimum set of security controls before allowing VPN connections from remote endpoints. This ensures that connecting devices meet the environment’s security requirements. It can also stop rogue devices that have not previously been approved from connecting to the corporate network environment.
  3. Network segmentation is another crucial security measure that businesses should implement because it improves the protection of high-value assets and makes it possible to detect and respond to threats more quickly when they first enter an environment.
  4. Threat actors have frequently been seen aiming their attacks at backup systems to further hinder an organization’s capacity to recover from an assault. This risk can be reduced and the capacity of an organization to successfully recover from an attack can be ensured by making sure backups are offline and checked regularly.



Hope today’s blog was informative. If it was, let me know in the comments section what you found interesting 🙂
