On August 10, 2022, Cisco officially confirmed that its corporate network had been breached earlier that year by the Yanluowang ransomware group. According to the vendor, the intrusion was identified internally on May 24 and investigated by the Cisco Security Incident Response Team (CSIRT).
The incident made headlines after the Yanluowang operators leaked a list of stolen files on the darknet. Cisco representatives state that the adversaries did not exfiltrate sensitive data and only obtained files from a Box folder tied to the compromised employee's account. According to the official statement released by Cisco Talos, the initial access vector was phishing: an employee fell for the attackers' lures, which led to the hijacking of the employee's personal Google account, the theft of credentials synchronized to that account, and the use of those credentials to access the Cisco VPN.
Use the pack of rules covering attacker behavior observed in the recent Cisco internal incident:
Sigma-based rules to detect adverse activity
The detections are available for 26+ SIEM, EDR, and XDR platforms and are aligned with the MITRE ATT&CK® framework v10.
To scan your environment for possible ransomware-based breaches, registered users can access the full list of detection algorithms available in the Threat Detection Marketplace repository of the SOC Prime Platform. The Detect & Hunt button will provide you access to 200,000+ unique hunting queries, parsers, SOC-ready dashboards, Sigma, YARA, and Snort curated rules, Machine Learning models, and Incident Response Playbooks tailored to 26 industry-leading SIEM, EDR, and XDR technologies.
Security practitioners without an account can navigate the collection of detection content items available via the Cyber Threats Search Engine. Press the Explore Threat Context button to access a one-stop shop for curated SOC content.
The Yanluowang ransomware gang has been active since August 2021, predominantly attacking US-based corporations. The ransomware family is named after a Chinese mythological character, the ruler of the underworld. The TTPs associated with this threat actor overlap with those used by the UNC2447 and Lapsus$ groups.
It is no secret that ransomware operators often use social engineering as the primary infection vector. The Yanluowang threat actors took the same well-trodden path to breach Cisco's network, relying on phishing to deceive their target. The adversaries launched multiple voice phishing (vishing) calls while masquerading as legitimate organizations, with the goal of duping the victim into approving multi-factor authentication push notifications, a technique commonly referred to as MFA fatigue.
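MFA fatigue leaves a recognizable trace in authentication logs: a burst of push prompts to one user, several of them denied, ending with an approval. The following is an added example, not code from Cisco, Cisco Talos, or SOC Prime, that implements that detection over a constructed log. The log format (timestamp, user, event, outcome), the user names, and the threshold of three pushes within ten minutes are assumptions for illustration; a real deployment would map the fields to the MFA provider's schema and tune the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA-provider log (not real Cisco telemetry).
# Format per line: <ISO timestamp> <user> <event> <outcome>
SAMPLE_LOG = """\
2022-05-24T08:01:10Z alice push_sent -
2022-05-24T08:01:40Z alice push_result denied
2022-05-24T08:02:05Z alice push_sent -
2022-05-24T08:02:30Z alice push_result denied
2022-05-24T08:03:01Z alice push_sent -
2022-05-24T08:03:20Z alice push_result denied
2022-05-24T08:04:00Z alice push_sent -
2022-05-24T08:04:12Z alice push_result approved
2022-05-24T09:15:00Z bob push_sent -
2022-05-24T09:15:08Z bob push_result approved
"""

# Assumed tuning values: how many pushes in the window count as a fatigue burst.
PUSH_THRESHOLD = 3
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Parse the constructed log into (timestamp, user, event, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, outcome))
    return events


def detect_mfa_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Alert when a user receives >= threshold pushes inside `window` and then
    approves one. Denials do not reset the burst; an approval closes it."""
    pushes = defaultdict(list)  # user -> timestamps of push_sent in the current burst
    alerts = []
    for ts, user, event, outcome in sorted(events):
        if event == "push_sent":
            pushes[user].append(ts)
            # keep only pushes that fall inside the sliding window
            pushes[user] = [t for t in pushes[user] if ts - t <= window]
        elif event == "push_result" and outcome == "approved":
            recent = pushes[user]
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "pushes": len(recent),
                    "first_push": recent[0],
                    "approved_at": ts,
                })
            pushes[user].clear()  # the burst is resolved either way
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse(SAMPLE_LOG)):
        print(f"MFA fatigue suspected: {alert['user']} approved after "
              f"{alert['pushes']} pushes between {alert['first_push']} and {alert['approved_at']}")
```

In the constructed data, alice approves only after the fourth prompt in three minutes and is flagged, while bob's single prompt followed by an approval is ordinary behavior and is not. A burst that ends in denials alone is worth a lower-severity signal as well, since it may indicate that the attacker already holds a valid password.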
Upon establishing a foothold on the breached system, the attackers moved laterally across the network, reaching the Citrix environment and obtaining domain admin rights. The Yanluowang operators employed tools such as secretsdump, ntdsutil, and adfind to harvest credentials and Active Directory data. Evidence suggests that the adversaries deployed numerous malicious payloads on the compromised systems.
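The tools named above each leave a distinctive command line, which is exactly what Sigma process-creation rules key on. The following is an added example, not code from Cisco, Cisco Talos, or SOC Prime, of a minimal Sigma-style matcher (AND across selection fields, OR across a field's values, with the `contains`, `endswith`, and `all` modifiers) run over constructed process-creation events. The event records, file paths, and rule titles are invented for illustration; the matched command-line fragments (ntdsutil's `ifm` / `create full`, AdFind's `objectcategory=` filters, secretsdump's `-just-dc`) are the tools' standard usage, not indicators taken from the Cisco incident.

```python
# Constructed Sysmon/4688-style process-creation events (not real Cisco data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\temp\nt" q q'},
    {"Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": r"adfind.exe -f objectcategory=person -gc"},
    {"Image": r"C:\Python39\python.exe",
     "CommandLine": r"python.exe secretsdump.py corp/admin@dc01 -just-dc-ntlm"},
    # routine admin use of ntdsutil: should NOT fire
    {"Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r"ntdsutil snapshot list"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

# Sigma-like rules. Within `selection`, every field must match (AND); the values
# listed for a field are OR'd unless the `all` modifier is present.
RULES = [
    {"title": "NTDS.dit dump via ntdsutil IFM",
     "selection": {"Image|endswith": [r"\ntdsutil.exe"],
                   "CommandLine|contains|all": ["ifm", "create full"]}},
    {"title": "AdFind AD enumeration",
     "selection": {"CommandLine|contains": ["objectcategory=person",
                                            "objectcategory=computer",
                                            "trustdmp", "dclist"]}},
    {"title": "Impacket secretsdump",
     "selection": {"CommandLine|contains": ["secretsdump", "-just-dc"]}},
]


def field_matches(event, spec, values):
    """Evaluate one Sigma-style field spec such as 'CommandLine|contains|all'."""
    field, *mods = spec.split("|")
    actual = str(event.get(field, "")).lower()   # Sigma string matching is case-insensitive
    vals = [v.lower() for v in values]
    if "contains" in mods:
        hits = [v in actual for v in vals]
    elif "endswith" in mods:
        hits = [actual.endswith(v) for v in vals]
    else:
        hits = [actual == v for v in vals]
    return all(hits) if "all" in mods else any(hits)


def match(event, rule):
    return all(field_matches(event, spec, vals) for spec, vals in rule["selection"].items())


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every event/rule pair that matches."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if match(e, r)]


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Matching on `Image|endswith` alone is fragile because adfind and secretsdump are trivially renamed or run from an interpreter, which is why the AdFind and secretsdump rules above key on command-line fragments instead. The ntdsutil rule requires both `ifm` and `create full` so that legitimate snapshot housekeeping (event 3) does not fire.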
According to the vendor's official statement, Cisco products and services, as well as sensitive employee and customer information, were not affected by the incident. CSIRT also found no evidence of ransomware being deployed during this intrusion.
Withstand an avalanche of cybersecurity threats with best-in-class solutions designed to equip SOC professionals with the tools and insight to identify potentially high-profile threats before attackers set up persistence, steal data, or deploy payloads. Stay up to date on threat hunting with SOC Prime!