Cisco confirmed that the UNC2447 cyber gang, the Lapsus$ threat actor group, and Yanluowang ransomware operators breached its corporate network in May 2022, and that the threat actor then tried to extort Cisco by threatening to leak stolen files.
During the investigation of the attack, Cisco determined that a Cisco employee's credentials were compromised after an attacker gained control of the employee's personal Google account, to which credentials saved in the victim's browser were being synchronized.
The attacker conducted a series of sophisticated voice phishing attacks, posing as various trusted organisations, in an attempt to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in getting an MFA push accepted, which granted them access to the VPN in the context of the targeted user.
After gaining initial access, the threat actor worked to maintain that access, minimized forensic artifacts, and escalated their level of access to systems within the ICT environment.
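The MFA push abuse described above leaves a recognisable trace in authentication logs: a burst of denied or timed-out pushes for one user followed by an approval. The following detector is an added example written for this page, not Cisco's or any vendor's code; the log format and the sample lines are constructed, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data); one "timestamp user result" per line.
SAMPLE_LOG = """\
2022-05-10T09:00:05Z alice push_denied
2022-05-10T09:01:10Z alice push_timeout
2022-05-10T09:02:40Z alice push_denied
2022-05-10T09:03:55Z alice push_approved
2022-05-10T09:00:30Z bob push_approved
2022-05-10T11:30:00Z carol push_denied
2022-05-10T13:45:00Z carol push_approved
"""

def parse_events(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)

def detect_push_fatigue(events, window=timedelta(minutes=10), min_failures=2):
    """Flag approvals preceded by >= min_failures denied/timed-out pushes within `window`.

    Repeated rejected or unanswered pushes that end in an approval are the signature of
    an attacker spamming prompts until the user gives in. Window and threshold are
    assumed defaults. Returns a list of (user, failures_before_approval, approval_time).
    """
    recent = defaultdict(list)   # user -> timestamps of failed pushes still inside the window
    alerts = []
    for ts, user, result in events:
        recent[user] = [t for t in recent[user] if ts - t <= window]  # expire old failures
        if result in ("push_denied", "push_timeout"):
            recent[user].append(ts)
        elif result == "push_approved":
            if len(recent[user]) >= min_failures:
                alerts.append((user, len(recent[user]), ts))
            recent[user].clear()
    return alerts

if __name__ == "__main__":
    for user, n, when in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {user} approved a push after {n} failed pushes at {when.isoformat()}")
```

On the sample log only alice is flagged: carol's single denial is hours before her approval and falls outside the window, and bob approved on the first push.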