
Cisco employee falls victim to voice phishing scam, resulting in stolen confidential data

According to Cisco's findings, the suspected intruder is a cybercriminal affiliated with multiple malicious cyber groups.


In a recent development, American multinational technology conglomerate Cisco has confirmed a data breach by the hacker group ShinyHunters. The breach, which was discovered on May 24, has been contained, and no products, services, sensitive customer or employee information, intellectual property, or supply chain operations were affected.

According to Cisco's statement, the threat actor had access to Cisco systems related to product development and code signing. However, the attacker was only able to exfiltrate the contents of a Box folder associated with the compromised employee's account and employee authentication data from Active Directory.

The threat actor, identified as an initial access broker with links to the UNC2447 cybercrime gang, Lapsus$, and Yanluowang ransomware operators, published a list of files stolen during the incident on the dark web before Cisco's public announcement. The attacker made repeated attempts to reach Cisco executives via email, but didn't make any specific threats or extortion demands.

The tactics, techniques, and procedures used in the attack were consistent with pre-ransomware activity. The attacker gained access to the employee's Cisco credentials by controlling a personal Google account that synchronized login data in the victim's browser. Subsequent attempts to access Cisco's networks were blocked, and no ransomware has been observed or deployed.

Cisco Talos, the company's threat intelligence and research organisation, issued a blog post about the incident on Wednesday. In response, Cisco initiated a company-wide password reset and contacted law enforcement and other partners once it learned of the intrusion. The attacker has been removed from Cisco systems.

Notably, the incident involved voice phishing attacks. A Cisco employee was tricked into accepting a multi-factor authentication request, granting an attacker access to critical internal systems.

Despite the breach, Cisco maintains that its products, services, sensitive customer or employee information, intellectual property, and supply chain operations were not affected. The company reassures its customers and partners that it is committed to maintaining the highest standards of security and will continue to take proactive measures to protect its systems and data.
