Cisco Talos has confirmed that a ransomware actor breached its organisation in May 2022, but has declined to confirmed rumours that substantial amounts of data were stolen.
The networking giant's security arm said on Wednesday that it first became aware of the breach on 24 May, and has been working to remediate the situation since then.
The entity behind the attack was able to use “sophisticated” techniques to steal a Talos employee’s credentials.
These included gaining control of the employee’s personal Google account, where their Talos credentials were being synchronised, and social engineering methods such as a series of convincing voice phishing messages from seemingly legitimate organisations.
The attackers were ultimately able to convince the Talos employee to accept a multi-factor authentication (MFA) prompt, giving them full control over the account and able to access the company's VPN.
MFA prompts have been criticised in the past for being abusable. A scenario that regularly appears in cyber security companies' threat models is one involving a threat actor stealing an employees' credentials and bombarding their smartphone with MFA authorisation push notifications, often during sleeping hours, in the hope that they will absent-mindedly be accepted in order to stop the disruption they cause.
This week, the effectiveness of hardware-based MFA keys was brought to light as both Twilio and Cloudflare were targeted with sophisticated phishing attacks, but only the latter prevented a full attack thanks to the company-wide use of FIDO keys in addition to MFA security prompts.
Once inside Talos’ systems, the attacker displayed tactics to establish persistence in the environment, and destroy evidence of their activities.
Talos removed the attackers and confirmed that the repeated attempts to rejoin the environment via the deployed persistence methods were unsuccessful.
“CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc,” it said in a blog post.
Talos also went on to say that some data was stolen but this was just the contents of a Box folder associated with the hacked employee, adding that none of the data was stolen.
Attributing the attack with “medium-to-high confidence” to an initial access broker (IAB) associated with LAPSUS$ and the Yanluowang ransomware gang, Talos did not comment on the alleged data posted to the latter group’s deep web leak site this week.
Yanluowang posted a text file to its online leak site on Wednesday evening, claiming to have at least had access to 82GB worth of data.
These included a broad selection of approved non-disclosure agreements (NDAs), some of which seemingly involved former long-serving Cisco employees. The text document posted by the ransomware organisation included numerous full names appearing in the file names.
Talos said no ransomware was actually deployed as part of the attack, although it seems the stolen data Yanluowang claimed to have was held to ransom, according to alleged chats between the cyber criminals and Talos.
Yanluowang first approached media outlet BleepingComputer last week with the files it claimed to have stolen. Out of the 82GB total files enumerated, according to the text document on its leak site, the ransomware outfit claimed to have stolen 2.8GB worth of data.
In chats shared with the publisher, Yanluowang claimed to have offered Talos “a very good deal” and “no one would know about the incident and data leakage” if Talos agreed to pay the ransom.
The timing of the attack, the data being leaked by Yanluowang, and Talos' blog post going live have all prompted experts to claim the threat actors ‘forced Talos’ hands’ into disclosing.
Being a US-based company, Talos isn’t compelled to disclose data breaches within a specific time frame, unlike companies bound by data protection regulations such as the GDPR, or the Data Protection Act 2018.
It is possible that Talos refused to pay a ransom allegedly served to it by Yanluowang and was forced to publish a full incident disclosure as a result.
Who is behind Yanluowang?
Yanluowang is a ransomware operation that came to prominence in 2021 after a series of targeted ransomware attacks on companies in the financial sector, as well as in IT services, consultancy, and engineering, Symantec has said.
The group offers an eponymous ransomware program and is ‘tentatively’ believed to be linked to the earlier Thieflock ransomware group.
Symantec said a number of tools, tactics, and procedures (TTPs) are the same as Thieflock’s, indicating the people behind Yanluowang may have been members of the Thieflock affiliate programme.
Yanluowang is known for abusing AdFind, a legitimate command-line Active Directory tool, and PowerShell for reconnaissance and malware downloading respectively.
Remote access via remote desktop protocol (RDP) is usually established before using a variety of open source tools to harvest credentials and steal other data such as screen captures and miscellaneous files.
