Cisco dispels Kraken data breach claims, insists stolen data came from old attack
The networking giant insists the data is related to a previous attack


Cisco has pushed back on claims it has been breached in a new ransomware attack after a threat actor exposed sensitive information allegedly stolen from the firm’s internal network.
The Kraken ransomware group posted the information, which according to reporting by Cyber Press contained credentials linked to Cisco’s Windows Active Directory environment, to its dark web leak site.
This data was said to include privileged administrator accounts, NTLM hashed passwords, as well as the domain’s Kerberos Ticket Granting account that could have been leveraged to forge authentication tickets.
The post was accompanied by a threat of potential future attacks on the networking and security giant and a suggestion that Cisco had been trying, unsuccessfully, to remove the group from its network.
Jamie Akhtar, CEO and co-founder of CyberSmart, outlined the potential damage cyber criminals could inflict leveraging the sensitive information the Kraken group claimed to have taken.
“Hypothetically, the data leaked could allow cyber criminals to do a number of potentially damaging things. For example, the domain controller credentials could allow hackers to escalate privileges within Cisco’s network, move across networks within its wider infrastructure, and access and steal sensitive data.”
But Cisco has issued a statement claiming the ‘exposed’ credentials were taken from a historic data breach which occurred around two and a half years ago.
"Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers."
Cisco breach incident dates back to 2022
During the incident in question, attackers took control of a personal Google account that had Cisco employee credentials, according to a Cisco report on the attack published in August 2022.
After conducting a series of advanced voice phishing (vishing) attacks to bypass MFA protections, the attacker was able to gain access to the target user’s VPN.
Once they gained initial access, the attacker looked to establish persistence on the network, evade detection, and escalate their privileges.
Cisco said it was able to successfully remove the intruder, who made a series of unsuccessful attempts at regaining access in the following weeks.
It added that its CSIRT and Talos teams did not identify any evidence to suggest the attacker was able to access ‘critical internal systems’ such as its production environment or code signing architecture.
At the time, Cisco declared it believed the culprit to be an initial access broker (IAB) linked to the group tracked by Mandiant as UNC2447, known for its use of the FiveHands malware, as well as the Lapsus$ threat collective and the Yanluowang ransomware operation.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.