Dive Brief:
- A Cisco employee was fooled by a series of voice phishing calls into accepting a multifactor authentication request, which granted an attacker access to critical internal systems, Cisco Talos said in a Wednesday blog post.
- The threat actor accessed Cisco systems for product development and code signing, but the company says no products, services, sensitive customer or employee information, intellectual property or supply chain operations were impacted.
- Cisco said it removed the attacker, which it has identified as an initial access broker with ties to the UNC2447 cybercrime gang, Lapsus$ and the Yanluowang ransomware operators.
Dive Insight:
Cisco publicly acknowledged the attack only on Wednesday, after the threat actor published a list of files stolen during the incident on the dark web. The company first learned of the intrusion on May 24.
The adversary obtained the employee’s Cisco credentials after taking control of a personal Google account to which the employee’s browser synchronized its saved logins, including the Cisco credentials, according to Cisco.
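Once the password was in the attacker’s hands, the MFA prompt was the last control standing, and the pattern described above (an employee pressured into approving a push) leaves a recognizable trace: a burst of denied or unanswered pushes for one account followed by an approval. The following detection is an added illustration, not Cisco’s or Talos’s code; the log lines are constructed for the example and the field names (ts, user, event, result, src_ip) are assumed, not the schema of any particular identity provider.

```python
"""Flag MFA push-fatigue: an approval preceded by a burst of non-approved pushes.

Constructed example for illustration. Field names (ts, user, event, result,
src_ip) are assumptions, not the schema of any real IdP or SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample log (made up for this example). One JSON object per MFA push.
SAMPLE_LOG = """
{"ts": "2022-05-24T03:12:01Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T03:12:40Z", "user": "jdoe", "event": "mfa_push", "result": "timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T03:13:15Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T03:14:02Z", "user": "jdoe", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T03:19:48Z", "user": "jdoe", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-05-24T08:00:10Z", "user": "asmith", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.4"}
{"ts": "2022-05-24T08:30:00Z", "user": "asmith", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.4"}
{"ts": "2022-05-24T08:31:00Z", "user": "asmith", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.4"}
"""

# Tunable thresholds (assumed values): a single mis-tap is normal, a run of
# refusals ending in an approval is not.
PUSH_FATIGUE_MIN_FAILURES = 3
PUSH_FATIGUE_WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_fatigue(events, min_failures=PUSH_FATIGUE_MIN_FAILURES,
                        window=PUSH_FATIGUE_WINDOW):
    """Return one alert per approved push that was preceded, within `window`,
    by at least `min_failures` pushes for the same user that were not approved
    (denied, timed out, etc.)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("event") == "mfa_push":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in by_user.items():
        for i, push in enumerate(pushes):
            if push["result"] != "approved":
                continue
            window_start = push["ts"] - window
            prior_failures = [p for p in pushes[:i]
                              if p["ts"] >= window_start and p["result"] != "approved"]
            if len(prior_failures) >= min_failures:
                alerts.append({
                    "user": user,
                    "approved_at": push["ts"],
                    "prior_failures": len(prior_failures),
                    # Source IPs seen across the burst; a single unfamiliar IP
                    # driving every prompt strengthens the case for an attacker.
                    "src_ips": sorted({p["src_ip"] for p in prior_failures + [push]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the constructed data only jdoe trips the rule: four refused or unanswered pushes in the seven minutes before the approval, all from one address. asmith’s single denial followed by an approval stays below the threshold, which is the kind of ordinary mis-tap the window and minimum count are meant to tolerate. A rule like this is a compensating detection, not a fix; the attack only works because a bare push prompt lets the attacker retry for free, which is why number matching or phishing-resistant authenticators close the gap rather than tuning thresholds.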
The threat actor made repeated attempts to reach Cisco executives via email, but did not make any specific threats or extortion demands, the company said. Subsequent attempts to access Cisco’s networks were blocked, and no ransomware has been observed or deployed, though the tactics, techniques and procedures were consistent with pre-ransomware activity, according to Cisco.
The threat actor dropped multiple malware payloads onto Cisco systems, took steps to cover their tracks, maintained access and escalated privileges, Cisco said. The company says the attacker was only able to exfiltrate the contents of a Box folder associated with the compromised employee’s account and employee authentication data from Active Directory.
Cisco said it contacted law enforcement and other partners, and initiated a company-wide password reset once it learned of the intrusion.