The Yanluowang ransomware gang hacks Cisco, stealing 2.8GB of data


Cisco has confirmed that the Yanluowang ransomware gang infiltrated the company's network in late May 2022 and then tried to extort it by threatening to leak the stolen files.

Cisco further stated that the attackers were only able to collect and steal non-sensitive data from a Box folder linked to a compromised employee account.

"Cisco experienced a security incident on the company's network in late May, and we took immediate action to contain and remove the intruders," a Cisco spokesperson said.

"Cisco is not aware of any impact on our business caused by this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property or supply chain operations.

On August 10, the attackers published a list of files from this security incident on the dark web. We've also taken additional measures to protect our systems and are sharing technical details that help protect the larger security community."

The Yanluowang gang gained access to Cisco's network using credentials stolen from a Cisco employee. The employee had saved those credentials in a browser whose data was synchronized to a personal Google account; once the attackers took over that Google account, the synced credentials gave them a valid login for Cisco's VPN.

The attackers then used voice-phishing calls and a flood of multi-factor authentication (MFA) push notifications (so-called MFA fatigue) until the employee accepted one of them, which completed the login.
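The MFA-fatigue step described above leaves a recognisable trace in authentication logs: a burst of push requests to one user, some denied, followed by an approval. The following is an added example, not code from Cisco or from this article, of a detector for that pattern. It assumes a hypothetical event schema of (timestamp, user, event, source_ip) with the events push_sent, push_denied and push_approved, and runs over constructed sample data; real Duo, Okta or Azure AD logs would need a small adapter to that shape.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Hypothetical event schema (constructed for this example):
(timestamp ISO-8601, user, event, source_ip), where event is one of
push_sent, push_denied, push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Cisco telemetry.
SAMPLE_EVENTS = [
    # jdoe: repeated pushes within minutes, one denied, the last one accepted (fatigue pattern)
    ("2022-05-24T21:02:11", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:02:40", "jdoe", "push_denied", "203.0.113.7"),
    ("2022-05-24T21:03:05", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:03:30", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:04:02", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:04:55", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:06:10", "jdoe", "push_sent", "203.0.113.7"),
    ("2022-05-24T21:06:31", "jdoe", "push_approved", "203.0.113.7"),
    # asmith: a single push, approved at once (normal login)
    ("2022-05-24T21:10:00", "asmith", "push_sent", "198.51.100.4"),
    ("2022-05-24T21:10:12", "asmith", "push_approved", "198.51.100.4"),
    # bwong: a few pushes spread over hours, each approved promptly (normal day)
    ("2022-05-24T08:00:00", "bwong", "push_sent", "192.0.2.9"),
    ("2022-05-24T08:00:20", "bwong", "push_approved", "192.0.2.9"),
    ("2022-05-24T13:15:00", "bwong", "push_sent", "192.0.2.9"),
    ("2022-05-24T13:15:09", "bwong", "push_approved", "192.0.2.9"),
]


def detect_push_fatigue(events, min_pushes=4, window=timedelta(minutes=10)):
    """Return one alert per approval that was preceded by at least `min_pushes`
    pushes to the same user inside `window`; denials in that span are reported too."""
    sent = defaultdict(list)    # user -> timestamps of pushes sent
    denied = defaultdict(list)  # user -> timestamps of pushes the user rejected
    alerts = []
    for ts, user, event, ip in sorted(events):  # ISO-8601 timestamps sort lexically
        t = datetime.fromisoformat(ts)
        if event == "push_sent":
            sent[user].append(t)
        elif event == "push_denied":
            denied[user].append(t)
        elif event == "push_approved":
            recent_sent = [s for s in sent[user] if t - s <= window]
            recent_denied = [d for d in denied[user] if t - d <= window]
            if len(recent_sent) >= min_pushes:
                alerts.append({
                    "user": user,
                    "pushes": len(recent_sent),
                    "denials": len(recent_denied),
                    "approved_at": ts,
                    "source_ip": ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

Only the jdoe sequence fires; the two normal users stay quiet because their pushes are either single or hours apart. The threshold and window are the knobs to tune against your own baseline, and an approval from a source IP never seen for that user is an obvious extra condition to add.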

Once inside Cisco's network, the attackers moved on to the Citrix environment and from there to the domain controllers.

"They accessed the Citrix environment, compromised a series of Citrix servers, and eventually gained privileged access to the domain controllers," Cisco Talos said.

After gaining domain administrator rights, they used tools such as ntdsutil, adfind, and secretsdump to enumerate the domain and dump credentials (ntdsutil and secretsdump can both extract the contents of the Active Directory database, NTDS.dit), and then deployed a series of malicious payloads, including a backdoor, on the compromised systems.
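The tooling named above (ntdsutil, adfind, secretsdump, plus the usual ways of copying NTDS.dit) is noisy in process-creation telemetry such as Windows event 4688 or Sysmon event 1. The following is an added example, not code from Cisco Talos or from this article, of rule-based detection over such events. It assumes a hypothetical pipe-delimited line format of timestamp|host|user|image|command_line and runs over constructed sample lines, including two benign ones that must not fire.

```python
"""Flag credential-dumping and AD-enumeration tooling in process-creation logs.

Hypothetical log format (constructed for this example), one event per line:
timestamp|host|user|image|command_line
"""
import re

# Constructed sample lines, not real Cisco telemetry.
SAMPLE_LOGS = [
    # ntdsutil "ifm" snapshot: exports NTDS.dit plus the SYSTEM hive for offline extraction
    r'2022-05-25T03:14:07|DC01|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q',
    # adfind enumerating every user object and its group memberships
    r'2022-05-25T03:20:41|CTX02|CORP\jdoe|C:\Users\jdoe\Downloads\adfind.exe|adfind.exe -f "(objectcategory=person)" samaccountname memberof',
    # impacket secretsdump pulling NTLM hashes straight from the DC over DRSUAPI
    r'2022-05-25T03:22:05|CTX02|CORP\jdoe|C:\Python39\python.exe|python.exe secretsdump.py corp/jdoe@dc01.corp.local -just-dc-ntlm',
    # esentutl copying the normally locked NTDS.dit to a staging folder
    r'2022-05-25T03:25:19|DC01|CORP\svc_backup|C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\temp\ntds.dit',
    # benign activity that must not fire
    r'2022-05-25T08:00:00|WS17|CORP\asmith|C:\Windows\System32\notepad.exe|notepad.exe report.txt',
    r'2022-05-25T09:30:00|DC01|CORP\admin|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "ac i ntds" "info" q q',
]

# Rule name -> pattern matched against "<image> <command_line>", evaluated in order.
RULES = [
    ("ntds_ifm_dump",      re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\b", re.I)),
    ("adfind_enumeration", re.compile(r"\badfind(\.exe)?\b.*(objectcategory|trustdmp|-sc\b|-subnets)", re.I)),
    ("secretsdump",        re.compile(r"\bsecretsdump(\.py)?\b", re.I)),
    ("ntds_dit_copy",      re.compile(r"\b(esentutl|copy|xcopy|robocopy|vssadmin)\b.*ntds\.dit", re.I)),
]


def parse_line(line):
    """Split one pipe-delimited event; the command line may itself contain '|'."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}


def detect_credential_dumping(lines):
    """Return (rule, host, user, command_line) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        haystack = f"{ev['image']} {ev['cmdline']}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits.append((name, ev["host"], ev["user"], ev["cmdline"]))
                break  # one alert per event; the first matching rule wins
    return hits


if __name__ == "__main__":
    for hit in detect_credential_dumping(SAMPLE_LOGS):
        print(hit)
```

The benign ntdsutil "info" invocation is deliberately left unflagged: the rule keys on the "ifm" and "create" verbs rather than on the binary name, because ntdsutil itself is legitimately used by domain administrators. Matching on the combined image path and command line also catches renamed copies of adfind when the arguments are left unchanged.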

Cisco eventually detected and evicted the attackers from its environment, but they kept trying to regain access in the following weeks.

"After gaining initial access, the hacker performed a variety of activities to maintain access, reduce forensic evidence, and increase their access to systems in the environment," Cisco Talos further revealed.

"The hacker was removed from the environment but persisted, repeatedly trying to regain access in the weeks following the attack, but those efforts were unsuccessful."

Hackers claim to have stolen a large amount of data from Cisco

According to BleepingComputer, the attackers claim to have stolen 2.75 GB of data from Cisco, about 3,100 files in all. Many of these files are non-disclosure agreements (NDAs), data dumps, and engineering drawings.

On August 10, the gang also announced the Cisco hack on its own leak site.

No ransomware deployed

Although the Yanluowang gang is known for encrypting victims' data, Cisco found no trace of ransomware in this attack. There are, however, signs that the attackers were preparing to deploy it.




Editor in chief: Tran Nha Phuong
Copyright © 2022 iCOMM Tech JSC