Fortis Security Advisory: Cisco Reports Corporate Network Breach
Cisco Security Incident Response and Cisco Talos released information on 8/10/22 regarding a security incident that occurred within the Cisco corporate network that was identified in late May of 2022. Cisco determined that although files from the incident were published to the dark web on 8/10/22, they feel confident the incident was isolated to the Cisco corporate network and does not impact any Cisco products or services, sensitive customer data or employee information, Cisco intellectual property, or supply chain operations. Although no ransomware was deployed during this incident, the Talos team indicates that the TTPs used were consistent with “pre-ransomware activity.” As of version 1.0 of their communication release, Cisco has stated that no customer or partner action is required for Cisco products or services. Please read on for additional details.
Incident and Activity Group Details
Cisco shared that initial access was achieved through an event chain that included a compromised Google account with cached Cisco credentials in the browser, followed by successful voice phishing (vishing) and MFA fatigue, which allowed the adversary to gain access to the Cisco VPN under the context of the target user. The attacker then continued to escalate privileges, dropped well-known security tools such as Cobalt Strike, Mimikatz, Impacket, and PowerSploit, and created additional backdoor accounts to gain persistence in the environment. The Talos team observed tooling being staged in the Public user profile on affected systems and believes that the C2 infrastructure used was customized to this attack.
The Talos team reports the actor continued to escalate privileges and pivot through the environment using living-off-the-land techniques of exploiting trusted Windows utilities, eventually obtaining privileged domain controller access. Credentials were then dumped using ntdsutil.exe via PowerShell and exfiltrated over SMB. Additional attempts were made to enumerate the environment and extract credentials with other well-known methods such as adfind, secretsdump, MiniDump, and extracting the SAM database.
The actor is reported to have made efforts to conceal forensic artifacts by clearing Windows event logs and removing local admin accounts that they had created. They also modified firewall configurations to enable and utilize Remote Desktop Protocol (RDP) access and installed common remote support tools.
Cisco reports the threat actor continued to attempt to access the environment after eviction, specifically focusing on previously compromised accounts, attempting to exploit weak password hygiene, and making use of newly established domains that referenced the Cisco organization. The adversary also made spear phishing attempts during this time. The Talos team assessed that this activity is associated with an initial access broker tied to both UNC2447 and Lapsus$. For additional technical details and a list of IOCs, please refer to the Talos blog linked at the end of this release.
Fortis ActiveDefense Detection Coverage
Based on the tactics and techniques listed in the Talos blog, the Fortis ActiveDefense platform maintained comprehensive coverage throughout the MITRE ATT&CK phases provided in the blog. The Cisco CSIRT team also indicated they have updated their security products with intelligence gained from observing the bad actor’s techniques and shared Indicators of Compromise (IOCs) via the Talos blog. The Fortis by Sentinel SOC team is also performing dedicated threat hunting for this specific communication. If any suspicious activity around these indicators of compromise is found, a SOC analyst will be in touch.
The Fortis Threat Intelligence team is working diligently to review the IOCs and artifacts provided by the Talos team and implement any new detections to assist in identifying threats associated with this activity. The Fortis team will continue to monitor Cisco communication for updates – especially those that may affect Cisco partners or customers.
Additional Recommendations and Best Practices
Given Cisco’s unique visibility into this activity as a security product owner, it has provided a number of recommendations. High on the list is comprehensive user education to assist in thwarting social engineering attacks such as those used in this incident. Further recommendations include proper network segmentation, remote endpoint posture checking, comprehensive log collection to avoid visibility gaps, maintaining periodically tested offline backups, and command line auditing to gain visibility into suspicious activity involving trusted utilities.
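To show what command line auditing can surface for the behaviours described above (ntdsutil.exe run via PowerShell, event log clearing, firewall changes enabling RDP, tooling staged in the Public user profile), here is an added example that is not Cisco, Talos or Fortis detection logic. The rule names, regular expressions, event field names and sample records are assumptions constructed for illustration.

```python
import re

# Heuristic rules keyed to behaviours named in this advisory. The regexes are
# illustrative assumptions, not vendor signatures, and will need tuning.
RULES = [
    ("ntds_dump_via_ntdsutil", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b", re.I)),
    ("event_log_cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bClear-EventLog\b", re.I)),
    ("firewall_rdp_enabled",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b.*remote desktop.*enable=yes", re.I)),
]
# Executables launched from the Public user profile (staging location in the advisory).
PUBLIC_PROFILE = re.compile(r"^[a-z]:\\users\\public\\", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS = "C:\\Windows\\System32\\"

# Constructed process-creation records (hypothetical hosts, paths and file names).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Users\Public\tool.exe",
     "cmdline": r"C:\Users\Public\tool.exe"},
    {"host": "DC01", "image": PS,
     "cmdline": r"powershell.exe ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\Temp\ifm' q q"},
    {"host": "DC01", "image": SYS + "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "SRV02", "image": SYS + "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    # Benign use of the same trusted utilities: must not alert.
    {"host": "SRV03", "image": SYS + "wevtutil.exe", "cmdline": "wevtutil.exe qe Security /c:5"},
    {"host": "SRV03", "image": SYS + "netsh.exe", "cmdline": "netsh advfirewall show allprofiles"},
]

def audit(events):
    """Return (host, rule_name) for every rule an event trips, in input order."""
    hits = []
    for ev in events:
        if PUBLIC_PROFILE.search(ev["image"]):
            hits.append((ev["host"], "exec_from_public_profile"))
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], name))
    return hits

if __name__ == "__main__":
    for host, rule in audit(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The rules match on the command line rather than the image name, so ntdsutil.exe launched from a PowerShell parent is still caught while routine queries with the same utilities are not.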
As the number of cyberattacks continues to increase at an exponential level, the Fortis team remains vigilant in our mission to stop breaches before they occur. We are fighting for you with 24x7x365 monitoring of your environment through our Security Operations Center (SOC), Incident Response, and Threat Intelligence teams to help lower the time to detect and respond to active threats. Our Incident Response team is always ready to engage at (844) 297-4853.
References and Additional Reading
Cisco Event Response Release: https://tools.cisco.com/security/center/resources/corp_network_security_incident
Talos Blog: https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html