Behind the Hack: Cisco's Data Breach
Quick take: On May 24, 2022, Cisco Systems became aware of a cyberattack that breached its network after the attackers compromised an employee's personal Google account. The attackers, who Cisco Talos assessed were likely affiliated with the cybercriminal syndicate Lapsus$, stole files and published them to the dark web. While ransomware was never deployed, Cisco Talos researchers described the attack as “pre-ransomware activity,” which is “commonly observed leading up to the deployment of ransomware in victim environments.”
According to the researchers, “Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems.” Even after Cisco removed them from the network, the attackers repeatedly attempted to regain access for weeks.
Why it matters: The attackers got their foothold through a “personal Google account where credentials saved in the victim’s browser were being synchronized,” which gave them the employee's Cisco credentials. A password alone was not enough to reach the VPN, so they launched a constant stream of voice phishing calls and multi-factor authentication push notifications to pressure the employee into approving a login. The employee finally relented, which researchers attribute to “MFA fatigue”: attackers send so many push notifications and other requests that the victim either gives in or makes a mistake, thereby granting access. The callers also “purported to be associated with support organizations trusted by the user.” One approved push was all it took; from there the attackers registered their own devices for MFA so that future logins no longer depended on the victim at all.
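The chain described above (a burst of MFA pushes, a single approval, a newly enrolled MFA device, then a VPN login from an unfamiliar address) is detectable from authentication logs. The following is an added example of that detection logic, written for this page; it is not Cisco's or Talos's tooling. The CSV log format, event names, user names, IP addresses and thresholds are assumptions, and the sample log lines are constructed for illustration.

```python
"""Detect the MFA-fatigue -> new MFA device -> VPN login chain in auth logs.

Added example for this page: the log format, event names, thresholds and
sample data are assumptions for illustration, not real Cisco or Talos data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Format: timestamp,user,event,source_ip
SAMPLE_LOG = """\
2022-05-19T17:45:00Z,jdoe,vpn_login,192.0.2.10
2022-05-20T08:01:10Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:01:40Z,jdoe,mfa_push_timeout,198.51.100.7
2022-05-20T08:02:15Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:02:30Z,jdoe,mfa_push_denied,198.51.100.7
2022-05-20T08:03:20Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:03:50Z,jdoe,mfa_push_timeout,198.51.100.7
2022-05-20T08:04:45Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:05:15Z,jdoe,mfa_push_timeout,198.51.100.7
2022-05-20T08:06:10Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:06:40Z,jdoe,mfa_push_denied,198.51.100.7
2022-05-20T08:08:30Z,jdoe,mfa_push_sent,198.51.100.7
2022-05-20T08:09:05Z,jdoe,mfa_push_approved,198.51.100.7
2022-05-20T08:10:30Z,jdoe,mfa_device_enrolled,198.51.100.7
2022-05-20T08:12:00Z,jdoe,vpn_login,198.51.100.7
2022-05-20T09:00:00Z,asmith,mfa_push_sent,203.0.113.5
2022-05-20T09:00:20Z,asmith,mfa_push_approved,203.0.113.5
2022-05-20T09:01:00Z,asmith,vpn_login,203.0.113.5
"""


def parse_log(text):
    """Parse CSV lines into event dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, src = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who received at least `threshold` pushes inside `window`,
    and record whether a push was eventually approved (the fatigue success)."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        sent = [e for e in evs if e["event"] == "mfa_push_sent"]
        for i, first in enumerate(sent):
            burst = [e for e in sent[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            deadline = burst[-1]["ts"] + window
            approved = any(e["event"] == "mfa_push_approved"
                           and first["ts"] <= e["ts"] <= deadline for e in evs)
            alerts.append({"user": user, "pushes": len(burst),
                           "start": first["ts"], "approved": approved})
            break  # report only the first qualifying burst per user
    return alerts


def detect_enrollment_then_vpn(events, window=timedelta(hours=1)):
    """Flag an MFA device enrollment followed by a VPN login within `window`,
    noting whether the login came from a source IP never seen for that user."""
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "mfa_device_enrolled":
            continue
        # Source IPs this user logged in from before the enrollment.
        known = {p["src"] for p in events[:i]
                 if p["user"] == e["user"] and p["event"] == "vpn_login"}
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["user"] == e["user"] and later["event"] == "vpn_login":
                alerts.append({"user": e["user"], "enrolled": e["ts"],
                               "vpn_login": later["ts"], "src": later["src"],
                               "new_source": later["src"] not in known})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_push_fatigue(evs) + detect_enrollment_then_vpn(evs):
        print(alert)
```

Run against the constructed log, the first detector fires once for jdoe (six pushes in under eight minutes, followed by an approval) and stays quiet for asmith's single approved push; the second flags jdoe's enrollment followed two minutes later by a VPN login from 198.51.100.7, an address that user had never logged in from. In a real deployment the same two signals, a denied-then-approved push burst and a first-seen device plus first-seen source, are what an identity provider or SIEM rule should correlate and escalate rather than treat as a successful login.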
The Cisco attack is a prime example of the fact that social engineering remains the tactic of choice for cybercriminals. It demonstrates how persistent attackers can be in wearing an employee down until they make an error, and how deeply an attack can reach into an organization once a single employee has been tricked into approving access. It is also a reminder that cybercriminals will continue to exploit the trust companies place in partner organizations, here by posing as support organizations the employee already trusted, which is a key element of supply chain risk.
We’ve got a hack for that: It would be difficult to find a cyberattack that proves the value of cybersecurity awareness training better than the one that hit Cisco. A core theme of NINJIO’s episodes is the concept of proactive cybersecurity awareness, which refers to the establishment of a cyber-aware culture through consistent education. A cyber-aware employee would have refused the unexpected push notifications and reported the stream of prompts and calls to the IT team right away, which is a reminder that companies have to provide effective and engaging training as well as clear channels employees can use to report suspicious activity.
The Cisco attack should also sound the alarm for companies about the threat of supply chain attacks – hackers will continue to break into companies by impersonating or infiltrating third parties. Finally, many of our episodes focus on the threat posed by ransomware attacks – such as “See Something, Do Something” (season 6, episode 7), which is freely available for the rest of October for Cybersecurity Awareness Month.