One Article Review

Source CISCO Talos
Identifier 6235384
Publication date 2022-08-10 15:44:23 (viewed: 2022-08-10 20:06:00)
Title Cisco Talos shares insights related to recent cyber attack on Cisco
Text

Executive summary

On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. During the investigation, it was determined that a Cisco employee's credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim's browser were being synchronized. The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. CSIRT and Talos are responding to the event and we have not identified any evidence suggesting that the attacker gained access to critical internal systems, such as those related to product development, code signing, etc.

After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment. The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful. We assess with moderate to high confidence that this attack was conducted by an adversary that has been previously identified as an initial access broker (IAB) with ties to the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. For further information see the Cisco Response page here.

Initial vector

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee's personal Google account. The user had enabled password syncing via Google Chrome and had stored their Cisco credentials in their browser, enabling that information to synchronize to their Google account. After obtaining the user's credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue, the process of sending a high volume of push requests to the target's mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. Vishing is an increasingly common social engineering technique whereby attackers try to trick employees into divulging sensitive information over the phone. In this instance, an employee reported that they received multiple calls over several days in which the callers, who spoke in English with various international accents and dialects, purported to be associated with support organizations trusted by the user.

Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to log in to multiple systems, which alerted our Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident. The actor in question dropped a variety of tools, including remote access tools like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket, and added their own backdoor accounts and persistence mechanisms.
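The MFA fatigue pattern described above (a burst of unaccepted push requests ending in an approval, followed by the attacker enrolling new MFA devices) is detectable from identity-provider logs. The following detection logic is an added example, not Cisco or Talos code; the log format, field names, event names (`push_sent`, `device_enrolled`) and thresholds are assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta
# Constructed sample MFA event log (not Cisco telemetry): timestamp user event result
SAMPLE_LOG = """\
2022-05-24T09:00:05Z user1 push_sent timeout
2022-05-24T09:01:10Z user1 push_sent denied
2022-05-24T09:02:02Z user1 push_sent timeout
2022-05-24T09:02:40Z user1 push_sent denied
2022-05-24T09:03:15Z user1 push_sent timeout
2022-05-24T09:04:01Z user1 push_sent approved
2022-05-24T09:06:30Z user1 device_enrolled success
2022-05-24T09:10:00Z user2 push_sent approved
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "result": result})
    return events

def detect_mfa_fatigue(events, min_unaccepted=3, window=timedelta(minutes=10),
                       enroll_window=timedelta(minutes=30)):
    """Flag an approved push preceded by a burst of unaccepted pushes for the same user;
    a new MFA device enrolled soon after the approval raises the severity to high."""
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda x: x["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        pushes = [ev for ev in evs if ev["event"] == "push_sent"]
        for i, p in enumerate(pushes):
            if p["result"] != "approved":
                continue
            # Unaccepted pushes (denied or timed out) in the window before the approval
            burst = [q for q in pushes[:i]
                     if q["result"] != "approved" and p["ts"] - q["ts"] <= window]
            if len(burst) < min_unaccepted:
                continue
            # Attacker enrolling their own authenticator right after getting in
            enrolled = any(ev["event"] == "device_enrolled" and ev["result"] == "success"
                           and timedelta(0) <= ev["ts"] - p["ts"] <= enroll_window
                           for ev in evs)
            alerts.append({"user": user, "unaccepted_pushes": len(burst),
                           "approved_at": p["ts"].isoformat(),
                           "new_device_enrolled": enrolled,
                           "severity": "high" if enrolled else "medium"})
    return alerts
```

On the sample log this yields one high-severity alert for `user1` (five unaccepted pushes, then an approval and a new device within minutes) and nothing for `user2`, whose single approval had no preceding burst.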
Sent Yes
Tags Threat Ransomware Malware Guideline
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.