The Cisco Attack: Understanding the TTPs 

We covered the tactics, techniques, and procedures (TTPs) only briefly last week, and improving your security posture takes more than a summary. A close look at the attack launched against Cisco by a threat actor group that has not yet been publicly named shows how groups that combine conventional and novel intrusion techniques with ransomware-gang tradecraft are becoming a growing problem for large organizations.

Using the attack as a learning experience, we can find out more about: 

  • Vishing 
  • Mimikatz and other open-source offensive software 
  • Simple PowerShell and command-line tradecraft that could have caused maximum damage

With those in mind, consider your own security posture and the points at which this adversary's attack path would have found an opening in your environment. Now, on with the attack!

Understanding the Cisco Attack 

The attack breaks broadly into two parts: the initial compromise, and the techniques used once the stolen credentials were in hand. Thanks to quick work by the Cisco security team, the intrusion was contained before it could do real damage. Other organizations will not be as lucky if they are not on full alert after this attack.

Initial Compromise 

The growth in the number of initial access brokers (IABs) over the last few years has surprised most people in the cybersecurity space. In this case an IAB obtained the credentials through a compromised personal Google account: the employee had saved their Cisco login credentials to that account, so once it fell, the password was in the attacker's hands without any of Cisco's own controls being touched. The password alone was not enough, though, because MFA still stood in the way.

As in so many intrusions, the Cisco compromise then turned to a phishing variant, in this case voice phishing, or vishing: the attackers phoned the employee posing as trusted support organizations to talk them into accepting an authentication prompt. Alongside the calls, with the password in hand, the threat actors ran a campaign of multi-factor authentication (MFA) fatigue.

MFA fatigue is death by a thousand cuts for push-based MFA. Having obtained the password, the attacker scripts the login and fires a flood of MFA push requests at the victim's phone, betting that the victim will eventually tap Approve just to make the noise stop. People who consider themselves security-savvy may assume they are above such a trick, but experience shows that even paranoid blue teamers have accepted one of these prompts when their device would not stop buzzing.
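To make the pattern concrete, here is a small detection that runs over authentication events and looks for the signature of a fatigue attack: a burst of denied or unanswered pushes followed by an approval. This is an added example written for this article, not code from Cisco or from any identity provider. The log format (timestamp,user,source_ip,result), the sample lines, the ten-minute window and the five-push threshold are all assumptions constructed for illustration; tune the window and threshold to your own push volume.

```python
"""Flag MFA push fatigue in authentication events (added example, constructed data).

Assumed log format, one event per line: timestamp,user,source_ip,result
where result is push_denied, push_timeout or push_approved.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user ip result")

# Constructed sample: jdoe legitimately denies one prompt on the 23rd, then at
# 02:14 the next morning gets eight pushes in seven minutes and finally approves
# one; asmith is an ordinary login. This is not real Cisco telemetry.
SAMPLE_LOG = """\
2022-05-23T18:02:11Z,jdoe,198.51.100.20,push_denied
2022-05-24T02:14:03Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:15:10Z,jdoe,203.0.113.9,push_denied
2022-05-24T02:16:02Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:17:21Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:18:05Z,jdoe,203.0.113.9,push_denied
2022-05-24T02:19:14Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:20:33Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:21:40Z,jdoe,203.0.113.9,push_timeout
2022-05-24T02:22:40Z,jdoe,203.0.113.9,push_approved
2022-05-24T08:30:00Z,asmith,198.51.100.44,push_approved
"""

FAILED = {"push_denied", "push_timeout"}


def parse(log_text):
    """Parse the constructed log format into Events, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, ip, result = line.strip().split(",")
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ip, result))
    return sorted(events)  # namedtuple compares on ts first


def detect_push_fatigue(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {user: finding} for users with >= threshold failed pushes inside `window`.

    The finding also records whether an approval followed the burst within the same
    window: that is the signature of a successful bypass, not merely a noisy attempt.
    """
    by_user = defaultdict(list)
    for ev in parse(log_text):
        by_user[ev.user].append(ev)

    findings = {}
    for user, evs in by_user.items():
        failed = [e for e in evs if e.result in FAILED]
        for i in range(len(failed)):
            # grow the window forward from failed[i] as far as it reaches
            j = i
            while j + 1 < len(failed) and failed[j + 1].ts - failed[i].ts <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                continue
            burst = failed[i : j + 1]
            burst_end = burst[-1].ts
            approved = [e for e in evs
                        if e.result == "push_approved" and burst_end <= e.ts <= burst_end + window]
            findings[user] = {
                "failed_pushes": count,
                "burst_start": burst[0].ts.isoformat(),
                "burst_end": burst_end.isoformat(),
                "source_ips": sorted({e.ip for e in burst}),
                "approved_after_burst": bool(approved),
            }
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

The single denial on the 23rd never reaches the threshold on its own, which is the point of the sliding window: one rejected prompt is normal life, eight in seven minutes from one source address followed by an approval is an account you should treat as compromised until proven otherwise.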

Lessons to learn: 

  • Keeping personal and work credentials separate is a necessity! 
  • Moving away from push and SMS approval to number matching or, better, phishing-resistant options such as FIDO2/WebAuthn security keys sidesteps this technique and many other modern phishing tricks. 
  • Understanding how to approach threat intelligence – especially with leaked credential combinations – is key to preempting attacks. 

Post-compromise TTPs 

Before we dive into the literal commands used by the threat actors, take a look at the adversarial toolkit: 

  • Cobalt Strike 
  • Impacket 
  • LogMeIn 
  • net.exe 
  • ntdsutil.exe 
  • PowerSploit 
  • TeamViewer 
  • wevtutil.exe 

Notice anything unusual here? Nothing is bespoke. Aside from the commercial remote-access tools (LogMeIn and TeamViewer) installed for persistence and the Cobalt Strike framework, this team relied on freely available open-source tooling such as Impacket and PowerSploit, and on utilities that ship with every Windows installation (net.exe, ntdsutil.exe, wevtutil.exe). If you remember back to earlier in the year, Lapsus$, the group behind the Okta compromise, ran the same kind of low-cost, off-the-shelf playbook. 

Here is a step-by-step run through of their attempted assault on Cisco’s internal systems: 

  1. Once logged in, the threat actors used built-in Windows utilities to enumerate the user and group membership configuration. Amusingly, the Cisco team noted that this was almost certainly done by hand, because the attackers kept making typographical errors in their commands, which gave the defenders a little more time. 
  2. With VPN access established, the compromised user account became the jumping-off point for lateral movement. Cisco reported that most of this movement was into the Citrix environment; after compromising Citrix servers, the attackers obtained privileged access to a number of domain controllers. 
  3. With the domain controllers under their control, the threat actors ran ntdsutil.exe with the following command: 

powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q 

  4. That command activates the NTDS instance and writes an Install From Media snapshot: a copy of the NTDS.dit database (every domain account's password hash) together with the SYSTEM and SECURITY registry hives needed to decrypt it, dropped into the world-readable c:\users\public. The next logical step is exfiltration, and the attackers copied the dump from the domain controller to an attacker-controlled host over SMB (TCP/445) across the VPN connection. 
  5. Lateral movement continued from this point in attempts to reach further systems. A new administrative user was created on the system using net.exe, followed by attempts to save the registry hives that hold local credentials with the following commands: 

reg save hklm\system system 

reg save hklm\sam sam 

reg save hklm\security sec 

  6. The attackers also tried to dump LSASS process memory, both with Mimikatz and, as shown here, with the MiniDump export of the built-in comsvcs.dll called through rundll32.exe, a living-off-the-land technique that avoids dropping a credential-dumping binary at all: 

Rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump [LSASS_PID] C:\windows\temp\lsass.dmp full 

And finally, before being stopped, the adversarial team attempted to cover their tracks with wevtutil.exe, first enumerating the event log names with el and then clearing each one with cl: 

wevtutil.exe el 

wevtutil.exe cl [LOGNAME] 
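Each of the commands above leaves a process-creation record (Sysmon Event ID 1 or Security Event ID 4688) that can be matched once command lines are collected centrally. The following detection is an added example written for this article, not Cisco's tooling: the event dictionaries, the host names DC01, WS17 and WS42, the account svc_backup and the PID 712 are all constructed for illustration, and the rules deliberately match the command shapes from the write-up rather than exact strings so that quoting, casing and spacing changes do not slip past them.

```python
"""Match the living-off-the-land commands from the Cisco intrusion in process-creation
telemetry (added example, constructed data).

Assumed input: one dict per process start with host, user, image and cmdline, the
fields Sysmon Event ID 1 or Security Event ID 4688 give you once collected centrally.
"""
import re
from collections import defaultdict

# Each rule names the technique it catches. Patterns run on a normalized command
# line (quotes stripped, whitespace collapsed) and are case-insensitive.
RULES = [
    ("ntdsutil IFM dump of NTDS.dit",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate full\b", re.I)),
    ("registry hive save (SAM/SYSTEM/SECURITY)",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("LSASS MiniDump via comsvcs.dll",  # ordinal #24 is the same export as MiniDump
     re.compile(r"\brundll32(\.exe)?\b.*comsvcs\.dll\s*,\s*(#24|MiniDump)\b", re.I)),
    ("event log clearing with wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("local user creation or admin group add with net.exe",
     re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)\b", re.I)),
]


def normalize(cmdline):
    """Strip the quotes attackers wrap arguments in and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip()


def detect(events):
    """Return one hit per (event, rule) match: host, user, technique and raw cmdline."""
    hits = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for technique, pattern in RULES:
            if pattern.search(cmd):
                hits.append({"host": ev["host"], "user": ev["user"],
                             "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def hosts_with_chain(hits, min_techniques=2):
    """Hosts where several distinct techniques fired: a far stronger signal than any one hit."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add(h["technique"])
    return sorted(host for host, techs in seen.items() if len(techs) >= min_techniques)


# Constructed sample events: DC01 carries the sequence from the article plus benign
# noise; WS17 is benign; WS42 has a lone log clear. PID 712 and svc_backup are made up.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": r"powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\users\public' q q"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "reg.exe", "cmdline": r"reg save hklm\system system"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "reg.exe", "cmdline": r"reg save hklm\sam sam"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "reg.exe", "cmdline": r"reg save hklm\security sec"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 712 C:\windows\temp\lsass.dmp full"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "net.exe", "cmdline": "net user svc_backup Winter2022! /add"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "net.exe", "cmdline": "net localgroup administrators svc_backup /add"},
    {"host": "DC01", "user": "CORP\\jdoe", "image": "wevtutil.exe", "cmdline": "wevtutil.exe cl Security"},
    {"host": "DC01", "user": "SYSTEM", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "WS17", "user": "CORP\\asmith", "image": "reg.exe",
     "cmdline": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"host": "WS17", "user": "CORP\\asmith", "image": "wevtutil.exe", "cmdline": "wevtutil.exe el"},
    {"host": "WS42", "user": "CORP\\helpdesk", "image": "wevtutil.exe", "cmdline": "wevtutil cl Application"},
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["host"]:5} {h["technique"]:55} {h["cmdline"]}')
    print("chained credential access on:", hosts_with_chain(found))
```

Any single rule will fire occasionally on legitimate administration (a helpdesk clearing a log, a backup job saving a hive), which is why hosts_with_chain is the alert worth paging on: a domain controller that produces an IFM export, hive saves, an LSASS dump, a new local admin and a log clear in one session is the Cisco sequence, not routine maintenance.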

From this point onwards the threat actors made numerous further attempts at lateral movement. Cisco's security teams intervened and blocked the exfiltration of a number of sensitive files; the attackers were held off largely by a combination of their own mistakes and an effective response on the defensive side. 

Lessons to learn: 

  • Understanding the strengths and weaknesses of your systems should extend to the simple tools that are already on every host or freely available online! 
  • Sensitive information is easily exfiltrated through intelligent use of built-in Windows tools. Planning for this kind of attack is difficult, but it is necessary in order to protect your systems. 
