The Cisco Attack: What does it tell us about the threat landscape right now?

In May this year, Cisco – with the Cisco Security Incident Response Team (CSIRT) and Cisco Talos working together to contain the incident – was compromised by an unknown threat actor who leveraged a couple of familiar processes. Anyone who has been following _secpro for the past few months will recognize these techniques from a mile off, implying that some old enemies may now be working together. 

Understanding the Cisco attack won’t necessarily give you simple answers to the problems posed by these threat actors. Instead, it will give you a better understanding of the types of tactics, techniques, and procedures (TTPs) that the adversary is using, such as MFA fatigue. 

Multi-factor Authentication Fatigue – What is that? 

“You need to be lucky every time. We only need to be lucky once”. 

Just like the Irish Republican Army said to Margaret Thatcher in 1984, the adversary has taken up a technique resembling attrition and relying on luck.  

MFA fatigue is the technique whereby the adversary attempts to catch the victim off guard so that they accidentally accept an MFA request after a rush of many requests over a short period of time. When a multitude of requests are sent to the victim’s device, the adversary is banking on one of the requests being accepted by accident or out of frustration. 
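As an added illustration (not from the original article and not Cisco or Talos tooling), here is a small detector that runs over constructed MFA push log lines and flags the two signals a defender wants for fatigue attacks: a burst of pushes to one user inside a short window, and an approval that follows repeated denials. The log format, user names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (timestamp, user, event); not real data.
SAMPLE_LOG = """\
2022-05-10T14:00:01Z alice push_sent
2022-05-10T14:00:05Z alice push_denied
2022-05-10T14:00:40Z alice push_sent
2022-05-10T14:00:44Z alice push_denied
2022-05-10T14:01:10Z alice push_sent
2022-05-10T14:01:30Z alice push_sent
2022-05-10T14:01:35Z alice push_denied
2022-05-10T14:02:00Z alice push_sent
2022-05-10T14:02:20Z alice push_approved
2022-05-10T14:00:00Z bob push_sent
2022-05-10T14:00:07Z bob push_approved
2022-05-10T15:30:00Z bob push_sent
2022-05-10T15:30:09Z bob push_approved
"""

WINDOW = timedelta(minutes=10)  # sliding window for counting pushes (assumed)
PUSH_THRESHOLD = 4              # pushes inside WINDOW that count as a burst (assumed)
DENIAL_THRESHOLD = 2            # denials before an approval is suspicious (assumed)

def parse(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_mfa_fatigue(log_text):
    """Return alerts as (user, timestamp, reason) tuples."""
    alerts = []
    sent = defaultdict(deque)  # user -> push timestamps still inside WINDOW
    denied = defaultdict(int)  # user -> denials since the last approval
    # ISO-8601 timestamps sort correctly as strings, so order by them.
    for line in sorted(log_text.strip().splitlines(), key=lambda l: l.split()[0]):
        ts, user, event = parse(line)
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop pushes older than the window
                q.popleft()
            if len(q) == PUSH_THRESHOLD:      # fire once when the burst begins
                alerts.append((user, ts, f"{PUSH_THRESHOLD} pushes within {WINDOW}"))
        elif event == "push_denied":
            denied[user] += 1
        elif event == "push_approved":
            # The fatigue 'success' signal: the user finally accepts after refusing.
            if denied[user] >= DENIAL_THRESHOLD:
                alerts.append((user, ts, f"approval after {denied[user]} denials"))
            denied[user] = 0
    return alerts
```

Both rules fire only for alice in the sample; bob's two ordinary approvals stay quiet, which is the false-positive check you would want before wiring this into alerting.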

Conti – back from the dead? 

After a series of successful takedown operations over the last few years, the team behind Conti seemed to be falling apart. But it seems that the individuals involved have transferred their techniques over to another team or allowed their approach to be co-opted by another team. Looking at the techniques on display, it seems that Cisco has been attacked by a team consisting of an initial access broker (IAB), the team behind LAPSUS$, and the team behind Conti too. 

As you can imagine, the combined skill level of these threat actors has caused serious concern for many in the industry – not least Cisco themselves!  

How was Cisco compromised? 

As previously covered, MFA fatigue played an important role in compromising the Cisco system, but it wasn’t an easy task. It required teamwork from at least two separate teams. Here’s a quick rundown of how the attack unfolded: 

  1. The IAB named UNC2447 gained access to a Cisco employee’s credentials for their personal Google account. Although the specific techniques used to compromise the account have not been shared with the public, it has been revealed that the employee had stored organizational credentials in their personal account. 
  2. After gaining the raw credentials, the attacker launched a series of voice phishing (vishing) attacks against the employee. The combination of sophisticated phone-based trickery and MFA fatigue allowed the attacker to get around the MFA barrier. 
  3. Once the MFA was bypassed, the attacker had access to the Cisco employee’s VPN. 
  4. At this stage, the initial access was detected by CSIRT and Talos. The threat actors cycled through a plan to maintain access on the system, hide artifacts, and attempt to elevate their privileges.  

Thinking back a few months, these techniques were very similar to the surprisingly amateur but ultimately successful tactics of the LAPSUS$ hacking group. With that in mind, it seems that these attackers weren’t stopped when the authorities cracked down on them earlier in the year. Instead, they’ve just integrated better with other threat actor groups around the world.  

As always, to give you a full breakdown of how this attack happened, we will be analyzing the TTPs in detail next week. Remember to check back so that you don’t miss out on our tips for avoiding the same problem! 
