Yanluowang Gang ransomware hacked into the Cisco corporate network

The Yanluowang ransomware gang hacked Cisco's corporate network in late May and stole corporate information, the company said in a statement.

According to an investigation by Cisco Security Incident Response (CSIRT) and Cisco Talos, a hacker compromised the credentials of a Cisco employee after detecting a personal Google account in which credentials saved in the victim's browser were synchronized.

Cisco claims that an attacker targeted one of its employees and only managed to steal files from a Box folder linked to that employee's account and the employee's authentication information from Active Directory. According to the company, the data stored in the Box folder was not sensitive.

The hackers hijacked a Cisco employee's personal Google account, which contained browser-synced credentials, and used those credentials to log into the Cisco network.

After a series of sophisticated voice phishing attacks carried out by the Yanluowang gang, the hacker convinced the Cisco employee to accept multi-factor authentication (MFA) push alerts.

The Yanluowang ransomware organization claimed responsibility for the attack and claimed to have stolen approximately 3.000 files totaling 2,8 Gb in size. According to the file names disclosed by the hackers, they may have stolen NDA, source code, VPN client and other data.

The attack did not use a ransomware that encrypts files. After being removed from Cisco's systems, the hackers sent an email to Cisco executives, but it contained no explicit threats or ransom demands.

Ercole Palmeri: Innovation addicted