Cisco confirms data breach, hacked files leaked

Cisco has confirmed a breach of its network, where the attacker used voice phishing to convince an employee to accept a malicious multifactor authentication (MFA) push. The breach resulted in cyberattackers gaining access to the company’s virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on Aug. 10.

The attacker compromised a Cisco employee’s personal Google account, which gave them access to the worker’s business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco’s corporate VPN, the attacker attempted voice phishing, or vishing, and repeatedly pushed MFA authentication requests to the employee’s phone. Eventually, the worker either inadvertently, or through alert fatigue, accepted the push request, giving the attacker access to Cisco’s network.

Cisco acknowledged the incident in a brief press statement, maintaining that the company discovered the breach on May 24 but “did not identify any impact to our business as a result of the incident.”

“[W]e took immediate action to contain and eradicate the bad actors, remediate the impact of the incident, and further harden our IT environment,” a company spokesman said in the statement sent to Dark Reading. “No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco’s network since discovering the incident.”

Breaches of technology companies have become commonplace, often as part of supply chain attacks. In one of the original supply chain attacks, in 2011, two state-sponsored groups linked to China compromised security vendor RSA to steal critical data underpinning the security of the company’s SecurID tokens. In the most significant modern attack, the Russia-linked Nobelium group — which is Microsoft’s designation — compromised SolarWinds and used a compromised update to compromise the company’s clients.

The attack on Cisco likely had multiple goals, Ilia Kolochenko, founder of cybersecurity startup ImmuniWeb, said in a statement sent to Dark Reading.

“Vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks,” he said, adding that “vendors frequently have invaluable cyber threat intelligence: bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids.”

To read the complete article, visit Dark Reading.