Cisco has confirmed that the initial access to its network in an attempted May 2022 ransomware attack came through a compromised employee's personal Google account. The account contained credentials that had been synced from the employee's browser.
The attack involved multiple voice phishing calls in which the attacker impersonated trusted support organizations, combined with the MFA fatigue tactic, where many push notifications are sent in the hope that the victim will eventually accept one just to stop further notifications from arriving. When one of those push notifications was accepted, the attacker was able to access the VPN in the context of that user and thus gain access to the corporate network. The threat actor then moved laterally to Citrix servers and domain controllers and installed several payloads, including a backdoor.
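The MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of push prompts that are denied or time out, followed by one approval. As an added example (not code from Cisco's report), the Python below flags that pattern over a constructed JSON-lines push log; the log format, field names and thresholds are assumptions, not any vendor's real schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (hypothetical JSON-lines format, not
# Cisco's or any vendor's real log schema). "result" is approved/denied/timeout.
SAMPLE_LOG = """\
{"ts": "2022-05-24T03:10:02Z", "user": "jdoe", "result": "timeout"}
{"ts": "2022-05-24T03:11:15Z", "user": "jdoe", "result": "denied"}
{"ts": "2022-05-24T03:12:40Z", "user": "asmith", "result": "denied"}
{"ts": "2022-05-24T03:12:58Z", "user": "jdoe", "result": "timeout"}
{"ts": "2022-05-24T03:14:05Z", "user": "jdoe", "result": "denied"}
{"ts": "2022-05-24T03:15:30Z", "user": "jdoe", "result": "timeout"}
{"ts": "2022-05-24T03:16:47Z", "user": "asmith", "result": "approved"}
{"ts": "2022-05-24T03:17:21Z", "user": "jdoe", "result": "denied"}
{"ts": "2022-05-24T03:18:09Z", "user": "jdoe", "result": "approved"}
"""

def parse_events(text):
    """Parse JSON-lines push events into (datetime, user, result), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, rec["user"], rec["result"]))
    return sorted(events)

def detect_mfa_fatigue(text, window=timedelta(minutes=15), min_unanswered=5):
    """Flag approvals preceded by a burst of unapproved pushes for the same user.

    A normal login yields one push that is approved at once; a replayed stolen
    password yields many pushes that are denied or time out before one is finally
    approved. Returns (user, approval_time, unanswered_count) per flagged approval.
    """
    per_user = defaultdict(list)
    for ts, user, result in parse_events(text):
        per_user[user].append((ts, result))
    alerts = []
    for user, seq in per_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "approved":
                continue
            # pushes in the look-back window that the user did not approve
            unanswered = sum(1 for prev_ts, prev_result in seq[:i]
                             if prev_result != "approved" and ts - prev_ts <= window)
            if unanswered >= min_unanswered:
                alerts.append((user, ts, unanswered))
    return alerts
```

Tune `window` and `min_unanswered` to the normal rate of mistyped or ignored prompts in your environment; a flagged approval is a trigger to verify the session and the source of the preceding pushes, not proof of compromise on its own.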
Cisco said the attack was conducted by the Yanluowang ransomware operation, which is named after the Chinese deity Yanluo Wang. The operation has been active since at least October 2021 and has attacked several large companies. In this case, Cisco said the gang had not encrypted any files on its network, and the investigation into the breach found no evidence of any ransomware payloads being downloaded.
Cisco said that the tactics, techniques, and procedures used by the gang were consistent with those seen in the pre-ransomware deployment phase of Yanluowang attacks, so without the rapid detection of the intrusion, ransomware would likely have been deployed. The Yanluowang gang has claimed credit for the attack; however, Cisco said the methods used suggest it was conducted by an initial access broker with links to the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operation.
On Wednesday this week, the Yanluowang ransomware gang announced on its data leak site that it was behind the attack and had exfiltrated 2.8GB of data; a sample was published on the site with a promise to release further files if the ransom is not paid. Cisco reports that it found no evidence that sensitive data was exfiltrated. It has confirmed that a Box folder linked to the employee's Google account may have been accessed, but says the folder contained no sensitive data.
The Cisco Talos team has published an in-depth report of the attack, including the incident response that helped slow its progression. Cisco also reports that after the attack was detected and neutralized, the threat actor made several further attempts to regain access to the network over the following weeks. Details of the attack and the response have been shared to help network defenders detect similar attacks on their own networks.