August 11, 2022

Cisco has confirmed a ransomware attack on its corporate network that happened in late May.

Behind the attack was the Yanluowang Ransomware gang. According to Cisco, the attackers were able to steal non-sensitive data from a box folder linked to the account of a compromised employee.

MFA fatigue was critical to helping the attacker break through Cisco’s network. MFA fatigue is also known as MFA prompt spamming. After gaining access to compromised login credentials, a hacker tricks a user by repeatedly sending push notifications to authorize the login.

Through MFA fatigue and a series of sophisticated voice phishing attacks that faked trusted support organizations, the attacker convinced the CISCO employee to accept multi-factor authentication (MFA) push notifications.

The employee was eventually tricked into accepting one of the MFA notifications. The attackers then gained access to the VPN in the context of the target user.

After gaining access to the corporate network, the Yanluowang operators spread laterally to Citrix servers and domain controllers.

The attackers used enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information after accessing domain administrators, and then installed a number of payloads on compromised systems, including a backdoor.

Their activities were discovered by Cisco and eventually driven out of the environment.

The sources for this piece include an article in BleepingComputer.