{"id":26761,"date":"2022-08-11T08:34:04","date_gmt":"2022-08-11T12:34:04","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=26761"},"modified":"2022-08-12T10:41:59","modified_gmt":"2022-08-12T14:41:59","slug":"mfa-fatigue-help-attackers-breach-cisco-corporate-network","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/mfa-fatigue-help-attackers-breach-cisco-corporate-network\/","title":{"rendered":"&#8220;MFA Fatigue&#8221; Helps Attackers Breach Cisco Corporate Network"},"content":{"rendered":"<p id=\"arIndex_1\" data-ar-index=\"1\">Cisco has confirmed a ransomware attack on its corporate network that happened in late May.<\/p>\n<p data-ar-index=\"1\">Behind the attack was the Yanluowang ransomware gang. According to Cisco, the attackers were able to steal non-sensitive data from a Box folder linked to the account of a compromised employee.<\/p>\n<p id=\"arIndex_2\" data-ar-index=\"2\">MFA fatigue was critical to helping the attacker break through Cisco&#8217;s network. MFA fatigue is also known as MFA prompt spamming. After gaining access to compromised login credentials, a hacker tricks a user by repeatedly sending push notifications asking the user to authorize the login.<\/p>\n<p id=\"arIndex_3\" data-ar-index=\"3\">Through MFA fatigue and a series of sophisticated voice phishing attacks that impersonated trusted support organizations, the attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications.<\/p>\n<p id=\"arIndex_4\" data-ar-index=\"4\">The employee was eventually tricked into accepting one of the MFA notifications. 
The attackers then gained access to the VPN in the context of the target user.<\/p>\n<p id=\"arIndex_5\" data-ar-index=\"5\">After gaining access to the corporate network, the Yanluowang operators spread laterally to Citrix servers and domain controllers.<\/p>\n<p id=\"arIndex_6\" data-ar-index=\"6\">The attackers used enumeration tools such as ntdsutil, adfind, and secretsdump to collect more information after gaining access to domain administrator accounts, and then installed a number of payloads on compromised systems, including a backdoor.<\/p>\n<p id=\"arIndex_7\" data-ar-index=\"7\">Cisco discovered their activities and eventually drove the attackers out of the environment.<\/p>\n<p id=\"arIndex_8\" data-ar-index=\"8\">The sources for this piece include an article in <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen\/\" target=\"_blank\" rel=\"noopener\">BleepingComputer<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cisco has confirmed a ransomware attack on its corporate network that happened in late May. Behind the attack was the Yanluowang ransomware gang. According to Cisco, the attackers were able to steal non-sensitive data from a Box folder linked to the account of a compromised employee. 
MFA fatigue was critical to helping the attacker break [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[34,57,17,16],"tags":[416,388,393],"class_list":["post-26761","post","type-post","status-publish","format-standard","hentry","category-artificial-intelligence","category-companies","category-data-analytics","category-security","tag-cisco-systems","tag-privacy-security","tag-security-strategies"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26761","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=26761"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26761\/revisions"}],"predecessor-version":[{"id":26766,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26761\/revisions\/26766"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=26761"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=26761"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=26761"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}