Cisco has reportedly suffered a significant data breach, with sensitive credentials from its internal network and Windows Active Directory environment leaked online. The attack is allegedly linked to the Kraken ransomware group, which published a dataset containing usernames, security identifiers (SIDs), and NTLM password hashes on its dark web blog.
The attackers left a threatening message with the leaked data, hinting they may have maintained long-term access to Cisco’s network, raising serious security concerns.
The Breach and Leaked Data
According to a Cyber Press Research report, the dataset leaked by the attackers includes highly sensitive information:
- Usernames and Domains – Identifying user accounts and their associated domains
- Relative Identifiers (RIDs) – Unique identifiers for user accounts
- NTLM Hashes – Hashed versions of passwords that can be cracked through brute-force or dictionary attacks
The leaked credentials appear to have been extracted from Cisco’s Windows Active Directory environment using widely known credential-dumping tools such as Mimikatz, pwdump, or hashdump. These tools are commonly used by cybercriminals and advanced persistent threat (APT) groups to extract credentials from Local Security Authority Subsystem Service (LSASS) memory or other system components.
Compromised Accounts Include:
- Privileged administrator accounts (e.g., Administrator:500)
- Regular user accounts
- Service and machine accounts tied to domain controllers (e.g., ADC-SYD-P-1$, ADC-RTP-P-2$)
- krbtgt account (used for Kerberos ticket management)
The exposure of NTLM password hashes is particularly alarming. These hashes can be leveraged in attacks like Pass-the-Hash, Kerberoasting, and privilege escalation, potentially giving attackers control over critical systems.
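The dump layout described above (username, RID, NTLM hash) is the common pwdump/hashdump format, and the first thing a defender needs from such a leak is an ordered reset list. The following is an added example, not code from the article, from Cisco, or from the Cyber Press report; it parses that format, classifies each account by the blast radius of its compromise (krbtgt, RID 500, domain controller machine accounts first), and flags two weaknesses visible in the hashes themselves: an NT hash of the empty password and a stored LM hash. The `dc_hosts` parameter, the `SAMPLE_DUMP` lines and every hash value in them are constructed placeholders.

```python
"""Triage a pwdump/hashdump-style credential leak for forced password resets.

Added example (not code from the article, Cisco, or the Cyber Press report).
It parses the common  [DOMAIN\\]user:RID:LM_hash:NT_hash:::  layout, classifies
each account by the blast radius of its compromise, and returns an ordered
reset list. Every line in SAMPLE_DUMP is a constructed placeholder.
"""
import re
from collections import Counter

# Well-known hash values of the empty string; their presence is itself a finding.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def parse_dump(text):
    """Return (records, errors); malformed lines are reported, never guessed at."""
    records, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not in pwdump format")
            continue
        rec = m.groupdict()
        rec["rid"] = int(rec["rid"])
        records.append(rec)
    return records, errors


def classify(rec, dc_hosts=frozenset()):
    """Map an account to (severity, reason). dc_hosts: hostnames of domain controllers."""
    user, rid = rec["user"], rec["rid"]
    if user.lower() == "krbtgt":
        # Signs every Kerberos ticket (Golden Ticket risk). Reset it twice, with a
        # replication wait in between, so previously issued tickets stop validating.
        return "critical", "Kerberos TGT signing account (reset twice)"
    if rid == 500:
        return "critical", "built-in Administrator (RID 500)"
    if user.endswith("$"):
        if user[:-1].upper() in {h.upper() for h in dc_hosts}:
            return "critical", "domain controller machine account"
        return "high", "machine account"
    if rid < 1000:
        return "high", "built-in or well-known RID"
    return "medium", "standard user account"


def triage(text, dc_hosts=frozenset()):
    """Parse a dump and produce a reset list ordered by severity, plus a summary."""
    records, errors = parse_dump(text)
    actions = []
    for rec in records:
        severity, reason = classify(rec, dc_hosts)
        flags = []
        if rec["nt"].lower() == EMPTY_NT_HASH:
            flags.append("empty password")
        if rec["lm"].lower() != EMPTY_LM_HASH:
            flags.append("LM hash stored")  # legacy hash, trivially crackable
        actions.append({
            "user": rec["user"], "domain": rec["domain"], "rid": rec["rid"],
            "severity": severity, "reason": reason, "flags": flags,
        })
    actions.sort(key=lambda a: (SEVERITY_ORDER[a["severity"]], a["user"].lower()))
    summary = Counter(a["severity"] for a in actions)
    return {"actions": actions, "errors": errors, "summary": summary}


# Constructed placeholder dump; the hash values are made up, not leaked data.
SAMPLE_DUMP = """\
# example only
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
EXAMPLE\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
DC01$:1001:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
WS-0042$:1203:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
this line is garbage
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, dc_hosts={"DC01"})
    for a in result["actions"]:
        print(f'{a["severity"]:8} {a["user"]:16} rid={a["rid"]:<5} {a["reason"]} {a["flags"]}')
    for e in result["errors"]:
        print("skipped:", e)
```

Machine accounts are classified as domain controllers only when their hostname is in `dc_hosts`, because nothing in the dump itself distinguishes a DC from a workstation; the names in the article (ADC-SYD-P-1, ADC-RTP-P-2) would be supplied through that parameter. Malformed lines are reported rather than silently dropped so the reset list can be reconciled against the raw leak.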
Potential Impact
The breach could have severe consequences for Cisco’s corporate environment. Attackers might use the compromised credentials to:
- Escalate Privileges – Gain higher-level access within Cisco’s network
- Deploy Ransomware – Infect critical systems with malicious payloads
- Lateral Movement – Spread across systems to establish persistent access
- Exfiltrate Sensitive Data – Steal corporate and customer information
- Conduct Advanced Attacks – Use techniques such as Golden Ticket and Silver Ticket attacks to maintain access
The presence of domain controller credentials indicates deep network access, suggesting this breach may be the work of an organized cybercrime group or a nation-state actor.
Mitigation and Prevention
Cybersecurity experts recommend the following steps to mitigate the risks:
- Forced Password Resets – For all affected user and service accounts
- Disable NTLM Authentication – Where feasible, to reduce credential reuse risks
- Implement Multi-Factor Authentication (MFA) – To limit the impact of stolen credentials
- Monitor Access Logs – Detect unauthorized activity and privilege escalation attempts
- Enhance Network Monitoring – Identify further unauthorized access attempts
In addition, organizations should adopt proactive security measures such as endpoint detection and response (EDR), strong password policies, and regular audits of authentication systems to stay ahead of potential threats.
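"Monitor Access Logs" and "Disable NTLM Authentication" become concrete once the leaked account list is in hand: any NTLM network logon by a leaked account is worth an alert, and a burst of RC4-encrypted Kerberos service-ticket requests from one host is the usual sign of the Kerberoasting the article warns about. The following is an added example, not code from the article or from Cisco; it runs both detections over a list of Windows Security event records whose keys mirror the log's XML field names (EventID 4624 and 4769, TargetUserName, LogonType, AuthenticationPackageName, ServiceName, TicketEncryptionType, IpAddress). The `EVENTS` list, the `LEAKED_ACCOUNTS` set and the `rc4_threshold` value are constructed for the example.

```python
"""Flag suspicious use of leaked Active Directory credentials in Security events.

Added example, not code from the article or from Cisco. Two detections run
over event dicts keyed like the Windows Security log XML fields:
  (1) NTLM network logons (4624, LogonType 3) by accounts known to be leaked;
  (2) bursts of service-ticket requests (4769) with RC4-HMAC encryption from
      one source, a common Kerberoasting indicator on domains that use AES.
EVENTS and LEAKED_ACCOUNTS are constructed samples.
"""
from collections import defaultdict

PRIVILEGED = {"administrator", "krbtgt"}
RC4_HMAC = "0x17"   # etype 23; AES128/AES256 are 0x11/0x12


def normalize_ip(addr):
    """4769 records IPv4 sources as ::ffff:a.b.c.d; fold them to plain IPv4."""
    addr = str(addr or "")
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def detect(events, leaked_accounts, rc4_threshold=3):
    """Return alerts: per event for NTLM logons, per source for RC4 TGS bursts."""
    leaked = {u.lower() for u in leaked_accounts}
    alerts = []
    rc4_services_by_source = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        user = str(ev.get("TargetUserName", ""))
        if (eid == 4624 and ev.get("AuthenticationPackageName") == "NTLM"
                and ev.get("LogonType") == 3 and user.lower() in leaked):
            alerts.append({
                "rule": "ntlm-network-logon-leaked-account",
                "severity": "critical" if user.lower() in PRIVILEGED else "high",
                "user": user,
                "source": normalize_ip(ev.get("IpAddress")),
                "time": ev.get("TimeCreated"),
            })
        elif eid == 4769 and str(ev.get("TicketEncryptionType", "")).lower() == RC4_HMAC:
            svc = str(ev.get("ServiceName", ""))
            # Machine accounts and krbtgt can legitimately use RC4; the concern is
            # user accounts carrying an SPN, whose ticket can be cracked offline.
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                rc4_services_by_source[normalize_ip(ev.get("IpAddress"))].add(svc)
    for source, services in sorted(rc4_services_by_source.items()):
        if len(services) >= rc4_threshold:
            alerts.append({
                "rule": "rc4-tgs-burst-possible-kerberoasting",
                "severity": "high",
                "source": source,
                "services": sorted(services),
            })
    return alerts


# Constructed account list and events (field names follow the Security log XML).
LEAKED_ACCOUNTS = {"Administrator", "krbtgt", "jdoe", "svc-backup"}
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-02-10T09:01:00Z", "TargetUserName": "jdoe",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.5.21"},
    {"EventID": 4624, "TimeCreated": "2025-02-10T09:02:10Z", "TargetUserName": "Administrator",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "TimeCreated": "2025-02-10T09:02:30Z", "TargetUserName": "bsmith",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.5.30"},
    {"EventID": 4624, "TimeCreated": "2025-02-10T09:03:00Z", "TargetUserName": "svc-backup",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "::ffff:10.0.9.77"},
    {"EventID": 4769, "TimeCreated": "2025-02-10T09:04:00Z", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.5.21"},
    {"EventID": 4769, "TimeCreated": "2025-02-10T09:05:01Z", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "svc-sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.9.77"},
    {"EventID": 4769, "TimeCreated": "2025-02-10T09:05:02Z", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "svc-web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.9.77"},
    {"EventID": 4769, "TimeCreated": "2025-02-10T09:05:03Z", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "svc-backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.9.77"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS, LEAKED_ACCOUNTS):
        print(alert)
```

The NTLM rule is only as strong as the NTLM footprint left on the network: once NTLM is disabled where feasible, as the mitigation list recommends, any remaining NTLM logon is itself anomalous and the leaked-account filter can be dropped. The RC4 rule deliberately ignores machine accounts and krbtgt so that ordinary computer-to-computer traffic does not drown the signal.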