Cisco Denies New Breach, Says Ransomware Group’s Leak Tied to 2022 Hack
Cisco has refuted claims of a new security breach after the Kraken ransomware group leaked what it described as sensitive internal data. The networking giant clarified that the exposed credentials stem from an old security incident that occurred in May 2022.
Ransomware Group’s Claims
The Kraken ransomware group recently posted data on its dark web leak site, alleging it was stolen from Cisco’s internal network. According to Cyber Press, the leaked information included:
- Credentials linked to Cisco’s Windows Active Directory environment
- Privileged administrator account details
- NTLM hashed passwords
- The domain’s Kerberos Ticket Granting account
Kraken also suggested that Cisco had struggled to remove them from its systems and hinted at potential future attacks.
Cisco’s Response: No New Breach
In response, Cisco issued a statement confirming that the data originated from a past security breach and not a new cyberattack. The company emphasized that the original incident had been fully addressed at the time and posed no threat to its customers.
"Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation, there was no impact to our customers."
Looking Back at the 2022 Incident
The original breach took place in May 2022, when attackers gained access to an employee’s personal Google account that stored Cisco credentials. Using voice phishing (vishing) tactics, the attackers bypassed multi-factor authentication (MFA) and gained access to the company’s VPN.
Once inside, the attackers attempted to escalate privileges and maintain persistence within Cisco’s network. However, Cisco’s security teams were able to remove them, preventing further access to critical internal systems such as production environments or code-signing architecture.
At the time, Cisco attributed the attack to an initial access broker (IAB) associated with groups like UNC2447, Lapsus$, and the Yanluowang ransomware operation.
Ongoing Cybersecurity Challenges
Jamie Akhtar, CEO and co-founder of CyberSmart, warned that, hypothetically, the exposed credentials—if still valid—could allow cybercriminals to escalate privileges, move laterally across networks, and exfiltrate sensitive data. However, Cisco maintains that the attackers were successfully removed and that no new compromise has occurred.