
Cisco confirms leaked data was stolen in Yanluowang ransomware hit

Internal Cisco data leaked late last week by the China-based Yanluowang ransomware operation has been confirmed as stolen during a cyber attack earlier in 2022, but the company has insisted the leak poses no risk to its business, supply chain operations or customers.

The attack took place in May 2022, but Cisco first disclosed it on 10 August 2022, after its name appeared for the first time on Yanluowang’s dark web leak site.

At the time, Cisco said the attacker was likely an initial access broker (IAB) with links to a threat actor tracked as UNC2447, to the Yanluowang crew, and to the Lapsus$ group that attacked multiple tech firms at the start of the year.

The attacker likely gained access after compromising the personal Google account of a Cisco employee, whose Cisco credentials had been saved in the browser and synced to that account. The employee was then pressured into approving a multi-factor authentication (MFA) push through voice phishing and repeated push notifications, giving the attacker a foothold on the Cisco VPN.

Ultimately, the attacker exfiltrated the contents of a Box folder associated with the compromised employee’s account, and employee authentication data from Active Directory.

In an update delivered on 11 September, Cisco’s threat intelligence unit Talos said: “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed.”

They continued: “Our previous analysis of this incident remains unchanged – we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

According to Bleeping Computer, however, the Yanluowang gang claims it has stolen 55GB of data including classified documents, technical information, and – critically – source code, although this is unconfirmed.

Chris Hauk, consumer privacy champion at Pixel Privacy, commented: “While this is definitely a case of ‘We said, they said’, when it comes to this data breach, Cisco customers and employees should treat this breach as if the bad actors do have access to all of the data they claim to have stolen.

“That means they should be alert for phishing schemes using the possibly purloined data, while also policing their login information, making sure they have not reused their passwords anywhere.”

A comparative rarity on the cyber criminal scene given the dominance of Russian-speaking ransomware gangs, Yanluowang was first identified in late 2021 by Symantec’s Threat Hunter team, although it appears to have been operational since at least August 2021.

It appears to be chiefly interested in organisations operating in the financial sector, but it has also targeted those specialising in consultancy, engineering, IT services and manufacturing.

According to Symantec, it uses a number of tactics, techniques and procedures (TTPs) that are associated with the Thieflock ransomware-as-a-service (RaaS) operation, possibly suggesting the presence or influence of an affiliate.

In April 2022, researchers at Kaspersky found a weakness in the ransomware’s encryption scheme and subsequently made a free decryptor available for victims. Yanluowang encrypts files with the Sosemanuk stream cipher and wraps the file-encryption key with RSA-1024; the weakness is not in RSA itself but in how the stream cipher is used, which leaves the scheme open to a known-plaintext attack. A victim who still holds an unencrypted copy of one encrypted file can use the pair to recover the keystream and decrypt other files, up to the size of the known one.
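The following is an added illustration of the failure mode behind that attack; it is not Kaspersky’s decryptor and not Yanluowang’s code. The toy cipher below derives its keystream from SHAKE-256 of the key alone (a constructed, hypothetical cipher), so every file under the same key sees the same keystream. The attack does not depend on the particular cipher, only on that reuse: XORing a known plaintext with its ciphertext yields the keystream, which then decrypts any other file up to the length of the known one, as the partial-recovery case shows.

```python
"""
Added example (not from the article, Kaspersky or Yanluowang): why reusing a
stream-cipher keystream across files enables a known-plaintext attack.
The 'cipher' is a hypothetical stand-in built on SHAKE-256; Yanluowang used
Sosemanuk, but the attack only needs the keystream to be the same per file.
"""
import hashlib


def keystream(key: bytes, length: int) -> bytes:
    # Keystream derived from the key alone, with no per-file nonce: every file
    # encrypted under this key gets an identical keystream. This is the flaw.
    return hashlib.shake_256(key).digest(length)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Classic stream-cipher encryption: ciphertext = plaintext XOR keystream.
    ks = keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    # c = p XOR ks, so ks = p XOR c. Valid for exactly the length of the known file.
    if len(known_plain) != len(known_cipher):
        raise ValueError("known plaintext and its ciphertext must be the same length")
    return bytes(p ^ c for p, c in zip(known_plain, known_cipher))


def decrypt_with_keystream(ks: bytes, ciphertext: bytes) -> bytes:
    # Only the prefix covered by the recovered keystream can be decrypted; the
    # tail beyond it is returned untouched (still encrypted) rather than guessed.
    n = min(len(ks), len(ciphertext))
    head = bytes(c ^ k for c, k in zip(ciphertext[:n], ks[:n]))
    return head + ciphertext[n:]


def demo() -> dict:
    # Constructed inputs. The key stands in for the per-victim key that real
    # ransomware would wrap with RSA-1024; the victim never learns it here either.
    key = hashlib.sha256(b"constructed demo key").digest()
    known = b"%PDF-1.7 report.pdf, a copy of which survives in a backup\n" * 20
    small = b"config.yaml: db_password: hunter2\n" * 5       # shorter than known
    large = b"big.iso " + bytes(range(256)) * 8              # longer than known

    enc_known, enc_small, enc_large = (encrypt(key, f) for f in (known, small, large))

    # The attack: the victim needs no key, only the original of one file.
    ks = recover_keystream(known, enc_known)
    small_out = decrypt_with_keystream(ks, enc_small)
    large_out = decrypt_with_keystream(ks, enc_large)

    return {
        "keystream_bytes": len(ks),
        "small_recovered": small_out == small,
        "large_prefix_recovered": large_out[: len(ks)] == large[: len(ks)],
        "large_fully_recovered": large_out == large,   # False: tail not covered
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A correctly used stream cipher (a fresh nonce per file, or a fresh key per file) would make `recover_keystream` useless against any file other than the known one; that is the property the ransomware failed to provide and the reason a single surviving original file was enough for a decryptor.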
