Cisco Systems, an American manufacturer of networking hardware, software, and telecommunications equipment, has confirmed that the data published on the dark web over the weekend by the Yanluowang ransomware gang was stolen during the May ransomware attack.
In August, Cisco disclosed that it had suffered a cyberattack in May. The attacker gained initial access to the Cisco VPN using a compromised employee's Google account, which contained credentials synced from the employee's web browser. From there, the attacker escalated to administrative privileges, logged in to multiple systems, and dropped a range of tooling: remote access software such as LogMeIn and TeamViewer, offensive security tools including Cobalt Strike, PowerSploit, Mimikatz, and Impacket, plus their own backdoor accounts and persistence mechanisms.
Cisco said it was able to evict the attacker from its systems. The company attributed the attack to an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operators.
“On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files matches what we already identified and disclosed,” Cisco’s Talos team said in an update on the incident.
The team added that the leak did not change its previous assessment that the incident had no impact on the company’s business, including its products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.
However, a representative of the Yanluowang ransomware group told BleepingComputer that the gang had stolen 55GB of data from Cisco, including classified documents, technical schematics, and source code. The attackers offered no proof of these claims beyond a single screenshot that allegedly shows access to what appears to be a development system.
Cisco denied that the attackers had accessed or obtained any source code.
“We have no evidence to suggest the actor accessed Cisco product source code or any substantial access beyond what we have already publicly disclosed,” Cisco said.