Yanluowang Ransomware Group Behind the May Attack on Cisco Systems

The Yanluowang ransomware group was behind the May attack on Cisco Systems, though Cisco says there is nothing to worry about.

Talos, Cisco’s threat intelligence team, stated in a blog post: “we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

The Yanluowang ransomware group publicly leaked the stolen data on the dark web over the weekend. Cisco confirmed the authenticity of the leaked files but said its operations were not adversely affected.

According to Cisco, the files stolen by the ransomware group contained non-sensitive information. The compromised account gave access to Google account files, Active Directory employee authentication data, and a Box folder associated with the employee’s personal Google account; Cisco confirmed that the Box data obtained by the adversary was not sensitive.

This contradicts the statement from the leader of Yanluowang, who claimed the group had stolen as much as 55GB of data, including sensitive material such as source code and classified materials.

Why Did the Hackers Leak the Stolen Data?
According to Erich Kron, security awareness advocate at security awareness training firm KnowBe4, Cisco chose not to pay the ransom, so the stolen data was posted to pressure the company into paying.

If a business’s sensitive data is stolen and locked up by ransomware, it will likely end up on the black market anyway.

The criminals initially accessed the Cisco VPN through the compromised Google account of an employee who had enabled password syncing and stored their credentials in Chrome.

Users must set up a username, a password and multifactor authentication (MFA) for their account. CryptoLocker then prompts for all of these before the user can get access to their account.

Talos noted that impersonating callers were targeting staff in a variety of languages. One employee in particular received many calls over several days, each from an anonymous voice asking to be routed to the support departments of companies the employee trusted.

Once inside Cisco’s network, the attackers enrolled new devices for MFA and were able to authenticate them on the Cisco VPN. They then escalated to administrative privileges – but this alerted CSIRT, which found that the threat group had brought in remote access software like LogMeIn and TeamViewer, as well as security tools like Cobalt Strike and Mimikatz.
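The chain described above (a freshly enrolled MFA device, a VPN login from that device, then a privilege change) is one a defender can correlate across identity-provider and VPN logs. The following is an added detection example, not Cisco’s or Talos’s code; the event fields, timestamps and user names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log events (not from the article): an identity provider
# recording MFA-device enrollments and a VPN gateway recording logins.
SAMPLE_EVENTS = [
    {"ts": "2022-05-10T09:02:11Z", "type": "mfa_device_enrolled",
     "user": "jdoe", "device": "android-7f3a"},
    {"ts": "2022-05-10T09:05:40Z", "type": "vpn_auth_success",
     "user": "jdoe", "device": "android-7f3a", "src_ip": "203.0.113.7"},
    {"ts": "2022-05-10T09:31:02Z", "type": "admin_group_added",
     "user": "jdoe", "group": "Domain Admins"},
    {"ts": "2022-05-10T10:00:00Z", "type": "mfa_device_enrolled",
     "user": "asmith", "device": "iphone-12c9"},
    {"ts": "2022-05-12T08:00:00Z", "type": "vpn_auth_success",
     "user": "asmith", "device": "iphone-12c9", "src_ip": "198.51.100.4"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_new_device_chain(events, enroll_to_vpn=timedelta(hours=1),
                            vpn_to_priv=timedelta(hours=2)):
    """Flag users whose newly enrolled MFA device logs in to the VPN within
    `enroll_to_vpn`; raise severity to high if a privilege change for the
    same user follows within `vpn_to_priv`. Returns a list of alert dicts."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    enrolled = {}  # (user, device) -> enrollment time
    alerts = []
    for e in events:
        t = parse_ts(e["ts"])
        if e["type"] == "mfa_device_enrolled":
            enrolled[(e["user"], e["device"])] = t
        elif e["type"] == "vpn_auth_success":
            start = enrolled.get((e["user"], e["device"]))
            if start is not None and t - start <= enroll_to_vpn:
                alerts.append({"user": e["user"], "device": e["device"],
                               "vpn_ts": t, "severity": "medium"})
        elif e["type"] == "admin_group_added":
            for a in alerts:
                if a["user"] == e["user"] and \
                        timedelta(0) <= t - a["vpn_ts"] <= vpn_to_priv:
                    a["severity"] = "high"
    for a in alerts:
        a["vpn_ts"] = a["vpn_ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
    return alerts
```

The second user’s VPN login comes two days after enrollment and so falls outside the window; only the first user produces an alert, escalated to high by the group change that follows.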

The attackers used an insider’s account and found other ways to access the networks. They looked through user and group memberships, moved laterally within the network, and exploited the system using the hijacked user account.

Talos found that the hackers were not only able to gain access but were also hard to keep off the network once removed. They kept trying to break back in until they could reach systems with weak passwords.

How to Stay Protected Against Such Attacks?
KnowBe4 advises fortifying your organisation with plenty of well-educated employees who are good at spotting and reporting phishing emails, and recommends implementing a DLP system to minimise the risk of a data breach.

Erich Kron advises, “The issue of data exfiltration and threats of public disclosure is not new, but the practice is becoming common. Due to the threat of these attacks, organizations are wise to focus on preventing the network intrusion in the first place, not just quickly recovering, and should ensure that access to sensitive data is limited and tightly controlled.”

Earlier last year, Symantec’s Threat Hunter Team uncovered the Yanluowang gang, and other security vendors have been keeping an eye on it since. MDR specialist eSentire’s Threat Response Unit pointed out that the IT infrastructure used in the Cisco attack in May was identical to that used in an attempted compromise of another workforce management software company the month before.

Cisco is a very tempting target: it has been on the hit list not only of Yanluowang but also of Lapsus$ and FiveHands (UNC2447), another ransomware group.
