Cyber Attackers Demand Ransom From Cisco

August 25, 2022


Cisco discovered a breach of its network on May 24, 2022. A ransomware gang had gained access to the company’s virtual private network (VPN) by convincing an employee to accept a malicious multifactor authentication (MFA) push notification. Compromising the employee’s personal Google account gave the attackers access to the employee’s business credentials through the synchronized password store in Google Chrome. The attackers then moved through the network by escalating privileges, logging into multiple systems, and installing remote access software tools and offensive security tools. On August 10, 2022, the company announced the theft of an unspecified number of files from its network. The company acknowledged that the threat actors published a list of files stolen from the network and demanded a ransom, although they did not deploy ransomware. Cisco believes the threat actor is an initial access broker, an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web.
