Yanluowang attacks Cisco
Cisco Attacked by Initial Access Broker with Ties to Yanluowang and UNC2447
An initial access broker with ties to Yanluowang and UNC2447 has attacked Cisco. Cisco confirmed the attack on August 10, 2022, disclosing that it first became aware of an intrusion on May 24, 2022. The attacker reportedly gained initial access to Cisco’s systems by successfully phishing an employee’s personal Google account, which led to the compromise of the employee’s credentials and to access to the Cisco VPN. The attacker’s tactics, techniques, and procedures (TTPs) also showed some overlap with the LAPSUS$ ransomware gang.
According to CSIRT, “Cisco did not identify any impact to our business as a result of this incident, including no impact to any Cisco products or services, sensitive customer data or sensitive employee information, Cisco intellectual property, or supply chain operations. On August 10, the bad actors published a list of files from this security incident to the dark web.” Cisco also initiated a company-wide password reset in response to the attack.
Background on Yanluowang and UNC2447
Yanluowang likely emerged in August 2021 from existing ransomware-as-a-service criminal operations known as FIVEHANDS and Thieflock. UNC2447 monetizes intrusions by first extorting victims with FIVEHANDS ransomware, then applying pressure aggressively through threats of media attention and by offering victim data for sale on hacker forums. Both are thought to have links to the Cisco attack.