Cisco Confirms Data Breach, Hacked Files Leaked

Published: 23/11/2024   Category: security




A ransomware gang gained access to the company's VPN in May by convincing an employee to accept a multifactor authentication (MFA) push notification.



Cisco has confirmed a breach of its network, where the attacker used voice phishing to convince an employee to accept a malicious multifactor authentication (MFA) push. The breach resulted in cyberattackers gaining access to the company's virtual private network (VPN) and the theft of an unspecified number of files from its network, the company stated on Aug. 10.
The attacker compromised a Cisco employee's personal Google account, which gave them access to the worker's business credentials through the synchronized password store in Google Chrome. To bypass the MFA protecting access to Cisco's corporate VPN, the attacker attempted voice phishing, or vishing, and repeatedly pushed MFA authentication requests to the employee's phone. Eventually, the worker either inadvertently, or through alert fatigue, accepted the push request, giving the attacker access to Cisco's network.
Cisco acknowledged the incident in a brief press statement, maintaining that the company discovered the breach on May 24 but "did not identify any impact to our business as a result of the incident."
"[W]e took immediate action to contain and eradicate the bad actors, remediate the impact of the incident, and further harden our IT environment," a company spokesman said in the statement sent to Dark Reading. "No ransomware has been observed or deployed and Cisco has successfully blocked attempts to access Cisco's network since discovering the incident."
Breaches of technology companies have become commonplace, often as part of supply chain attacks. In one of the original supply chain attacks, in 2011, two state-sponsored groups linked to China compromised security vendor RSA to steal critical data underpinning the security of the company's SecurID tokens. In the most significant modern attack, the Russia-linked Nobelium group — which is Microsoft's designation — compromised SolarWinds and used a compromised update to compromise the company's clients.
"The attack on Cisco likely had multiple goals," Ilia Kolochenko, founder of cybersecurity startup ImmuniWeb, said in a statement sent to Dark Reading.
"Vendors usually have privileged access to their enterprise and government customers and thus can open doors to invisible and super-efficient supply chain attacks," he said, adding that vendors frequently have invaluable cyber threat intelligence: "bad guys are strongly motivated to conduct counterintelligence operations, aimed to find out where law enforcement and private vendors are with their investigations and upcoming police raids."
While some security experts characterized the attack as sophisticated, Cisco pointed out that it was a social-engineering play.
"The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user," the Cisco Talos team stated in an analysis of the attack. "Once the attacker had obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN."
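The sequence described above, a burst of MFA push prompts ending in an approval and then a new MFA device enrolled shortly afterwards, is detectable from identity-provider logs. The following is an added example, not code from Cisco Talos or the article; the log format, field names, sample events and thresholds are assumptions chosen for illustration.

```python
"""Flag MFA push fatigue followed by new-device enrollment in MFA logs.

Heuristic only. Log format, field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO time> <user> <event> <detail>"
SAMPLE_LOG = """\
2022-05-24T08:01:10 jdoe push_sent ip=203.0.113.7
2022-05-24T08:01:40 jdoe push_denied ip=203.0.113.7
2022-05-24T08:02:05 jdoe push_sent ip=203.0.113.7
2022-05-24T08:02:35 jdoe push_timeout ip=203.0.113.7
2022-05-24T08:03:00 jdoe push_sent ip=203.0.113.7
2022-05-24T08:03:20 jdoe push_approved ip=203.0.113.7
2022-05-24T08:09:45 jdoe mfa_device_enrolled device=android-new
2022-05-24T09:15:00 asmith push_sent ip=198.51.100.9
2022-05-24T09:15:20 asmith push_approved ip=198.51.100.9
"""

PUSH_WINDOW = timedelta(minutes=10)    # sliding window for counting prompts
PUSH_THRESHOLD = 3                     # prompts in window before an approval alerts
ENROLL_WINDOW = timedelta(minutes=30)  # enrollment this soon after such an approval alerts

def parse(log):
    """Yield (timestamp, user, event, detail) tuples from the assumed format."""
    for line in log.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, event, detail

def detect(log):
    """Return a list of (user, alert_type, timestamp) findings, in log order."""
    alerts, pushes, suspicious_approval = [], defaultdict(list), {}
    for ts, user, event, _detail in parse(log):
        if event == "push_sent":
            # keep only prompts still inside the sliding window
            pushes[user] = [t for t in pushes[user] if ts - t <= PUSH_WINDOW]
            pushes[user].append(ts)
        elif event == "push_approved":
            if len(pushes[user]) >= PUSH_THRESHOLD:
                alerts.append((user, "push_fatigue_approval", ts))
                suspicious_approval[user] = ts
            pushes[user].clear()
        elif event == "mfa_device_enrolled":
            last = suspicious_approval.get(user)
            if last is not None and ts - last <= ENROLL_WINDOW:
                alerts.append((user, "enrollment_after_push_fatigue", ts))
    return alerts
```

A single prompt followed by an approval (the asmith events) produces no alert; only the repeated-prompt pattern and the enrollment that follows it are flagged.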
With access established, the attacker then tried to move through the network by escalating privileges and logging into multiple systems. The threat actor installed several tools, such as remote access software LogMeIn and TeamViewer, as well as offensive security tools, such as Cobalt Strike and Mimikatz, both in wide use by attackers.
In addition, the attacker had extensive access to Cisco's network, using the compromised account to access a large number of systems and compromising several Citrix servers to get privileged access to domain controllers, according to the Cisco Talos analysis. The attacker used already existing remote desktop protocol (RDP) accounts to access systems, removing firewall rules to prevent them from blocking access.
While Cisco maintains that the attackers did not impact its products, services, or sensitive customer or employee data, the company did acknowledge that on Aug. 10, the threat actors published a list of files stolen from the network during the incident. While the attackers demanded a ransom, according to one press report, Cisco stated that the attackers did not deploy ransomware. The threat actor did install a number of offensive tools and payloads on a variety of systems on Cisco's network.
Cisco believes the threat actor is an initial access broker — an adversary that gains unauthorized access to corporate networks and then sells that access as a service on the Dark Web. The threat actor appears to have ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operators, Cisco's Talos group stated.
The threat actor, or its affiliates, spoke in English with various international accents and dialects, and claimed to be part of a support organization known to the worker, the targeted employee told Cisco, according to the Talos analysis.
