The Week in Cybersecurity: MFA shortcomings paved the way for Cisco breach

Security Week reports that Cisco released a security incident notice for a data breach they detected on May 24, 2022, sharing key details about the incident. Expectedly, the company shared its side of the story just days after cybercriminals published files allegedly stolen from Cisco online. In Cisco’s technical blog post detailing what happened, they believe that the attackers targeted a single employee’s personal Google account, allowing the attacker to harvest the employee’s Cisco credentials from their synced passwords. Once the attackers gained access to the employee’s Cisco account, they were asked to complete multi factor authentication (MFA).

While MFA is considered to be one of the strongest tools individuals can use to protect their accounts and sensitive information, it’s still not a perfect solution. Attackers have developed a method to bypass MFA by taking advantage of human behavior. This technique is known as MFA fatigue, in which attackers send a mass number of authentication requests, “spamming” the victim’s phone number or email address until the victim is tricked or becomes annoyed enough to engage with the communication. This technique worked for Cisco’s attackers, allowing them to connect to Cisco’s VPN and use it to log in to the company’s internal network. Once inside, attackers moved laterally, elevated permissions and ultimately obtained domain administrator roles. They then dropped remote access and post-exploitation tools to expand their control over Cisco’s internal network, with a goal of siphoning sensitive data and more.

Even though Cisco was able to detect and terminate the malicious activities, causing “no impact” to their business, the incident underscores that MFA alone cannot stop cybercriminals from breaching an organization’s network. Individuals themselves must serve as the core line of defense, using their best judgment to spot suspicious activity such as MFA fatigue.

Cisco has attributed the attack to an initial access broker with ties to UNC2447, a Russia-linked threat group that has used several kinds of ransomware. UNC2447 also has ties to Lapsus$, the gang that made headlines several months back for targeting several major companies. Additionally, the initial access broker has ties to the Yanluowang ransomware group, which has taken credit for this attack on Cisco.

News Roundup

Here are the stories that we're paying attention to this week...

GitHub Dependabot now alerts developers on vulnerable GitHub actions (The Hacker News)

Cloud-based code hosting platform GitHub has announced that it will now start sending Dependabot alerts for vulnerable GitHub Actions to help developers fix security issues in CI/CD workflows.

New 'Orchard' botnet uses Bitcoin founder's account info to generate malicious domains (The Hacker News)

A new botnet named Orchard has been observed using Bitcoin creator Satoshi Nakamoto's account transaction information to generate domain names to conceal its command-and-control (C2) infrastructure.

Researchers uncover sophisticated global Chinese hacking operation (CyberScoop)

A Chinese hacking group simultaneously used six different backdoors against more than a dozen industrial plants, research institutes, government agencies and ministries in Belarus, Russia, Ukraine and Afghanistan, researchers with Kaspersky said.

Weak cybersecurity is taking a toll on small businesses (The State of Security)

During 2020 and 2021, data breaches at small businesses globally soared 152% in comparison to the two previous years. This figure is twice as large as it was among larger companies in the same period.

Slack resets passwords after exposing hashes in invitation links (Bleeping Computer)

Slack notified roughly 0.5% of its users that it reset their passwords after fixing a bug exposing salted password hashes when creating or revoking shared invitation links for workspaces.