Cisco Talos Intelligence Group praised for its detailed analysis of a cyber attack on Cisco
Cisco Talos Intelligence Group is being praised on Twitter for publishing a detailed analysis of a recent cyber attack on Cisco.
👊🏻 Huge props to @TalosSecurity for this detailed analysis of a recent cyber attack on Cisco. This level of transparency is incredibly helpful to understand adversary tradecraft & thus contribute to the collective cyber defense of our ecosystem. #JCDC https://t.co/7VHUz0A4qM pic.twitter.com/KOEcMs8rML
— Jen🛡Easterly (@CISAJen) August 11, 2022
Everyone gets compromised eventually – Dragos will be eventually I’m sure – removing the stigma and focusing on the actions/response is key. Kudos to the Cisco and Cisco Talos team for the compromise disclosure and detailed analysis https://t.co/KdgUbGyJ0j
— Robert M. Lee (@RobertMLee) August 12, 2022
According to blog.talosintelligence.com, on May 24, 2022, Cisco became aware of a potential compromise. Since then, the Cisco Security Incident Response Team (CSIRT) and Cisco Talos have been working to remediate it.
During the investigation, it was determined that a Cisco employee's credentials were compromised after the attacker gained control of a personal Google account in which credentials saved in the victim's browser were being synchronized.
The attacker then conducted a series of sophisticated voice phishing attacks, posing as various trusted organizations, in an attempt to convince the victim to accept multi-factor authentication (MFA) push notifications that the attacker had initiated.
The attacker ultimately succeeded in obtaining an MFA push acceptance, which granted them access to the VPN in the context of the targeted user.
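The pattern described above, a burst of attacker-initiated MFA push prompts that are denied or time out until the user finally accepts one, leaves a recognisable trace in MFA provider logs. The following detector is an added example written for this page; it is not code from Cisco, Talos or the Twitter posts quoted here. The log line format, the `user=`/`result=`/`src=` fields and the sample events are constructed for illustration, and the ten-minute window and three-prompt threshold are assumed tuning values, not figures from the Talos report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample MFA push log (not real Cisco data). TEST-NET addresses
# are used for source IPs. "alice" shows the push-fatigue pattern: three
# rejected prompts followed by an approval within a few minutes.
SAMPLE_LOG = """\
2022-05-24T09:01:12Z user=alice result=denied src=203.0.113.5
2022-05-24T09:02:40Z user=alice result=timeout src=203.0.113.5
2022-05-24T09:04:05Z user=alice result=denied src=203.0.113.5
2022-05-24T09:06:30Z user=alice result=approved src=203.0.113.5
2022-05-24T09:10:00Z user=bob result=approved src=198.51.100.7
2022-05-24T11:30:00Z user=carol result=denied src=203.0.113.9
2022-05-24T12:15:00Z user=carol result=approved src=203.0.113.9
"""


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    result: str   # approved | denied | timeout
    src_ip: str


def parse_line(line: str) -> MfaEvent:
    """Parse one line of the assumed 'timestamp key=value ...' format."""
    ts_text, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return MfaEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        result=fields["result"],
        src_ip=fields["src"],
    )


def parse_log(text: str) -> List[MfaEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_push_fatigue(events: List[MfaEvent],
                      window: timedelta = timedelta(minutes=10),
                      min_prompts: int = 3) -> List[dict]:
    """Flag every approval preceded by enough rejected prompts inside the window.

    A single denied prompt followed much later by a normal login (carol) is
    ordinary user behaviour and is not flagged; only a burst that ends in an
    acceptance is reported, because that is the moment access is granted.
    """
    by_user: Dict[str, List[MfaEvent]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev.result != "approved":
                continue
            # Prompts the user did not accept, shortly before this approval.
            rejected = [p for p in evs[:i]
                        if p.result in ("denied", "timeout")
                        and ev.ts - p.ts <= window]
            prompts = len(rejected) + 1   # include the accepted prompt itself
            if prompts >= min_prompts:
                alerts.append({
                    "user": user,
                    "prompts": prompts,
                    "first_prompt": rejected[0].ts,
                    "approved_at": ev.ts,
                    "src_ip": ev.src_ip,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA push fatigue: user={alert['user']} "
              f"prompts={alert['prompts']} approved_at={alert['approved_at']} "
              f"src={alert['src_ip']}")
```

Run against the sample, the detector reports only `alice` (four prompts in under six minutes ending in an approval); `bob` has a clean single approval and `carol`'s earlier denial falls outside the window. In production the same rule would be fed from the MFA provider's authentication log, and the resulting alert is a good trigger to verify the session out of band and review what the account did on the VPN immediately afterwards.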
CSIRT and Talos are responding to the event and have not identified any evidence that the attacker gained access to critical internal systems, such as those related to product development or code signing.
After obtaining initial access, the attacker conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment.
The attacker was removed from the environment but displayed persistence, repeatedly attempting to regain access in the weeks following the attack; these attempts were unsuccessful.