Cisco Victim of Phishing Attack, Files Leaked on Dark Web

Cisco has confirmed that the Yanluowang ransomware group breached its corporate network in late May and that the threat actor then attempted to extort the company under the threat of leaking stolen files online.


Cisco said that the initial access vector was the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of the employee’s credentials and access to the Cisco VPN. The attackers published a list of files from the incident on the Dark Web. Cyber experts weighed in on this attack and on how organizations can avoid becoming a similar type of victim.


Tim Prendergast, CEO, strongDM

"Attackers are continually going after credentials because people inevitably make mistakes when moving fast to keep up with the pace of day-to-day operations. Employees might miss a misspelled word, an unknown email address or other phishing sign while going from task to task. Eliminating this risk isn't about providing more training or putting up more access walls. Instead, organizations need to implement a process whereby users never know their credentials to critical infrastructures like servers, databases or Kubernetes clusters. Rather than point fingers, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure."


Arti Raman (she/her), CEO & Founder, Titaniam

“Cisco is the latest corporation to see an employee fall victim to a phishing attack, resulting in data exfiltration followed by extortion. This attack, just like most of the attacks these days, shows that despite thorough security protocols, corporate information can be compromised via privileged credentials. It also confirms that data-related extortion has become the sole purpose of a majority of attacks and companies need to put strong data immunity measures in place ahead of time.

The most effective solution for keeping customer PII safe and minimizing the risk of extortion is data-in-use encryption, also known as encryption-in-use. Encryption-in-use provides enterprises with unmatched immunity to data-focused cyberattacks. Should adversaries gain access to structured or unstructured data by any means, data-in-use encryption keeps the sensitive information encrypted and protected even when it is actively being utilized. This helps neutralize all possible data-related leverage and dramatically limits the impact of a data breach.”

Amit Shaked, CEO and co-founder, Laminar

“While the Yanluowang ransomware group didn't actually deploy ransomware, they still managed to access Cisco's files and leak them online, seemingly to extort the company.

Information within an organization’s network is valuable to both businesses and attackers because it holds the key to a company's competitive advantage. This incident occurred through compromised Google and Box accounts, which reminds us that with a majority of the world’s data residing in the cloud, it is imperative that security becomes data-centric and solutions become cloud-native.

Solutions need to be completely integrated with the cloud in order to identify potential risks and have a deeper understanding of where data resides. Using the dual approach of visibility and protection, data security teams can know for certain which data stores are valuable targets and ensure proper controls, which allows for quicker discovery of any data leakage.”

Danny Lopez, CEO, Glasswall

“This latest Cisco incident should serve as a reminder of how important the human element is in the world of cybersecurity. Without employees having a proper understanding of online security risks, organisations can be left defenceless against hackers. In this instance, a staff member's personal Google account was compromised, and likely through poor password hygiene, their work account was then accessed, allowing adversarial access to internal files.

According to the IBM Cost of a Data Breach Report 2022, stolen credentials are the most common attack vector, leading to 20% of breaches costing an average of USD 4.37 million. And the newly released Verizon Data Breach Investigations Report showed that credential theft and phishing were responsible for nearly two-thirds of breaches in the last year.

The solution to fending off cyberattacks at both an individual and company level is twofold: training and technology. Training will arm employees to be alert to risks and follow best practices. This can be as simple as using strong passwords and multi-factor authentication, not opening links and/or attachments from unfamiliar sources, and using anti-virus software.

On the technology side, taking a proactive, zero trust (never trust/always verify) approach to security can not only protect the companies that implement it but their customers as well. Having these measures in place will not only assist with preventing attacks, but it’s also more cost effective and efficient than using employees as an organisation’s first line of defence. By combining training and technology, individual, company, and client data privacy is significantly more achievable for organisations around the globe.”
