Infra Used in Cisco Hack Also Targeted Workforce Management Solution (Security News, September 2022)
The attack infrastructure used to target Cisco in the May 2022 incident was also employed against an attempted compromise of an unnamed workforce management solutions holding company a month earlier in April 2022.
Initial access to the company's IT network was made possible by using stolen Virtual Private Network credentials, followed by leveraging off-the-shelf tools for lateral movement and gaining deeper access into the victim's environment.
"Using Cobalt Strike, the attackers were able to gain an initial foothold and hands-on actions were immediate and swift from the time of initial access to when the attacker was able to register their own Virtual Machine on the victim's VPN network," eSentire noted.
Mx1r's ties to UNC2165 stem from overlaps in tactics and techniques with those of UNC2165, including staging a Kerberoasting attack against the Active Directory service and the use of Remote Desktop Protocol access for propagating within the company's network.
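The Kerberoasting activity mentioned above is one of the few steps in this incident that a defender can hunt for directly in standard Windows telemetry: an attacker harvesting crackable service tickets typically requests TGS tickets for many distinct service principal names (SPNs) in a short burst, and asks for RC4-HMAC (encryption type 0x17) because those hashes crack far faster than AES. The example below is added here and is not code from the article, eSentire, or Cisco; it runs a simple burst-of-RC4-requests heuristic over a constructed, reduced set of Windows Security Event 4769 ("A Kerberos service ticket was requested") records. The account names, service names and timestamps are invented, and the 5-SPNs-in-5-minutes threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event 4769 records, reduced to the
# fields the detection needs: time, "Account Name" (requester), "Service Name"
# (target SPN account) and "Ticket Encryption Type". These are not real logs.
SAMPLE_EVENTS = [
    # (timestamp, requesting account, requested service, ticket encryption type)
    ("2022-04-12T09:00:01", "jdoe@CORP.EXAMPLE", "MSSQLSvc/db01", "0x12"),      # AES256, normal use
    ("2022-04-12T09:00:05", "jdoe@CORP.EXAMPLE", "HTTP/web01", "0x12"),
    ("2022-04-12T10:15:00", "svc_backup@CORP.EXAMPLE", "CIFS/fs01", "0x17"),    # lone RC4 request (legacy app)
    ("2022-04-12T11:30:00", "asmith@CORP.EXAMPLE", "MSSQLSvc/db01", "0x17"),    # burst of RC4 requests
    ("2022-04-12T11:30:01", "asmith@CORP.EXAMPLE", "MSSQLSvc/db02", "0x17"),    # across many SPNs
    ("2022-04-12T11:30:02", "asmith@CORP.EXAMPLE", "HTTP/web01", "0x17"),
    ("2022-04-12T11:30:02", "asmith@CORP.EXAMPLE", "HTTP/web02", "0x17"),
    ("2022-04-12T11:30:03", "asmith@CORP.EXAMPLE", "ldap/dc01", "0x17"),
    ("2022-04-12T11:30:04", "asmith@CORP.EXAMPLE", "TERMSRV/ts01", "0x17"),
]

RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4769


def find_kerberoasting_candidates(events, window=timedelta(minutes=5), threshold=5):
    """Flag accounts that requested RC4 service tickets for at least `threshold`
    distinct SPNs within any `window`-long interval.

    Returns {account: sorted list of the distinct SPNs seen in the first
    qualifying window}. The window/threshold values are assumptions to tune.
    """
    rc4_requests = defaultdict(list)
    for ts, account, service, etype in events:
        if etype == RC4_HMAC:
            rc4_requests[account].append((datetime.fromisoformat(ts), service))

    hits = {}
    for account, reqs in rc4_requests.items():
        reqs.sort()  # chronological order so the sliding window below is valid
        for i, (start, _) in enumerate(reqs):
            # Every request from index i onward that falls inside the window
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[account] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for account, spns in find_kerberoasting_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} SPNs with RC4 tickets -> {spns}")
```

On the constructed data only `asmith@CORP.EXAMPLE` is flagged; the single legacy RC4 request from `svc_backup` stays under the threshold, which is the kind of noise source to expect in real environments. Two complementary mitigations reduce both the noise and the attack surface: set `msDS-SupportedEncryptionTypes` on service accounts so they only issue AES tickets, and move high-value SPNs to group managed service accounts, whose long random passwords are not practically crackable offline.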
The connections notwithstanding, the Cobalt Strike "HiveStrike" infrastructure used to mount the attack is said to match that of a Conti ransomware affiliate previously known to deploy Hive and Yanluowang strains, the latter of which has since posted files stolen from the Cisco breach in late May 2022 to its data leak site.
The networking equipment maker attributed the incident to an initial access broker with links to three different collectives: UNC2447, LAPSUS$, and Yanluowang ransomware.
News URL: https://thehackernews.com/2022/09/infra-used-in-cisco-hack-also-targeted.html