Recent Ransomware attack on Cisco



Having read and analyzed this myself: employees make these mistakes day in and day out. User awareness training is never enough!
 

In cybersecurity there are two types of companies: those that have been hacked and those that are yet to be hacked :-) Recently Microsoft was in the news, and now Cisco. You may want to read about the attack: https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/

Some security experts have simplified and explained the breach. Kindly employ ways to increase and improve your security defenses, or else you will pay the real-life costs of getting breached.

 

Today I was discussing and shedding light on the guide below, and I highlighted that despite the attacks perpetrated on 2FA, it is still highly recommended to employ it (still far better than the alternative of simply relying on a username and a strong password), and also never to underestimate user awareness training whenever possible.

 

 


14 comments


Yeah, we educate and use MFA here where I work now for almost everything. So it is really interesting reading this stuff.


This has been a commonly critiqued flaw of push-notification-driven MFA. Presenting an OTP prompt is better where possible, as the user can't suffer MFA fatigue and just permit the access, though rate limiting MFA requests would also be a good place to start.

When supplying an OTP, unless the user sees a prompt, they won't seek out a code from their MFA device.
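The comment above recommends rate limiting MFA push requests as a first step against MFA fatigue. As an added example that is not code from this thread, from Cisco, or from any MFA vendor, the Python below shows both halves of that idea over a constructed authentication log: a server-side sliding-window limiter that stops sending pushes once a user has received a set number within a few minutes, and a detection rule that flags an approval that follows a run of denied or unanswered prompts (the prompt-bombing pattern). The log format, field names, window sizes and thresholds are assumptions chosen for illustration and should be adapted to the real audit log of your identity provider.

```python
"""Push-MFA rate limiting and MFA-fatigue detection.

Added example, not code from the thread or from Cisco/any MFA vendor. The log
format, field names, window sizes and thresholds below are assumptions chosen
for illustration; adapt them to your IdP's actual audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: "<timestamp> <user> <result> <source_ip>").
# alice is being prompt-bombed and finally taps "approve"; bob is normal use.
SAMPLE_LOG = """\
2022-05-24T09:00:01Z alice push_denied 203.0.113.7
2022-05-24T09:00:20Z alice push_timeout 203.0.113.7
2022-05-24T09:00:45Z alice push_denied 203.0.113.7
2022-05-24T09:01:10Z alice push_denied 203.0.113.7
2022-05-24T09:01:35Z alice push_timeout 203.0.113.7
2022-05-24T09:02:00Z alice push_approved 203.0.113.7
2022-05-24T09:05:00Z bob push_approved 198.51.100.2
2022-05-24T10:30:00Z bob push_denied 198.51.100.2
"""

UNAPPROVED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag an approval that follows >= `threshold` denied/unanswered pushes
    for the same user within `window` (the prompt-bombing pattern).

    Returns a list of alert dicts; an empty list means nothing was flagged.
    """
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent unapproved pushes
    for ev in events:
        q = recent[ev["user"]]
        while q and ev["ts"] - q[0] > window:   # expire entries outside the window
            q.popleft()
        if ev["result"] in UNAPPROVED:
            q.append(ev["ts"])
        elif ev["result"] == "push_approved" and len(q) >= threshold:
            alerts.append({
                "user": ev["user"], "ip": ev["ip"],
                "prior_unapproved": len(q), "approved_at": ev["ts"],
            })
            q.clear()
    return alerts


class PushRateLimiter:
    """Server-side cap on push prompts per user: at most `max_pushes` per `window`.

    Call allow_push() before sending a prompt. When it returns False the IdP
    should fall back to a code the user must type (OTP or number matching) or
    simply refuse, instead of sending yet another push the attacker can spam.
    """

    def __init__(self, max_pushes=3, window=timedelta(minutes=5)):
        self.max_pushes = max_pushes
        self.window = window
        self._sent = defaultdict(deque)  # user -> timestamps of pushes actually sent

    def allow_push(self, user, now):
        q = self._sent[user]
        while q and now - q[0] >= self.window:  # expire old sends
            q.popleft()
        if len(q) >= self.max_pushes:
            return False          # over budget: do not send, do not record
        q.append(now)             # budget available: record the send
        return True


def demo_rate_limit():
    """Drive the limiter with a constructed timeline; returns the allow/deny decisions."""
    rl = PushRateLimiter(max_pushes=3, window=timedelta(minutes=5))
    t0 = datetime(2022, 5, 24, 9, 0, 0)
    # (user, seconds after t0): alice's 4th push inside 5 min is refused,
    # bob is unaffected, and alice is allowed again once the window has passed.
    timeline = [("alice", 0), ("alice", 30), ("alice", 60), ("alice", 90),
                ("bob", 90), ("alice", 420)]
    return [rl.allow_push(u, t0 + timedelta(seconds=s)) for u, s in timeline]


if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {a['user']} approved a push after {a['prior_unapproved']} "
              f"unapproved prompts in the window (source {a['ip']})")
    print("rate-limit decisions:", demo_rate_limit())
```

The limiter only counts pushes that were actually sent, so refused attempts do not extend the lockout; the detector clears its window after raising an alert so one prompt-bombing episode produces one alert rather than one per later approval.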


> This has been a commonly critiqued flaw of push-notification-driven MFA. Presenting an OTP prompt is better where possible, as the user can't suffer MFA fatigue and just permit the access, though rate limiting MFA requests would also be a good place to start.
>
> When supplying an OTP, unless the user sees a prompt, they won't seek out a code from their MFA device.

I agree! If you aren't careful and observant, the push notification isn't for you 😁 Gmail, WordPress, Deloitte and Yahoo Mail all employ push notifications. Therefore, extreme care must be taken, or else you will be granting the big boys access to your account :-(

OTPs can be tiring, to be honest, but they eliminate a lot of the flaws present in push notifications. You will hardly be found wanting, as you have to go through the rigorous process of supplying the OTP.


Also be wary of hyperlinks; only click on links from reputable sites, blogs, company webpages, etc.: https://www.bleepingcomputer.com/news/security/twilio-discloses-data-breach-after-sms-phishing-attack-on-employees/

I am sure you don't want to be identified as the compromised employee 😂 Note: this can happen to anyone.


> This has been a commonly critiqued flaw of push-notification-driven MFA. Presenting an OTP prompt is better where possible, as the user can't suffer MFA fatigue and just permit the access, though rate limiting MFA requests would also be a good place to start.
>
> When supplying an OTP, unless the user sees a prompt, they won't seek out a code from their MFA device.

> I agree! If you aren't careful and observant, the push notification isn't for you 😁 Gmail, WordPress, Deloitte and Yahoo Mail all employ push notifications. Therefore, extreme care must be taken, or else you will be granting the big boys access to your account :-(
>
> OTPs can be tiring, to be honest, but they eliminate a lot of the flaws present in push notifications. You will hardly be found wanting, as you have to go through the rigorous process of supplying the OTP.

Don't get me started on Gmail. The most ridiculous, anti-security-minded measure I've seen is that if you're signed into the YouTube app, Gmail sends its push notifications to that app! And you can't change that setting! A streaming app is not an authentication app.

You wouldn’t open windows media player to sign into M365 🤯


At first this didn't sound so serious, but after reading all the details... getting access to the domain controllers and dumping NTDS is like the worst case?

What I don't understand: the attack was in May, but when did Cisco actually detect the breach and stop the attackers? And did they only now disclose the breach because the hackers published their data, or was it the other way around?


> At first this didn't sound so serious, but after reading all the details... getting access to the domain controllers and dumping NTDS is like the worst case?
>
> What I don't understand: the attack was in May, but when did Cisco actually detect the breach and stop the attackers? And did they only now disclose the breach because the hackers published their data, or was it the other way around?

This provides a good overview:
Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Cisco Talos shares insights related to recent cyber attack on Cisco


So it sounds like Cisco only disclosed the breach once the hackers started publishing their data.


@dips I also read their blog post and came to the same conclusion. While it is bad publicity for a security vendor to have security issues, not talking about such a breach is even worse; just my opinion.


> @dips I also read their blog post and came to the same conclusion. While it is bad publicity for a security vendor to have security issues, not talking about such a breach is even worse; just my opinion.

I’d agree with that. I begin to think, ‘What else are they hiding?’


> So it sounds like Cisco only disclosed the breach once the hackers started publishing their data.

I agree with you. I think they tried to prevent reputational damage. But at the least it should never be concealed. Just my opinion!


They are based in the US and this (GDPR) does not apply: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay".

 


> They are based in the US and this (GDPR) does not apply: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay".

I'd argue that if they were processing EU citizen data, even in the US, GDPR applies to them to some extent.

This gives a good overview: https://termly.io/resources/articles/gdpr-in-the-us/

Happy for any clarification as I am no GDPR expert


> They are based in the US and this (GDPR) does not apply: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay".

> I'd argue that if they were processing EU citizen data, even in the US, GDPR applies to them to some extent.
>
> This gives a good overview: https://termly.io/resources/articles/gdpr-in-the-us/
>
> Happy for any clarification as I am no GDPR expert

> I'd argue that if they were processing EU citizen data, even in the US, GDPR applies to them to some extent.

You are right! But it cannot be as effective as for those companies residing within the EU. Just my opinion...
