Cisco Rejects Kraken Ransomware’s Data Breach Claims


Cisco has refuted claims of a recent data breach after the Kraken ransomware group published sensitive information, allegedly stolen from the company’s internal network, on its dark web leak site. Cyber Press reported on the ransomware group’s claims, which included the exposure of credentials linked to Cisco’s Windows Active Directory environment. 

According to the report, the leaked dataset contained usernames and their associated domains, the relative identifier (RID) of each account, and NTLM (NT) password hashes. The compromised accounts include privileged administrator accounts, regular user accounts, service and machine accounts linked to domain controllers, and the Kerberos Ticket Granting Ticket (krbtgt) account, whose hash can be used to forge Kerberos tickets (so-called Golden Tickets) for as long as that account's password is not reset.

The report further suggested that credential-dumping tools such as Mimikatz, pwdump, or hashdump were likely used to extract this information. Such tools are commonly employed by cybercriminals and advanced persistent threat (APT) groups to harvest credentials from system memory (for example the LSASS process); a domain-wide listing that includes the krbtgt hash, as described here, would normally come from the Active Directory database (NTDS.dit) or from DCSync-style replication requests rather than from a single machine's memory. Alongside the leaked data, the attackers left a threatening message hinting at their intent to inflict further damage.
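To make the leak format concrete, the following is an added example (not code from the article, Cisco or Talos) that parses pwdump-style lines of the shape the report describes, flags the accounts a defender would prioritise (RID 500, krbtgt, machine accounts, blank passwords, stored LM hashes), groups accounts that share a password, and compares the leaked hashes with a fresh dump to list accounts that were never reset. Every account name, RID and hash in it is constructed; a small pure-Python MD4 is included because `hashlib` often has MD4 disabled, and computing an NT hash directly shows why these hashes are cheap to crack offline: MD4 over the UTF-16LE password, no salt.

```python
"""Triage of a pwdump-style Active Directory hash leak (added example, not code from
the article, Cisco or Talos). Input lines follow the pwdump/secretsdump convention the
article describes, DOMAIN\\user:RID:LMHASH:NTHASH:::, and every account, RID and hash
below is constructed for illustration."""
import struct
from collections import defaultdict, namedtuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
WELL_KNOWN_RIDS = {500: "built-in Administrator", 502: "krbtgt"}
Entry = namedtuple("Entry", "domain user rid lm nt")


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is usually disabled under OpenSSL 3."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    rounds = (  # (mixing function, additive constant, shift table, message-word order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): unsalted and fast, so cheap to crack offline."""
    return md4(password.encode("utf-16-le")).hex()


def parse_dump(text: str) -> list:
    """Parse DOMAIN\\user:RID:LM:NT::: lines; blank lines and # comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed line: {line!r}")
        domain, _, user = fields[0].rpartition("\\")
        entries.append(Entry(domain, user, int(fields[1]), fields[2].lower(), fields[3].lower()))
    return entries


def classify(e: Entry) -> list:
    """Flags a defender should act on first."""
    tags = [WELL_KNOWN_RIDS[e.rid]] if e.rid in WELL_KNOWN_RIDS else []
    if e.user.endswith("$"):
        tags.append("machine account")
    if e.nt == EMPTY_NT:
        tags.append("blank password")
    if e.lm != EMPTY_LM:
        tags.append("LM hash stored")
    return tags


def shared_passwords(entries: list) -> dict:
    """Accounts sharing an NT hash share a password: the hash is unsalted."""
    by_hash = defaultdict(list)
    for e in entries:
        if e.nt != EMPTY_NT:
            by_hash[e.nt].append(e.user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def unrotated(leaked: list, current: list) -> list:
    """Accounts whose NT hash in a fresh dump still equals the leaked one (never reset)."""
    now = {(e.domain.lower(), e.user.lower()): e.nt for e in current}
    return [e.user for e in leaked if now.get((e.domain.lower(), e.user.lower())) == e.nt]


# Constructed leak: Administrator and svc_backup reuse the hash of "password".
LEAKED_DUMP = """\
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f:::
CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\\DC01$:1001:aad3b435b51404eeaad3b435b51404ee:1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a:::
CORP\\svc_backup:1203:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""
# Constructed present-day dump: every password was reset except svc_backup's.
CURRENT_DUMP = """\
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b:::
CORP\\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c:::
CORP\\jdoe:1105:aad3b435b51404eeaad3b435b51404ee:4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d:::
CORP\\DC01$:1001:aad3b435b51404eeaad3b435b51404ee:5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e:::
CORP\\svc_backup:1203:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

if __name__ == "__main__":
    leaked = parse_dump(LEAKED_DUMP)
    print({e.user: classify(e) for e in leaked if classify(e)})
    print(shared_passwords(leaked))
    print(unrotated(leaked, parse_dump(CURRENT_DUMP)))
```

Run against a real leak and a fresh `secretsdump`-style export of the current domain, the `unrotated` list is the evidence a responder wants before accepting that an old incident was "fully addressed": any account still carrying a leaked NT hash is still pass-the-hash-able today, and for krbtgt that means forged tickets remain possible.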

“You lied to us and play for time to kick us out. We will meet you soon, again. Next time you’ll have no chance,” attackers stated.

Files published by the Kraken ransomware group (Image via: CyberPress)

However, Cisco has issued an official statement contradicting the ransomware group’s claims, revealing that the exposed credentials stem from a previously disclosed security incident that occurred back in May 2022.  

“Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation there was no impact to our customers,” the company stated.

Hackread.com had reported on that 2022 breach, in which attackers gained control of a Cisco employee's personal Google account containing saved company credentials. Through voice phishing (vishing), the attackers then bypassed multi-factor authentication (MFA) and gained access to the target user's VPN. Cisco confirmed it removed the intruder, who made several unsuccessful attempts to regain access in the following weeks.

Cisco's CSIRT and Talos teams found no evidence that the attacker accessed critical internal systems such as the production environment or the code-signing infrastructure.

At the time of the 2022 incident, Cisco assessed that the perpetrator was an initial access broker (IAB) with ties to UNC2447 (the group tracked by Mandiant and known for its use of the FiveHands malware), the Lapsus$ threat collective and the Yanluowang ransomware operation.

While the data the Kraken ransomware group has now posted comes from that older incident, its re-emergence shows that stolen credential material can resurface years later, and it underlines the increasing prevalence of credential-based attacks and the need for reliable, well-tested security measures.

Organizations should adopt proactive defences: forced password resets for every exposed account (for krbtgt, two resets spaced by at least the maximum ticket lifetime, because the previous key remains valid for ticket signing until the second change), disabling NTLM authentication after auditing which systems still depend on it, multi-factor authentication that resists vishing and push-fatigue, review of access logs for unauthorized activity, and network monitoring to detect intrusion attempts.
