Cisco confirmed today that it took its public DevHub portal offline after a threat actor leaked “non-public” data, but it continues to state that there is no evidence that its systems were breached.
“We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed,” reads an updated statement from Cisco.
“At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published.”
Cisco says there are no indications that personal information or financial data was stolen but is continuing to investigate what data may have been accessed.
This statement comes after a threat actor known as IntelBroker claimed to have breached Cisco and attempted to sell data and source code stolen from the company.
BleepingComputer spoke to IntelBroker about the alleged breach, who said he gained access to a Cisco third-party developer environment through an exposed API token.
During Cisco’s investigation, IntelBroker grew increasingly frustrated when the company would not acknowledge a security incident, sharing screenshots with BleepingComputer to prove he had access to a Cisco developer environment.
These screenshots and files, which we also shared with Cisco, showed that the threat actor had access to most, if not all, of the data stored on this portal. This data included source code, configuration files with database credentials, technical documentation, and SQL files.
It is unclear what customer data was stored on these servers, and none was shared with us.
IntelBroker further claimed to have continued access until today, when Cisco blocked all access to the portal and the compromised jFrog developer environment. The threat actor also said he lost access to a Maven and Docker server related to the DevHub portal but did not share any proof of said access.
When asked if he attempted to extort Cisco not to publish stolen data, IntelBroker said he did not try as they would likely not trust him to keep his word.
“I wouldn’t trust a threat actor if they asked for money not to leak my stuff, so they shouldn’t either,” IntelBroker told BleepingComputer.
While Cisco continues to say that no systems were breached, everything we have seen does indicate that a third-party development was breached, allowing the threat actor to steal data.
BleepingComputer reached out to Cisco with further questions about these claims, but a reply was not immediately available.