by Jennifer Lyn Walker, Director of Infrastructure Cyber Defense
On Tuesday, WaterISAC posted a lessons learned from the compromise of Twilio, What the Twilio Breach Teaches Us About Smishing and Access to Corporate Accounts and Data, highlighting why it was successful, how it presumably leveraged employees and former employees personal mobile devices, and the importance of security awareness. While we were not told about the status of Twilio’s MFA implementation, we have subsequently learned that the same (yet to be identified) group responsible for Twilio has also attacked Cloudflare and did attempt to bypass its MFA. Similar to Twilio, the actors used the same behaviors against Cloudflare employees. According to the company, more than 100 SMS messages were sent to its employees and their families, pointing them to websites hosted on domains that appeared to belong to Cloudflare. Also similar to Twilio, three employees fell for the phish, thus providing valid credentials to the attackers who subsequently used them to attempt to access Cloudflare’s systems, at which point they were challenged with an MFA prompt. The saving grace for Cloudflare – FIDO saved the day – the company uses physical (FIDO) security keys for MFA, which prevented the attacker from accessing its systems.
Unfortunately, yesterday afternoon we learned that Cisco has suffered a similar fate as Twilio and Cloudflare in the use of employees personal accounts. Furthermore, unlike Cloudflare, through a series of social engineering tactics, Cisco's MFA implementation was bypassed by the threat actors. Cisco was compromised by the Yanluowang ransomware gang who, according to Cisco's Talos Intelligence, obtained the user’s credentials and attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka "vishing") and MFA fatigue – the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving. The actor proceeded with a series of text book behaviors – some of which were reported in Joint Cybersecurity Advisory, Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability (AA22-074A), including enrolling a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then escalated to administrative privileges, allowing them to login to multiple systems, which alerted Cisco Security Incident Response Team (CSIRT), who subsequently responded to the incident.
Despite the fact that Cisco has experienced a compromise, it has been extremely forthcoming on how the actors bypassed and further enumerated its environment. What’s more notable, the threat actor behaviors Cisco describes is NOTHING new or innovative. It's the same behaviors we read about every day – confirming that threat actors keep doing the same thing because the same thing keeps working for them. Read more on Cloudflare at SecurityWeek and on Cisco at Talos Intelligence.
Members are highly encouraged to read and distribute the Talos Intelligence post as appropriate to senior leadership and legal teams. The report is not only a good example of cyber incident response, but a great model of public disclosure for the greater global good. Yes, Cisco has a duty to the world to be as transparent as possible, but we should all be so forthcoming. Does it mean everyone needs to be public about who they are – absolutely not!! Non-attributable reporting is why the ISACs/ISAOs exist. I beg everyone to stop keeping your cyber incidents so close to the vest. ISACs/ISAOs thrive on being able to help their sectors/communities understand the threats facing them. We do that best when we receive member reports that we anonymize and report out for the benefit of all members. Sadly, far too often, the news ends up leaking from elsewhere anyway, and that's unfortunate to first hear something about a sector organization’s cyber incident from the mass-media news.
