May 28, 2023

Cisco has confirmed that it was attacked by the Yanluowang ransomware group in May 2022.

As per the statement released by Cisco, the incident occured on their corporate network in late May and that they immediately took action to contain and eradicate the bad actors. Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.


The ransomware group published some of the data it stole on Wednesday (10th Aug 2022).

On August 10 the bad actors published a list of files from this security incident to the dark web, we have also implemented additional measures to safeguard our systems and are sharing technical details to help protect the wider security community.

The company added that among a host of actions taken in response to the attack, it has reached out to law enforcement.

CSIRT and Cisco Talos, in their blog post said that the Yanluowang gang compromised a Cisco employee’s credentials after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized.


The attacker conducted a series of sophisticated voice phishing attacks under the guess of various trusted organizations attempting to convince the victim to accept MFA push notifications initiated by the attacker and ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user.

The report adds that once the attacker obtained initial access, they enrolled a series of new devices for MFA and authenticated successfully to the Cisco VPN. The attacker then was able to escalate to administrative privileges, which allowed them to login to multiple systems. That action tipped off the CSIRT, but the group used several tools ranging from remote access programs like LogMeIn and TeamViewer to offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket to maintain access.

Cisco confirmed that the only successful data exfiltrated includes the contents of a Box folder that was associated with a compromised employee’s account. The data obtained by the adversary in this case was not sensitive.


Yanluowang group took credit for the attack, Cisco said that the initial attack was actually launched by an initial access broker with ties to other groups, including the UNC2447 cybercrime gang and the Lapsus$ threat actor group.

Cisco noted, the group emailed their executives but did not make threats or extortion demands. They shared a screenshot showing the directory listing of the Box data that was previously exfiltrated.

Leave a Reply

%d bloggers like this: