Networking gear manufacturer Cisco has disclosed that a data breach stemming from a voice phishing (vishing) attack targeting a third-party CRM system leaked customer information.
Upon learning of the data breach on July 24, Cisco immediately disconnected the impacted CRM system to prevent further exploitation. It also launched an investigation and notified impacted individuals and relevant authorities.
“Upon learning of the incident, the actor’s access to that CRM system instance was immediately terminated and Cisco commenced an investigation. Cisco has engaged with data protection authorities and notified affected users where required by law,” it stated.
Cisco says the voice phishing attack targeted a company representative, allowing the threat actor to access a subset of basic profile information from one instance of its third-party cloud-based CRM system.
Voice phishing attack breaches Cisco’s CRM system
Cisco’s subsequent investigation determined that the threat actor obtained account profile information for customers registered on Cisco.com.
Details leaked from the CRM system included the “name, organization name, address, Cisco assigned user ID, email address, phone number, and account-related metadata – such as creation date.”
However, Cisco said the threat actor did not access “customers’ confidential or proprietary information,” or account login information, or “other types of sensitive information.”
“The scope of data exposed may seem limited, basic profile and account metadata, but in the wrong hands, this kind of information is the perfect staging ground for follow-on phishing attacks, account takeover attempts, or more elaborate impersonation campaigns,” warned Ensar Seker, CISO at SOCRadar. “It’s not just about what was stolen, it’s about what attackers can now simulate or engineer using that data.”
Similarly, the cyber attack did not affect Cisco products and services, as it was confined to the third-party hosted CRM system.
Subsequently, the networking giant implemented additional security measures to prevent a similar attack and started re-educating its employees on how to avoid targeted voice phishing attacks.
“We are implementing further security measures to mitigate the risk of similar incidents occurring in the future, including re-educating personnel on how to identify and protect against potential vishing attacks,” it stated.
However, Cisco has not disclosed the number of users impacted or the identity of the threat actor behind the voice phishing attack. It also has not publicly named the third party responsible for hosting the compromised cloud-based CRM system.
Ongoing voice phishing campaign
Meanwhile, a similar ongoing voice phishing campaign targeting a Salesforce-hosted CRM system used by various organizations has been attributed to the ShinyHunters cyber extortion gang. Salesforce also lists Cisco as one of its high-profile customers, suggesting that the cyber attack was related to the ongoing voice phishing campaign.
So far, the prolific data leaker claims to have breached over a dozen high-profile organizations via the Salesforce CRM system. Confirmed victims of the ShinyHunters voice phishing campaign include Google, Chanel, Louis Vuitton, Dior, Tiffany & Co., Adidas, Allianz Life, LVMH, and the Danish jewelry maker Pandora.
The ShinyHunters’ voice phishing attacks lure employees into authorizing a rogue bulk data import OAuth application on their company’s Salesforce portal. Upon gaining access, the attackers exfiltrate the organization’s most critical information and demand a ransom to avoid leaking the stolen data online.
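As an added example (not from Cisco, Salesforce or the original article), a defender can review OAuth application grants against an allowlist and measure how much data each unapproved app read through the grant afterwards. The event records, field names, app names and threshold below are constructed for illustration and are not a real Salesforce log schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names are hypothetical, not a real CRM log schema.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T09:02:11", "type": "oauth_authorize", "user": "rep.a@example.com", "app": "Approved Data Loader"},
    {"ts": "2025-07-01T09:05:40", "type": "api_query", "user": "rep.a@example.com", "app": "Approved Data Loader", "rows": 1200},
    {"ts": "2025-07-02T14:31:07", "type": "oauth_authorize", "user": "rep.b@example.com", "app": "Unlisted Import Tool"},
    {"ts": "2025-07-02T14:33:52", "type": "api_query", "user": "rep.b@example.com", "app": "Unlisted Import Tool", "rows": 48000},
    {"ts": "2025-07-02T14:39:15", "type": "api_query", "user": "rep.b@example.com", "app": "Unlisted Import Tool", "rows": 52000},
    {"ts": "2025-07-03T10:00:00", "type": "oauth_authorize", "user": "rep.c@example.com", "app": "Calendar Sync"},
]

APPROVED_APPS = {"Approved Data Loader"}  # allowlist kept by the CRM admins (assumed)


def flag_unapproved_oauth_apps(events, approved, bulk_rows=10000):
    """Return one finding per (user, app) grant to an app outside the allowlist,
    with the number of rows that app read through the grant afterwards."""
    allow = {name.casefold() for name in approved}
    grants = {}                    # (user, app) -> time of first authorization
    rows_after = defaultdict(int)  # (user, app) -> rows read after the grant
    # Timestamps share one ISO 8601 format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["app"].casefold() in allow:
            continue
        key = (ev["user"], ev["app"])
        if ev["type"] == "oauth_authorize":
            grants.setdefault(key, datetime.fromisoformat(ev["ts"]))
        elif ev["type"] == "api_query" and key in grants:
            rows_after[key] += ev.get("rows", 0)
    findings = []
    for (user, app), when in grants.items():
        rows = rows_after[(user, app)]
        findings.append({
            "user": user,
            "app": app,
            "authorized_at": when.isoformat(),
            "rows_read": rows,
            # Any unapproved grant needs review; bulk reads after it raise severity.
            "severity": "high" if rows >= bulk_rows else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_unapproved_oauth_apps(SAMPLE_EVENTS, APPROVED_APPS):
        print(finding)
```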
Salesforce and Google had previously warned companies of the ongoing voice phishing attacks by the prolific cyber extortion gang.
While the data breach did not leak any sensitive information, Google also recently warned that the threat actor has begun sending targeted phishing messages to impacted customers.
“This incident is a stark reminder that even global technology leaders aren’t immune to highly targeted social engineering tactics like vishing,” added Seker. “What stands out here is that the compromise didn’t stem from a technical vulnerability, but from a moment of human trust being exploited. Once the attacker bypassed that human firewall, they pivoted into a third-party CRM platform, illustrating just how interconnected, and potentially vulnerable, today’s enterprise ecosystems have become.”

