Networking behemoth Cisco is investigating data breach claims after prolific threat actor IntelBroker listed the company’s sensitive infrastructure information for sale on the dark web hacking forum BreachForums.
“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files. We have launched an investigation to assess this claim, and our investigation is ongoing,” said the company.
IntelBroker and accomplices EnergyWeaponUser and Zjj allegedly pulled off the heist on June 10. They claim they stole GitHub, GitLab, and SonarQube projects, source code, hardcoded credentials, “Cisco Confidential” documents, Jira tickets, API tokens, AWS and Azure buckets, Docker builds, private and public keys, SSL certificates, product information, and more.
The threat actor has provided a small data sample including a database, customer documents, and screenshots of management portals. However, Cisco claims the data breach did not affect its internal systems.
Cisco data breach impacts major corporations
The threat actor claims that the Cisco data breach impacts hundreds of high-profile corporations including AT&T US and Mexico, Verizon, T-Mobile USA and Poland, British Telecom, Chevron, Microsoft, Vodafone, SAP, Bank of America, and Barclays.
Cisco has yet to confirm the extent of the data breach. However, IntelBroker holds a 9/10 rating on BreachForums and has claimed other high-profile breaches that were later proven, so no evidence suggests that the threat actor is stretching the truth.
Previous data breaches claimed by IntelBroker include leaks from General Electric, Europol, Lulu Hypermarket, Zscaler, Home Depot, Facebook Marketplace, Space-Eyes, T-Mobile, AMD, Apple, HSBC, and Barclays.
The San Jose, California-based networking giant has also engaged law enforcement in the ongoing investigation. Cisco has not disclosed if the threat actor attempted to extort the company to avoid publishing the stolen data online.
Meanwhile, IntelBroker is selling the stolen information for an unspecified amount in the privacy-focused cryptocurrency Monero. Some security experts claimed the threat actor demanded $90,000 in exchange for the stolen data.
Cisco downplays data breach
In a statement posted on its website on October 15, Cisco downplayed the data breach by claiming that preliminary results of its ongoing investigation strongly suggest that “there has been no breach of our systems.”
Cisco also clarified that the data breach affected a “public-facing DevHub environment.” Nonetheless, the company admitted that a “small number of files that were not authorized for public download may have been published.”
Cisco’s preliminary findings also suggest that the data breach did not impact financial or personally identifiable information. However, the company promised to engage directly with customers if it determines that the cybersecurity incident affected them.
Meanwhile, Cisco has blocked public access to the implicated development hub to terminate the threat actor’s access.
“Out of an abundance of caution, we have disabled public access to the site while we continue the investigation,” said Cisco.
However, EnergyWeaponUser claims that, as of October 16, they could still access Cisco infrastructure and had acquired more source code. The threat actor now claims that the Cisco data breach affects up to 1,000 clients.
While Cisco claims that only the development infrastructure was compromised, the cybersecurity incident could severely impact the company and its B2B customers.
For instance, threat actors could abuse their access to inject malicious code into Cisco products and compromise downstream clients, resulting in supply chain attacks.