A network breach at Cisco that took place in May appears to have stemmed from a compromised employee account. The target was peppered with voice phishing attempts and push notifications until “MFA fatigue” finally caused them to fall victim.
Cisco network breach incident demonstrates risks of “MFA fatigue”
The Cisco network breach was traced back to an employee’s personal Google account that was syncing their company login credentials via Google Chrome. The Google account was protected by multi-factor authentication (MFA), but the attacker made a number of voice phishing attempts to bypass it. They reportedly also posed as the technical support departments of legitimate, well-known companies and sent a barrage of push requests to the target’s mobile device. MFA fatigue is thought to have been a factor, as the target eventually accepted one of these requests simply to silence them, kicking off the network breach: the attacker was given access to the Cisco VPN via the user’s account.
The attacker was reportedly able to escalate privileges once in, but was not able to reach “critical” systems with direct access to Cisco products before they were detected and removed. Cisco reports that the attacker spent weeks after the removal attempting to re-establish access to the network. After Cisco mandated that employees change passwords due to the network breach, the attacker targeted previously compromised accounts whose owners it believed would make only a simple single-character change to their prior password, and also registered several “copycat” domain names that were most likely intended for a phishing campaign. Cisco security noticed these registrations and took action before they could be leveraged.
John Gunn, CEO of Token, observes that it only takes a relatively small chink in the armor such as this to get by some of the world’s most advanced cybersecurity programs: “Even when protected by an army of 4 million IT Security Pros with a combined IT defense spend in excess of $150 billion, we are still seeing devastating hacks that exploit the most basic element of security – user authentication. The industry needs to wake up to the fact that Push Notification is not the panacea it was sold as.”
The attackers appear to have been quite sophisticated not only in their evasion of security after accomplishing the network breach, but in their repeated voice phishing attempts. The target reported receiving calls from several different people claiming to be working with several different well-known companies, all speaking English in a variety of international dialects. Cisco’s Talos Intelligence, the group performing a forensic investigation on the network breach, has identified a known initial access broker (IAB) that has ties to North Korean state-sponsored hackers and several ransomware gangs as the culprit.
The company believes that the Yanluowang ransomware gang, a group that has been observed targeting US companies throughout 2022, was working with the broker on this attack. In late July, the attacker emailed Cisco executives several times enclosing screenshots of compromised files and indicating that they intended to extort the company. However, they never made any specific demands and did not attempt to deploy any ransomware while they had access to the network.
Voice phishing growing along with MFA fatigue as network breach threats
Talos closed out their public account of the network breach by encouraging organizations to educate employees about how to handle errant or suspicious push requests, ensuring a clear point of contact is established in the event a malicious push request is suspected, enforcing stricter device controls to keep out unknown and unmanaged devices, and implementing network segmentation where possible along with centralized log collection. Voice phishing can also be addressed via familiarity with the conditions under which tech platforms will cold-call a user, which are usually extremely limited.
Though a private for-profit criminal group appears to be responsible for this particular incident, some nation-state actors have turned to various methods of voice phishing as an attack method. The attack on the DeFi platform Ronin in March reportedly involved fake job interviews conducted by North Korea’s state-backed hackers, which are unique among these threat groups in aggressively seeking to steal money for the regime. At least one fake crypto investment app that was taken down recently also employed women to chat with affluent male investors on the phone and convince them to make large deposits by flirting with them; while not a direct instance of voice phishing, it was an unusual length for an attacker to go to in order to inspire confidence in the target.
MFA fatigue is also increasingly appearing as a means of initial access, with attackers simply pestering targets with constant messages in the hope that the target will eventually approve one. The push notification generally accompanies a login attempt, which could overlap with a period of legitimate use of the service by the target and confuse them into approving the attempt. Some may also start agreeing to the notifications simply to make them stop. The MFA fatigue approach was observed in use by Russian state-sponsored hackers in 2021, targeting Microsoft Office 365 users via phone. For those susceptible to MFA fatigue because they deal with push notifications all day, most services now offer a two-digit number-matching sign-in option, in which the person approving the push must confirm a number that is displayed only to the legitimate user.
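Talos’s recommendation of centralized log collection and the push-spam pattern described above come together in a detection rule: a user whose device receives a burst of denied or unanswered push requests in a short window is under a fatigue attempt, and an approval that follows such a burst is the event worth paging on. The script below is an added example written for this article, not Cisco’s or Talos’s own tooling; the log format, field names, user names and IP addresses are constructed for illustration, and the thresholds (five unanswered pushes in ten minutes) are assumptions to be tuned against a real identity provider’s sign-in logs.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example for illustration only. The log format below is constructed;
real IdP logs carry different field names, but the same two signals apply:
a burst of non-approved pushes, and an approval that follows that burst.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, user, push outcome, source IP of the login attempt.
# alice receives six pushes she denies or ignores, then approves one (fatigue pattern).
# bob is a normal user: one approval, one accidental denial, then a normal approval.
SAMPLE_LOG = """\
2022-05-10T02:01:05Z alice push_denied 203.0.113.7
2022-05-10T02:01:40Z alice push_timeout 203.0.113.7
2022-05-10T02:02:30Z alice push_denied 203.0.113.7
2022-05-10T02:03:15Z alice push_timeout 203.0.113.7
2022-05-10T02:04:02Z alice push_denied 203.0.113.7
2022-05-10T02:06:48Z alice push_timeout 203.0.113.7
2022-05-10T02:09:12Z alice push_approved 203.0.113.7
2022-05-10T09:15:00Z bob push_approved 198.51.100.4
2022-05-10T09:30:00Z bob push_denied 198.51.100.4
2022-05-10T09:30:45Z bob push_approved 198.51.100.4
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a timezone-aware timestamp."""
    ts, user, outcome, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "outcome": outcome,
        "ip": ip,
    }


def detect_fatigue(log_text, window=timedelta(minutes=10), burst_threshold=5):
    """Return a list of alerts, in time order.

    'burst'           - a user has accumulated burst_threshold non-approved pushes
                        within `window` (attack likely in progress; reach out to the user).
    'fatigue_success' - an approval arrived while that many non-approved pushes were
                        still inside the window (treat the session as suspect).
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    pending = {}  # user -> deque of timestamps of non-approved pushes still in window
    alerts = []
    for e in events:
        q = pending.setdefault(e["user"], deque())
        # Slide the window: drop pushes older than `window` relative to this event.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["outcome"] == "push_approved":
            if len(q) >= burst_threshold:
                alerts.append({
                    "type": "fatigue_success",
                    "user": e["user"],
                    "ts": e["ts"],
                    "ip": e["ip"],
                    "prior_failed": len(q),
                })
            q.clear()  # an approval ends the episode; start counting afresh
        else:
            q.append(e["ts"])
            # Fire once per burst, at the moment the threshold is crossed.
            if len(q) == burst_threshold:
                alerts.append({
                    "type": "burst",
                    "user": e["user"],
                    "ts": e["ts"],
                    "ip": e["ip"],
                    "prior_failed": len(q),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_fatigue(SAMPLE_LOG):
        print(f"{alert['ts'].isoformat()} {alert['type']:16} user={alert['user']} "
              f"ip={alert['ip']} non_approved_in_window={alert['prior_failed']}")
```

Run against the sample, the rule produces two alerts for alice (a burst at the fifth unanswered push and a fatigue_success at the approval that follows it) and none for bob, whose single denial never reaches the threshold. The burst alert is the early warning that lets a help desk contact the user through the pre-arranged channel Talos recommends, before an approval ever happens; the fatigue_success alert is the one that should trigger session revocation and a password reset.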
Erfan Shadabi, cybersecurity expert with comforte AG, adds more general advice for protection after an initial breach: “Organizations need to prepare for this (ransomware) eventuality with robust recovery capabilities combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can’t extract sensitive data. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can’t blackmail organizations with the threat of imminent release of that data.”
And Tim Prendergast, CEO of strongDM, believes that the emergence of methods such as voice phishing and MFA fatigue should prompt organizations to rethink access control strategies entirely: “Attackers are continually going after credentials because people inevitably make mistakes when moving fast to keep up with the pace of day-to-day operations. Employees might miss a misspelled word, an unknown email address or other phishing sign while going from task to task. Eliminating this risk isn’t about providing more training or putting up more access walls. Instead, organizations need to implement a process whereby users never know their credentials to critical infrastructures like servers, databases or Kubernetes clusters. Rather than point fingers, it is important for CISOs to re-evaluate the visibility and control of access across both applications and infrastructure.”