This document provides alerts and guidance on known current and active threats. The information provided is to inform decision makers in affected sectors and/or target groups to proactively shore up defenses and prepare mitigation strategies.

Executive Summary

A breach has been confirmed at Cisco as is evidenced by postings on a dark web forum. The threat actor IntelBroker and two other actors that go by usernames “EnergyWeaponUser” and “zjj” posted this on the 14th of October. Cisco has stated that the breach occurred on October 6th.

Key Details

  • The threat actors have stated that the compromised data is the following:
    • “Compromised data: Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products & More!”
  • Information is minimal on the vector of compromise but some sources have said it was through a third-party vendor providing DevOps and software development support.
  • This is the second breach this year for the company, with the first perpetrated by threat actor Velvet Ant (a China-attributed actor), which abused vulnerability CVE-2024-20399 to facilitate their attack chain. It is unknown if the two breaches are related.

MITIGATIONS

The following mitigations should be undertaken to reduce the likelihood of a breach and its impact on critical systems.

  • Ensure that all Cisco products are up to date with the latest patches and fixes available. However, any updates applied after October 6th should be examined to determine if any intrusions or suspicious behavior has occurred.
  • Increased monitoring should be applied to any and all Cisco devices so that suspicious activity or traffic on these devices is detected.
  • It is likely that further attacks will occur on Cisco devices based on the stolen materials. This warrants increased scrutiny over the long term, along with isolation and containment processes to segregate devices if suspicious activity is detected.
  • Credentials related to the management of these devices, including service accounts and representative accounts, should be rotated, and MFA should be enforced for all accounts.
  • Any cloud assets in use that are provided by Cisco should have accounts and access keys rotated to prevent any unauthorized access.

ANALYST COMMENTS

Given the claimed list of data stolen, it is highly likely this could facilitate further exploitation or creation of backdoors for Cisco devices. Software update vectors could also be vulnerable as a result. Therefore, it is important that any and all software updates for Cisco products, especially ones outside of normal scheduled maintenance, are vetted and installed in segregated staging environments so that the spread of malware or other compromise activity is limited should it occur. This might also warrant prolonged monitoring, given that source code theft is likely to lead to more vulnerabilities being discovered by threat actors in secret. Users of any Cisco cloud products should also take care to reissue access keys, credentials, and any other material used to grant access.
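One concrete part of vetting an update before it reaches staging is checking that the downloaded image matches the digest the vendor published out of band (Cisco's download pages list SHA-512 values for images). The following is an added illustration, not Cisco tooling and not part of the original advisory; it assumes the published digests are kept in a `sha512sum`-style manifest (`<hex digest>  <filename>`), and the image bytes and manifest it builds are constructed sample data.

```python
"""Verify a downloaded software image against a vendor-published SHA-512 digest.

Added example for update vetting: compute the digest of the file on disk,
compare it in constant time to the published value, and refuse the image on
any mismatch or when no published digest exists for that file name.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha512_of_bytes(data: bytes) -> str:
    """SHA-512 hex digest of an in-memory byte string."""
    return hashlib.sha512(data).hexdigest()


def sha512_of_file(path, chunk_size: int = 1 << 20) -> str:
    """SHA-512 hex digest of a file, streamed so large images do not load into RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text: str) -> dict:
    """Parse '<hex digest>  <filename>' lines (sha512sum format) into {filename: digest}.

    Blank lines and '#' comments are ignored; any other malformed line is an error,
    because silently skipping it could hide a tampered manifest.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 128:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        expected[name] = digest.lower()
    return expected


def verify_image(path, expected: dict) -> tuple:
    """Return (ok, reason). ok is True only when the file's digest matches the manifest."""
    name = Path(path).name
    if name not in expected:
        return (False, "no published digest for this file name; do not install")
    actual = sha512_of_file(path)
    # compare_digest avoids leaking where the two strings first differ.
    if not hmac.compare_digest(actual, expected[name]):
        return (False, "digest mismatch: image may be tampered; do not install")
    return (True, "digest matches published value")


def demo() -> tuple:
    """Build a constructed image and manifest, then verify a good and a tampered copy.

    Returns (good_ok, tampered_ok, unlisted_ok) so the outcome can be checked directly.
    """
    good_image = b"CONSTRUCTED-IMAGE-" + bytes(range(256)) * 64  # sample bytes, not a real image
    manifest = (
        "# constructed manifest: digest computed from the known-good sample bytes\n"
        f"{sha512_of_bytes(good_image)}  example-image.bin\n"
    )
    expected = parse_checksum_manifest(manifest)

    with tempfile.TemporaryDirectory() as d:
        good_path = Path(d) / "example-image.bin"
        good_path.write_bytes(good_image)
        good_ok, _ = verify_image(good_path, expected)

        # Flip one byte: same file name, same length, different digest.
        tampered_path = Path(d) / "tampered" / "example-image.bin"
        tampered_path.parent.mkdir()
        tampered = bytearray(good_image)
        tampered[100] ^= 0x01
        tampered_path.write_bytes(bytes(tampered))
        tampered_ok, _ = verify_image(tampered_path, expected)

        # A file the vendor never listed must also be rejected.
        unlisted_path = Path(d) / "unknown-image.bin"
        unlisted_path.write_bytes(good_image)
        unlisted_ok, _ = verify_image(unlisted_path, expected)

    return (good_ok, tampered_ok, unlisted_ok)


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The digest check only proves the file is the one the vendor published; it does not prove the vendor's build was clean, which is why the advisory still calls for installation in a segregated staging environment and for monitoring after deployment.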

REFERENCES

Cisco Investigates Breach After Stolen Data for Sale on Hacking Forum

https://www.bleepingcomputer.com/news/security/cisco-investigates-breach-after-stolen-data-for-sale-on-hacking-forum/

China Nexus Threat Group Velvet Ant

https://www.sygnia.co/blog/china-nexus-threat-group-velvet-ant/

Cisco Velvet Ant Hackers

https://therecord.media/cisco-velvet-ant-hackers-china