- 14 Jul 2024

A threat actor operating under the name IntelBroker, one of the members of CyberN****rs, leaked 2.9GB on BreachForums (BF) [2024.12.17 00:19:50]: a partial set of Cisco data posted as proof,
while the full scale of the breach is claimed to be 4.5TB of data. The operation is described as a highly impactful supply chain attack.
According to the report, the "partial leak" includes: source code for critical Cisco products such as IOS XE & XR, ISE, SASE, Umbrella, and Webex;
GitHub and SonarQube projects; hardcoded credentials, certificates, and encryption keys; API tokens and AWS private bucket details; and confidential documents and Jira tickets.
The root cause of the Cisco breach was data exposed in Cisco's public-facing DevHub resource.
The DevHub environment was used to share scripts, source code, and other sensitive information with customers.
The threat actor also claimed access to Cisco customers' data, including:
Microsoft, AT&T, Barclays, British Telecom, Bank of America, Verizon, Vodafone, BT, SAP, and T-Mobile.
Overall, the compromised B2B client data includes over 26 production source codes. The number of impacted clients is over 1,000, covering 800 unique companies.

Furthermore, one of the earlier leaked samples included data on seven Cisco employees: names, usernames, email addresses, and hashed passwords.

A little background on the highly active and sophisticated threat actor IntelBroker, who became a member of CyberN****rs in 2023.
Due to similarities with Iranian malware variants used previously and the use of the infamous Shamoon wiping tool, the DoD Cyber Crime Center
suggested that the person might be linked to an Iranian state entity. However, IntelBroker denies these allegations, asserting independence
and claiming, in a YouTube interview, to be a single individual from Serbia who lives in Russia for operational safety.
The threat actor is behind breaches such as: Los Angeles International Airport, Europol, Apple, AMD,
Volvo, Hilton Hotels, General Electric, Hewlett Packard Enterprise, AT&T, Verizon, etc.
First, some clarification about the Cisco data breach, which initially occurred on October 6, 2024; the person
behind the breach was IntelBroker in collaboration with EnergyWeaponUser and zjj.
On October 14, 2024, the notorious threat actor known as IntelBroker posted on BreachForum, offering to sell sensitive data compromised on October 6, 2024.
IntelBroker stated on social media that they maintained access to Cisco's systems until October 18, claiming a total of 12 days inside.
On October 16th, EnergyWeaponUser posted on BF that he had more proprietary source code:

Also on October 16th at 7:12 PM IST, IntelBroker confirmed the use of hard-coded credentials on SSH servers for continued access to
Cisco Systems; the credentials had been obtained from the earlier exfiltrated data.
So even after being blocked by Cisco's security team, they claimed continued access by using hard-coded credentials.
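The secret categories named in the leak (hardcoded credentials, private keys, API tokens, AWS bucket details) and the hard-coded SSH credentials that gave the actor persistence are exactly what a pre-publication scan of a DevHub-style shared repository should catch before anything is exposed. The following is an added Python example, not Cisco's tooling and not code from the original post; the patterns, file suffixes and the sample deploy script are constructed for illustration.

```python
"""Scan text or a directory tree for the kinds of secrets named in the leak (constructed example)."""
import re
from pathlib import Path

# Hypothetical pattern set: one pattern per secret category listed in the post.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{6,})['\"]"),
    "api_token": re.compile(r"(?i)\b(?:api[_-]?key|token)\s*[:=]\s*['\"]([A-Za-z0-9_\-]{16,})['\"]"),
    "s3_bucket_uri": re.compile(r"\bs3://[a-z0-9][a-z0-9.\-]{2,62}\b"),
}

def scan_text(text: str, source: str = "<memory>") -> list[dict]:
    """Return one finding per (line, category) hit; the secret value itself is not echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append({"file": source, "line": lineno, "type": name})
    return findings

def scan_tree(root: str, suffixes=(".py", ".sh", ".yml", ".yaml", ".env", ".json", ".cfg", ".conf")) -> list[dict]:
    """Walk a directory (e.g. a release staging area) and scan files with the given suffixes."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample of a deploy helper that should never reach a customer-facing share.
# The AWS key is the documented placeholder value, not a real credential.
SAMPLE = """#!/bin/sh
# deploy helper (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "Sup3rS3cret!"
aws s3 cp build.tgz s3://internal-release-bucket/
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "deploy.sh"):
        print(finding)
```

A non-empty result from `scan_tree` on a staging directory is a reason to block the publish step, and each hit should be rotated, not just deleted, since the value may already have been copied.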


On October 18, IntelBroker announced that Cisco had successfully closed their Docker, Maven Hub, and SSH entry points.

Cisco reported: “We have determined that the data in question is on a public-facing DevHub environment. As of now,
we have not observed any confidential information such as sensitive PII or financial data.”
It's important to note that the Cisco breach affects not only one company and its data theft, but the compromise of
over 26 B2B clients' production source codes and the exfiltration of over 800 B2B customers' data.
Cisco is continuing its investigation to assess the breach and its impact.
https://x.com
Edited by moderator: