Cisco Networks hacked by Yanluowang Ransomware Group

CISCO iOS Cisco Routers
Advisory ID:
August 12, 2022


Cisco has reported a security incident on their corporate network. Although, the company has said it did not identify any impact to their business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations. However, on August 10 the bad actors published a list of files from this security incident to the dark web.

Description & Consequence

The Yanluowang threat actors gained access to Cisco's network using an employee's stolen credentials after hijacking the employee's personal Google account containing credentials synced from their browser.

The attacker convinced the Cisco employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the Yanluowang gang that impersonated trusted support organizations.

The hacker gained access to the personal Gmail account which had Cisco VPN credentials saved in that account. Due to the fact that MFA was required for VPN authentication, the hacker used MFA push spamming (sending multiple MFA prompts to the user's phone), as well as impersonating Cisco IT support and calling the user. After connecting to the VPN, the hackers added new devices to the MFA list. This eliminated the need to repeatedly spam the user, allowing them to log into the network and begin moving laterally. The threat actor claimed to have stolen 2.75GB of data, consisting of approximately 3,100 files. Many of these files are non-disclosure agreements, data dumps, and engineering drawings. While Cisco claims it has not yet observed ransomware deployment in this attack, the Tactics, Techniques, and Procedures (TTPs) used were consistent with 'pre-ransomware activity,' which is commonly observed prior to ransomware deployment in victim environments.

Successful exploitation will result in, among other things, the following:

i. Ransomware deployment to compromise the systems.

ii. Sensitive products and customers data theft and exposure.

iii  Huge financial loss to organizations by incurring significant indirect costs, and could also mar their reputations.


  1. The first step to preventing ransomware attacks is to ensure that employees are using strong, unique passwords for every account and enabling multi-factor authentication (2FA) wherever it’s supported.
  2. In response to the attack, Cisco has immediately implemented a company-wide password reset. Users of Cisco products should ensure a successful password reset.
  3. As a precaution, the company has also created two Clam AntiVirus signatures (Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0) to disinfect any potentially compromised assets. Clam AntiVirus Signatures (or ClamAV) is a multi-platform antimalware toolkit that can detect a wide range of malware and viruses.
  4. User education is critical in thwarting this type of attacks or any similar attacks, including ensuring that employees are aware of the legitimate channels through which support personnel will contact users, so that employees can identify fraudulent attempts to obtain sensitive information.
  5. Organizations should ensure regular systems backup.



Related Articles