Yanluowang Ransomware Gang attacked Cisco Employee

“A security breach was disclosed by Cisco. Yanluowang Ransomware Group compromised Cisco’s Corporate Network in late May, while stealing internal data”

Cisco Security Incident Response (CSIRT) and Cisco Talos investigated the incident. The investigation revealed that the cybercriminals compromised the credentials of a Cisco employee after gaining access to the employee’s personal Google account. In that account, the adversary found confidential data that had been saved in the victim’s browser and was being synchronized.

With the sensitive data in hand, the adversary launched voice phishing attacks to trick the victim into accepting an MFA push notification that the attacker had initiated. The attack may not look that serious at this stage, but the risk was real: once the victim accepts the MFA push, the attacker gains access to the VPN in the context of the target.

Process of Scamming

The attackers gained initial access to the Cisco VPN by successfully compromising a Cisco employee’s personal Google account. Many of us use cloud platforms to store confidential data so that it is available in an instant whenever we need it.

In the same way, the victim had enabled password syncing in Google Chrome and had stored Cisco credentials in the browser, which allowed that data to sync to the Google account. The analysis published by Cisco Talos describes the situation in full detail.

Once the attacker had the victim’s sensitive data, he tried to bypass multi-factor authentication using several techniques, including voice phishing (vishing) and MFA fatigue. In an MFA fatigue attack, the attacker sends a high volume of push requests to the victim’s mobile device in the hope that the victim accepts one, either by mistake or simply to silence the persistent push notifications.

Posing as popular organizations, the attackers ran a series of sophisticated voice phishing attacks to convince the victim to accept the MFA push notification initiated by the adversary. In the end, the cybercriminals succeeded in their plan and gained access to the victim’s VPN.

According to Talos,

  1. The attacker obtained initial access.
  2. After that, they enrolled a series of new devices for MFA.
  3. Next, they successfully authenticated to the Cisco VPN.
  4. After that, the adversary escalated to admin privileges before logging into several systems.
  5. Moreover, the cybercriminals could easily drop various tools in the targeted network, including remote access tools, such as:
     • LogMeIn and TeamViewer
     • Cobalt Strike
     • PowerSploit
     • Mimikatz and Impacket

Researcher, Talos
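The MFA fatigue pattern and the device enrollment step described above can be hunted for in authentication logs. The following is an added example, not code from the original article or from Cisco Talos; the log format, the thresholds and all names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window for a push burst
THRESHOLD = 5                    # assumed count of denied/timed-out pushes
ENROLL_GAP = timedelta(hours=1)  # assumed window for enrollment after approval

# Constructed sample events: "<ISO timestamp> <user> <event> <detail>". Not real logs.
SAMPLE_LOG = """\
2024-01-15T09:00:00 alice push approved
2024-01-15T21:01:10 bob push denied
2024-01-15T21:01:40 bob push timeout
2024-01-15T21:02:15 bob push denied
2024-01-15T21:03:05 bob push timeout
2024-01-15T21:03:50 bob push denied
2024-01-15T21:04:30 bob push approved
2024-01-15T21:09:00 bob enroll new-device
2024-01-16T08:30:00 carol push denied
2024-01-16T08:30:40 carol push approved
"""

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (user, rule, timestamp) tuples, in log order."""
    rejected = defaultdict(deque)   # user -> times of denied/timed-out pushes
    suspicious_approval = {}        # user -> time of approval that ended a burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts_raw, user, event, detail = line.split()
        ts = datetime.fromisoformat(ts_raw)
        q = rejected[user]
        while q and ts - q[0] > window:   # drop rejections older than the window
            q.popleft()
        if event == "push" and detail in ("denied", "timeout"):
            q.append(ts)
        elif event == "push" and detail == "approved":
            if len(q) >= threshold:       # approval right after a burst of rejections
                alerts.append((user, "push_burst_then_approval", ts_raw))
                suspicious_approval[user] = ts
            q.clear()
        elif event == "enroll":
            approved_at = suspicious_approval.get(user)
            if approved_at and ts - approved_at <= ENROLL_GAP:
                alerts.append((user, "device_enrolled_after_suspicious_approval", ts_raw))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single denied push followed by an approval (the constructed user carol) stays below the threshold and raises no alert, so the thresholds should be tuned to the normal retry behaviour seen in the environment.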

Attackers were not able to breach sensitive data from the IT giant.

“We ensured that, during the attack, the contents of the Box Folder existed in the only successful Data Exfiltration that was related to the account of the victim. In this case, the information gathered by the adversary wasn’t sensitive”.


The Yanluowang gang did not deploy any ransomware on Cisco’s network during the attack. Instead, the ransomware group is trying to extort the company by publishing a list of files stolen from it, and it is threatening to leak all the data if Cisco does not pay the ransom.

“While we did not observe ransomware deployment in this attack, the TTPs used were consistent with “pre-ransomware activity,” activity commonly observed leading up to the deployment of ransomware in victim environments. Many of the TTPs observed are consistent with activity observed by CTIR during previous engagements.”

Talos experts

“Our analysis also suggests reuse of server-side infrastructure associated with these previous engagements as well. In previous engagements, we also did not observe the deployment of ransomware in the victim environments.”


The best thing you can do to protect yourself from such ransomware attacks is to learn about new technologies and the advancements companies are making in fighting them. Whether you know it or not, the possibility of these attacks rising is much greater than you could ever imagine. So, upgrading your techniques and knowledge is the only way to secure yourself. Learn and Grow!
