Experts from eSentire have established that the infrastructure used to hack Cisco in May 2022 had been used a month earlier to compromise an unnamed HR solutions company.
Researchers believe that malicious actors associated with Evil Corp. are behind these incidents.
As a reminder, we also reported that Cisco won't fix an RCE vulnerability in old RV routers.
Recall that in August 2022, Cisco representatives confirmed that in May the company's corporate network had been breached by the Yanluowang ransomware group. The attackers later tried to extort money from Cisco, threatening to publish the data stolen during the attack. At the time, the company emphasized that the hackers had managed to steal only non-confidential data from the Box folder associated with the compromised employee account.
eSentire analysts now say that the attack could have been the work of a criminal known as mx1r. It is believed that he is a member of one of the “branches” of the well-known Russian-speaking group Evil Corp (aka UNC2165).
The researchers write that the victim’s network was initially accessed using stolen VPN credentials, and then the attackers used ready-made tools for lateral movement.
Researchers link mx1r to Evil Corp because several of the attackers' tactics overlap, including a kerberoasting attack against the Active Directory service and the use of RDP for lateral movement within the company's network.
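The kerberoasting tactic mentioned above leaves a recognisable trace in domain controller logs: a single user account requesting service tickets for many different service principal names in a short time, typically with the weak RC4-HMAC encryption type (0x17), which is what makes the tickets crackable offline. The following detection sketch is an added example, not code from eSentire, Cisco, or the article; it scans constructed Windows Security event 4769 records (field names follow the 4769 event schema: TargetUserName, ServiceName, TicketEncryptionType, IpAddress), excludes computer accounts and krbtgt, and alerts on accounts that exceed a per-window threshold of distinct services. The window and threshold values are assumptions to be tuned per environment.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example, not from the article or eSentire. Sample events are
constructed; field names mirror the 4769 XML schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # TicketEncryptionType value for RC4-HMAC
WINDOW = timedelta(minutes=10)    # assumption: sliding window per account
THRESHOLD = 5                     # assumption: distinct SPNs per window


def ev(time, user, service, etype, ip):
    """Build a minimal 4769-style record (constructed sample data)."""
    return {"time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed telemetry: jdoe sprays RC4 ticket requests at six service
# accounts in under two minutes (the kerberoasting pattern); asmith makes
# three RC4 requests spread over an hour; bob requests AES tickets only.
SAMPLE_EVENTS = [
    ev("2022-04-12T09:00:01", "jdoe@CORP.LOCAL", "svc-sql", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:00:14", "jdoe@CORP.LOCAL", "svc-web", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:00:30", "jdoe@CORP.LOCAL", "WS01$", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:00:41", "jdoe@CORP.LOCAL", "svc-backup", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:01:02", "jdoe@CORP.LOCAL", "svc-sharepoint", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:01:25", "jdoe@CORP.LOCAL", "svc-exchange", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T09:01:50", "jdoe@CORP.LOCAL", "svc-reporting", RC4_HMAC, "10.20.30.40"),
    ev("2022-04-12T08:00:00", "asmith@CORP.LOCAL", "svc-sql", RC4_HMAC, "10.20.30.41"),
    ev("2022-04-12T08:25:00", "asmith@CORP.LOCAL", "svc-web", RC4_HMAC, "10.20.30.41"),
    ev("2022-04-12T08:50:00", "asmith@CORP.LOCAL", "svc-backup", RC4_HMAC, "10.20.30.41"),
    ev("2022-04-12T10:00:00", "bob@CORP.LOCAL", "svc-sql", "0x12", "10.20.30.42"),
    ev("2022-04-12T10:00:05", "bob@CORP.LOCAL", "svc-web", "0x12", "10.20.30.42"),
    ev("2022-04-12T10:00:09", "bob@CORP.LOCAL", "svc-backup", "0x12", "10.20.30.42"),
    ev("2022-04-12T10:00:12", "bob@CORP.LOCAL", "svc-sharepoint", "0x12", "10.20.30.42"),
    ev("2022-04-12T10:00:15", "bob@CORP.LOCAL", "svc-exchange", "0x12", "10.20.30.42"),
    ev("2022-04-12T10:00:18", "bob@CORP.LOCAL", "svc-reporting", "0x12", "10.20.30.42"),
]


def is_roast_candidate(event):
    """RC4 service-ticket requests for user-owned SPNs.

    Computer accounts (names ending in $) and krbtgt have long random
    keys, so they are not practical kerberoasting targets and are skipped.
    """
    svc = event["ServiceName"]
    return (event["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account whose peak distinct-SPN count within
    any sliding window reaches the threshold."""
    by_user = defaultdict(list)
    for event in events:
        if is_roast_candidate(event):
            by_user[event["TargetUserName"]].append(
                (datetime.fromisoformat(event["time"]),
                 event["ServiceName"], event["IpAddress"]))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        best = None  # (distinct count, start index, end index)
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it fits inside `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = len({svc for _, svc, _ in reqs[start:end + 1]})
            if best is None or distinct > best[0]:
                best = (distinct, start, end)
        if best and best[0] >= threshold:
            count, s, e = best
            alerts.append({"user": user, "source_ip": reqs[e][2],
                           "distinct_services": count,
                           "first_seen": reqs[s][0].isoformat(),
                           "last_seen": reqs[e][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over 4769 events exported from domain controllers via a SIEM; the useful tuning knobs are the window, the threshold, and an allow-list for legitimate scanners or monitoring accounts that enumerate SPNs by design. Enforcing AES-only Kerberos on service accounts and giving them long, managed passwords removes the weakness the detection relies on.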
At the same time, despite these connections, the HiveStrike infrastructure used to organize the attack largely matches the infrastructure of one of the "partners" of the Conti group, which had previously distributed the Hive and Yanluowang ransomware. These hackers eventually published the data stolen from Cisco on their dark web site.
Cisco representatives themselves wrote that the attack was most likely “carried out by an attacker who was previously an initial access broker and had connections with the UNC2447 cybercrime group, the Lapsus$ group, and the Yanluowang ransomware operators.”
These discrepancies don’t seem to bother eSentire analysts in the least: