Cisco has reportedly fallen victim to a significant data breach, with sensitive credentials from its internal network and domain infrastructure leaked online.
The breach is allegedly linked to the Kraken ransomware group, which has published a dataset on its dark web blog.
The attackers reportedly left a threatening message alongside the leaked data, suggesting they may have maintained long-term access to Cisco’s network.
According to a Cyber Press Research report, this dataset includes usernames, security identifiers (SIDs), and NTLM password hashes, posing severe security risks to the tech giant’s corporate environment.
The leaked data appears to have been extracted from Cisco’s Windows Active Directory environment using credential-dumping tools like Mimikatz, pwdump, or hashdump.
These tools are commonly employed by cybercriminals and advanced persistent threat (APT) groups to harvest credentials stored in the Local Security Authority Subsystem Service (LSASS) memory or other system components. The dataset follows a structured format:
The compromised accounts include privileged administrator accounts (e.g., “Administrator:500”), regular user accounts, service and machine accounts (e.g., “ADC-SYD-P-1$”, “ADC-RTP-P-2$”) tied to domain controllers, and the Kerberos Ticket Granting Ticket (krbtgt) account.
The exposure of NTLM hashes is particularly concerning, as attackers could use them for unauthorized access and privilege escalation through techniques such as Pass-the-Hash or Kerberoasting.
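For an incident-response team handed a dump like the one described above, the first job is triage: which accounts must be reset first, which entries show an empty password, and which accounts share the same NT hash (the same password reused across a privileged and an ordinary account). The script below is an added example, not code from the report, from Cyber Press, or from Cisco. It assumes the dump uses the common pwdump/hashdump line layout `account:RID:LM_hash:NT_hash:::` (an assumption; the article only names pwdump as one of the likely tools), and the sample lines it parses are constructed, with fabricated hashes apart from the well-known hashes of the empty LM and NT password.

```python
"""Triage a pwdump/hashdump-style credential dump for incident response.

Added example, not code from the report or from Cisco. Assumes the
pwdump line layout ``account:RID:LM_hash:NT_hash:::``; the sample dump
below is constructed and its hashes are placeholders, except the
well-known hashes of the empty password.
"""
import re
from collections import Counter, defaultdict

# Well-known constants: LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample dump (names and hashes are made up, not real data).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jdoe:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1200:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
DC01$:1001:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
not a valid line
"""


def parse_dump(text):
    """Return one dict per line that matches the pwdump layout; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["lm"] = d["lm"].lower()
        d["nt"] = d["nt"].lower()
        entries.append(d)
    return entries


def classify(entry):
    """Assign a reset-priority tier from the account type, not from the hash value."""
    name, rid = entry["name"], entry["rid"]
    if name.lower() == "krbtgt" or rid == 502:
        return "P0-krbtgt"          # reset twice, with replication in between
    if rid == 500:
        return "P0-builtin-admin"   # built-in Administrator
    if name.endswith("$"):
        return "P1-machine"         # computer account, e.g. a domain controller
    if name.lower().startswith("svc"):
        return "P1-service"         # naming heuristic; an assumption
    return "P2-user"


def triage(text):
    """Summarize a dump: reset tiers, empty passwords, stored LM hashes, reused NT hashes."""
    entries = parse_dump(text)
    tiers = defaultdict(list)
    for e in entries:
        tiers[classify(e)].append(e["name"])
    empty_pw = [e["name"] for e in entries if e["nt"] == EMPTY_NT]
    # Any LM hash other than the empty one means LM storage is still enabled.
    lm_stored = [e["name"] for e in entries if e["lm"] != EMPTY_LM]
    counts = Counter(e["nt"] for e in entries if e["nt"] != EMPTY_NT)
    reused = {
        h: [e["name"] for e in entries if e["nt"] == h]
        for h, c in counts.items() if c > 1
    }
    return {
        "parsed": len(entries),
        "tiers": dict(tiers),
        "empty_password": empty_pw,
        "lm_stored": lm_stored,
        "reused_nt": reused,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
```

The tiers are ordered by blast radius: krbtgt first (a single reset is not enough, because tickets signed with the old key stay valid until the second reset has replicated), then the built-in Administrator, then machine and service accounts, then users. The reused-hash check is the one finding a dump makes visible that a normal directory audit cannot, since two accounts with identical NT hashes share a password.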
The breach could allow attackers to:
The inclusion of domain controller credentials in the leaked dataset indicates that attackers may have achieved deep network access, enabling further exploitation of Cisco’s infrastructure.
This points to the involvement of an organized cybercrime group or potentially a nation-state actor. While Cisco has not officially confirmed this specific breach, similar incidents in the past have involved sophisticated tactics such as social engineering, MFA fatigue attacks, and credential harvesting.
To address this type of breach, cybersecurity experts recommend:
This breach highlights the growing prevalence of credential-based cyberattacks and underscores the importance of robust security measures.
Tools like Mimikatz remain popular among attackers for credential dumping due to their ability to extract sensitive information from memory or registry files. Organizations must remain vigilant by adopting proactive defenses such as endpoint detection and response (EDR), strong password policies, and regular audits of authentication systems.
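The EDR-style detection that the paragraph above and the earlier description of LSASS credential harvesting both point at is a handle-access rule: alert when a process opens lsass.exe with memory-read or memory-write rights and is not a known, legitimate source. The following is an added example, not code from the report or from any EDR vendor, written against Sysmon Event ID 10 (ProcessAccess) field names. The allowlist, file paths, and the sample events are assumptions constructed for illustration.

```python
"""Flag credential-dumping style access to lsass.exe in Sysmon Event ID 10 data.

Added example, not code from the report or from any EDR product. Field
names follow Sysmon's ProcessAccess event; the allowlist and the sample
events are constructed assumptions to be tuned per environment.
"""

# Process access rights from winnt.h.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumption: sources that legitimately open lsass in this environment (lowercase paths).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event):
    """Return (flagged, reason) for one Sysmon ProcessAccess event given as a dict."""
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False, "target is not lsass.exe"
    access = int(event.get("GrantedAccess", "0x0"), 16)
    if not access & MEMORY_RIGHTS:
        return False, "no memory read/write rights requested"
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False, "allowlisted source"
    reasons = [f"GrantedAccess=0x{access:x}"]
    if access & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ")
    if access & (PROCESS_VM_WRITE | PROCESS_VM_OPERATION):
        reasons.append("PROCESS_VM_WRITE/PROCESS_VM_OPERATION")
    # A frame from unbacked memory in the call stack is a common injection indicator.
    if "unknown" in event.get("CallTrace", "").lower():
        reasons.append("UNKNOWN frame in CallTrace")
    return True, f"{source}: " + ", ".join(reasons)


# Constructed sample events (paths and call traces are made up).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400",  # query rights only, no memory access
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",  # PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4|UNKNOWN(000001F2A3B40000)"},
    {"SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0a4"},
]


def scan(events):
    """Return (SourceImage, reason) for every event the rule flags."""
    findings = []
    for e in events:
        flagged, reason = is_suspicious_lsass_access(e)
        if flagged:
            findings.append((e["SourceImage"], reason))
    return findings


if __name__ == "__main__":
    for _source, reason in scan(SAMPLE_EVENTS):
        print("ALERT", reason)
```

The rule keys on the access-rights bits rather than on an exact mask value, so it catches both the minimal read-only request and a full-access request, and it treats the allowlist as the only suppression, which keeps the noise from system processes manageable without hiding an unexpected binary in a user's temp directory.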