Cisco Details
Cisco
San Jose, California • 83300 employees • Telecom hardware manufacturing
Industry
Telecom hardware manufacturing
Security Incidents
4
Cisco Systems, Inc. is a leading technology company headquartered in San Jose, California, primarily known for its networking hardware, software, and telecommunications equipment. Founded in 1984 by Leonard Bosack and Sandy Lerner, Cisco played a pivotal role in the development of the Internet with its development of IP-based networking technologies, which form the foundation of the modern internet. Today, Cisco continues to innovate in areas such as cybersecurity, Internet of Things (IoT), and cloud computing, catering to a wide range of businesses and governmental entities around the world.
Security Incidents
Cisco Breach of May 2022
Show more
Show more
Show more
Severity Score
Moderate to Significant
Type
UnknownSummary
Cisco experienced a significant cyber incident in late May 2022, involving the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. The breach was initiated when an attacker compromised a Cisco employee's personal Google account, which had corporate credentials saved and synchronized in the browser. The attacker used sophisticated voice phishing tactics to convince the employee to accept multi-factor authentication (MFA) push notifications, eventually gaining access to the corporate VPN. After initial access, the threat actor escalated privileges and execut...Show more
Severity
In late May, Cisco's corporate network was compromised by a coalition of cybercrime entities, including UNC2447, Lapsus$, and Yanluowang ransomware operators. The attack involved sophisticated techniques such as voice phishing (vishing) and MFA fatigue to exploit a Cisco employee’s synchronized browser credentials, ultimately achieving VPN access and escalating privileges across the network. Although the attackers stole 2.75 GB of data, which was later leaked on the Dark Web, Cisco confirmed that no sensitive customer or employee data, intellectual property, or critical services were impacted....Show more
Impact
The incident involved a sophisticated breach by the UNC2447 cybercrime gang, Lapsus$ threat actor group, and Yanluowang ransomware operators. They compromised a Cisco employee's personal Google account and used social engineering techniques such as voice phishing and MFA fatigue attacks to gain unauthorized access to Cisco's corporate network. Despite the attack, Cisco reported that no sensitive customer or employee data, intellectual property, or core services were affected. However, the attackers managed to steal and leak 2.75 GB of data containing 3100 files on the Dark Web, highlighting th...Show more
Cisco Breach of Sep 2024
The malicious code was traced back to a recently registered domain, rextension.net, suggesting the compromise occurred over the preceding weekend. It appears that the attackers exploited the CosmicSting vulnerability (CVE-2024-34102), a critical...
Show more
The attackers exploited a critical security flaw known as the CosmicSting vulnerability (CVE-2024-34102) in the Ado...
Show more
As a result of the breach, Cisco proactively took the affected online stores in the U.S., Europe, and Asia Pacific regions offline for maintenance. The attacke...
Show more
Severity Score
Moderate
Type
Cross-Site Scripting (XSS) AttackSummary
On September 4, 2024, Cisco's online store for company-branded merchandise was taken offline for maintenance after hackers injected malicious JavaScript code into its checkout process. The injected JavaScript targeted sensitive customer information, including credit card details, postal addresses, phone numbers, email addresses, and login credentials.The malicious code was traced back to a recently registered domain, rextension.net, suggesting the compromise occurred over the preceding weekend. It appears that the attackers exploited the CosmicSting vulnerability (CVE-2024-34102), a critical...
Show more
Severity
The incident involving Cisco's online store was a sophisticated data breach, primarily executed through the injection of malicious JavaScript code into the website's checkout process. This breach resulted in the exposure of sensitive customer information including credit card details, postal addresses, phone numbers, email addresses, and login credentials. Given that Cisco employees frequented the store, their credentials were also potentially compromised, magnifying the impact.The attackers exploited a critical security flaw known as the CosmicSting vulnerability (CVE-2024-34102) in the Ado...
Show more
Impact
The incident involving Cisco's online store was identified as a data breach, primarily due to the injection of malicious JavaScript code into the website's checkout process. This breach exposed sensitive customer information, notably credit card details, postal addresses, phone numbers, email addresses, and login credentials. Additionally, since this store was frequented by Cisco employees, their credentials may have also been at risk.As a result of the breach, Cisco proactively took the affected online stores in the U.S., Europe, and Asia Pacific regions offline for maintenance. The attacke...
Show more
Cisco Breach of Oct 2024
Cisco has reported that the breach did not occur via a direct attack on its internal systems. Instead, the data was accessed from a public-facing D...
Show more
W...
Show more
Show more
Severity Score
Moderate to Significant
Type
Data BreachSummary
On October 6, 2024, Cisco experienced a security incident involving unauthorized access to some of its files. The incident came to light after a hacker known as "IntelBroker" began selling data, purportedly sourced from Cisco, on a cybercrime forum. IntelBroker claimed that the breach involved access to sensitive files including GitHub and SonarQube projects, customer information, confidential documents, and various API tokens and encryption keys.Cisco has reported that the breach did not occur via a direct attack on its internal systems. Instead, the data was accessed from a public-facing D...
Show more
Severity
The recent security incident involving Cisco, where threat actor "IntelBroker" claimed to have breached the company's DevHub environment, resulted in the unauthorized exposure of developer data and sensitive information from various major companies such as Microsoft, AT&T, and Verizon. The compromised data included source code, hardcoded credentials, and API tokens, raising concerns about potential future misuse. The breach allegedly occurred via a third-party managed services provider, and despite ongoing investigations, Cisco maintains that its internal systems were not directly breached.W...
Show more
Impact
The recent incident involving Cisco was a data breach where information was accessed and allegedly put up for sale by a hacker known as IntelBroker. The data in question reportedly included sensitive developer data related to GitHub and GitLab projects, source code, API tokens, hardcoded credentials, certificates, and more; it was said to involve major companies including Microsoft, AT&T, Verizon, and T-Mobile. Cisco conducted an investigation and determined that their own systems were not breached; instead, the data was accessed from a publicly accessible DevHub environment designed for suppo...Show more
Cisco Breach of Aug 2024
Velvet Ant initially gained access to the switches with valid adm...
Show more
Show more
Fortunately, there was no widespread evidence of cus...
Show more
Severity Score
High
Type
Corporate BreachSummary
On July 1, 2024, Cisco released an advisory about a command injection vulnerability in its NX-OS software, identified as CVE-2024-20399. This vulnerability, used by a threat group known as Velvet Ant, allows authenticated users with administrator credentials to execute arbitrary commands at the root level on affected Nexus switches. Sygnia Security discovered and reported this exploit, detailing how Velvet Ant compromised the targeted switches by leveraging the limited visibility and logging features intrinsic to these devices.Velvet Ant initially gained access to the switches with valid adm...
Show more
Severity
On July 1, 2024, Cisco reported a command injection vulnerability (CVE-2024-20399) in its NX-OS software, which was actively exploited by the threat group Velvet Ant. The group leveraged administrator credentials to execute commands at the root level on Nexus switches, bypassing usual detection methods due to the limited visibility and logging features of these devices. The complexity of the attack was heightened by Velvet Ant's use of sophisticated malware, VelvetShell, which combined elements of TinyShell and 3proxy for deep system infiltration and persistence, with capabilities for command ...Show more
Impact
The Velvet Ant incident highlights the growing sophistication of cyber threat actors targeting network infrastructure. This was not merely a data breach but an advanced espionage campaign leveraging a CLI command injection vulnerability (CVE-2024-20399) in Cisco's NX-OS software on Nexus switches. Velvet Ant compromised these switches using valid administrator credentials to gain initial access before escalating privileges from the application level to the OS level, allowing them to execute arbitrary commands and remain persistently hidden.Fortunately, there was no widespread evidence of cus...
Show more
KEEP YOUR ENVIRONMENT SECURE
Weak credentials are the leading cause of breaches. Beyond Identity can help.
See MFA exploits in action
Watch how adversaries exploit companies in quick videos