EXECUTIVE SUMMARY:
A recent cyberattack on Cisco revealed a multi-stage intrusion conducted by a threat actor linked to known cybercrime groups. The compromise began when a Cisco employee’s personal Google account was breached, allowing attackers to obtain corporate credentials synced via a web browser. Using social engineering and MFA fatigue techniques, the adversary tricked the victim into approving unauthorized VPN access. Once inside, the attacker deployed various persistence mechanisms and remote-access tools to expand control. Despite these efforts, Cisco’s internal security team successfully contained the intrusion, and no evidence indicated compromise of core business or product development systems.
The attacker employed a combination of credential theft, social engineering, and privilege escalation to infiltrate Cisco’s internal network. Initial access was followed by the installation of tools such as Cobalt Strike, Mimikatz, PowerSploit, and TeamViewer to enable lateral movement and data exfiltration. The adversary leveraged built-in Windows utilities for reconnaissance and domain enumeration, targeting Active Directory and attempting NTDS and SAM database dumps. They also used RDP and Citrix for internal movement and frequently cleared logs using wevtutil.exe to hide their traces. Manual command errors observed during the intrusion indicated human-operated activity rather than automated scripts.
Cisco’s rapid detection and incident response prevented further escalation and neutralized the attacker’s presence. The threat actor demonstrated persistence, attempting to regain access multiple times post-eradication but failed. The activity was attributed to a known initial access broker linked with ransomware groups known for data theft and extortion operations. The incident underscores the critical need for enforcing stronger MFA policies, limiting credential syncing across personal and enterprise devices, and enhancing employee awareness of vishing and MFA fatigue tactics. Overall, the case highlights the evolving sophistication of social engineering-driven malicious campaigns targeting enterprise environments.
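Two of the behaviours summarised above, log clearing with wevtutil.exe and MFA fatigue, leave detectable traces in process-creation and MFA push telemetry. The following detection logic is an added example, not code from the original report; the Sysmon-style records and MFA push log it runs over are constructed samples, and the field layout, user names and thresholds are assumptions.

```python
"""Detection logic for two behaviours in the summary above: clearing Windows
event logs with wevtutil.exe (T1070.001) and MFA-fatigue push storms."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1 style records: (UTC timestamp, user, command line).
PROCESS_EVENTS = [
    ("2025-01-10T09:01:00", "CORP\\jdoe", r"C:\Windows\System32\wevtutil.exe cl Security"),
    ("2025-01-10T09:01:05", "CORP\\jdoe", "wevtutil.exe clear-log System"),
    ("2025-01-10T09:02:10", "CORP\\jdoe", "wevtutil.exe qe Security /c:5"),  # read-only query
    ("2025-01-10T09:03:00", "CORP\\jdoe", "Wevtutil.exe CL Microsoft-Windows-PowerShell/Operational"),
]

# Constructed MFA push log: (UTC timestamp, user, result).
MFA_EVENTS = [
    ("2025-01-10T08:40:00", "jdoe", "denied"),
    ("2025-01-10T08:40:20", "jdoe", "denied"),
    ("2025-01-10T08:40:45", "jdoe", "timeout"),
    ("2025-01-10T08:41:10", "jdoe", "denied"),
    ("2025-01-10T08:41:30", "jdoe", "approved"),    # approval right after a burst of rejections
    ("2025-01-10T08:50:00", "asmith", "denied"),
    ("2025-01-10T12:00:00", "asmith", "approved"),  # normal: single approval, no recent burst
]

CLEAR_VERBS = {"cl", "clear-log"}  # wevtutil verbs that erase a log

def detect_log_clearing(events):
    """Return (timestamp, user, log name) for each wevtutil log-clear command."""
    hits = []
    for ts, user, cmdline in events:
        argv = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes intact
        if len(argv) >= 3 and argv[0].lower().endswith("wevtutil.exe") and argv[1].lower() in CLEAR_VERBS:
            hits.append((ts, user, argv[2]))
    return hits

def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=5)):
    """Flag an approval preceded by >= min_rejections denials/timeouts within window."""
    rejections = defaultdict(list)  # user -> timestamps of rejected or expired pushes
    alerts = []
    for ts, user, result in sorted(events):  # ISO-8601 strings sort chronologically
        t = datetime.fromisoformat(ts)
        if result in ("denied", "timeout"):
            rejections[user].append(t)
        elif result == "approved":
            recent = [r for r in rejections[user] if t - r <= window]
            if len(recent) >= min_rejections:
                alerts.append((ts, user, len(recent)))
            rejections[user].clear()
    return alerts
```

The log-clearing rule is also the place to correlate with Windows Security Event ID 1102, which the log itself records when it is cleared; the fatigue rule's threshold and window should be tuned to the organisation's normal rate of mistaken denials.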
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1595 | Active Scanning | — |
| Resource Development | T1583 | Acquire Infrastructure | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1098 | Account Manipulation | — |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism | — |
| Defence Evasion | T1070.001 | Indicator Removal | Clear Windows Event Logs |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1087.002 | Account Discovery | Domain Account |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol (RDP) |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | — |
| Impact | T1486 | Data Encrypted for Impact | — |
REFERENCES:
The following reports contain further technical details: