Employee’s compromised Google credentials led to Cisco breach
Cisco shared on its website Wednesday that it identified a security incident targeting its corporate IT infrastructure on May 24, saying it took immediate action to remediate the impact and has since hardened its IT environment.
Also on Wednesday, on its Cisco Talos security blog, the company’s security team said an employee’s credentials were compromised after an attacker gained control of a personal Google account to which credentials saved in the victim’s browser had been synced.
Through a series of sophisticated voice phishing attacks, the attacker eventually got the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker, which granted the attacker access to the VPN in the victim’s context. The security team posted that the attacker did not gain access to critical systems, but attempted to establish the ability to maintain and expand their access before being successfully removed. The attacker has been observed repeatedly trying to regain access in the weeks following the attack, but has been unsuccessful.