
Cisco has denied allegations of a recent data breach following claims by the Kraken ransomware group that it had published sensitive internal data on its dark web leak site. The cybercriminal group asserted that the exposed dataset contained critical credentials from Cisco’s Windows Active Directory environment, raising concerns about potential security threats. However, the technology giant has clarified that the exposed information originates from an older security incident that was fully addressed in 2022.
According to reports from Cyber Press, the leaked dataset allegedly includes usernames, associated domains, unique relative identifiers (RIDs), and NTLM-hashed passwords. The compromised accounts are said to encompass privileged administrator credentials, standard user accounts, service and machine accounts linked to domain controllers, and even the Kerberos Ticket Granting Ticket (krbtgt) account. If such credentials were still valid, they could enable attackers to escalate privileges and move laterally within a network.
Security analysts suspect that the attackers employed credential-dumping tools such as Mimikatz, pwdump, or hashdump to extract the information. These tools are widely used by both cybercriminals and advanced persistent threat (APT) groups to obtain credentials stored in system memory. Additionally, the ransomware group left a warning message alongside the leaked data, hinting at future cyberattacks. “You lied to us and play for time to kick us out. We will meet you soon, again. Next time you’ll have no chance,” the message stated.
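As an added defensive example (not from the article, Cisco, or the tools named above), the following Python script shows how an incident responder would triage a pwdump-style credential dump of the kind described above: it parses the `DOMAIN\user:RID:LMhash:NTLMhash:::` format, flags the krbtgt account, the built-in Administrator (RID 500), machine accounts and empty passwords, and spots accounts that share the same NT hash so they can be prioritised for rotation. The sample dump and its hash values are constructed.

```python
import re
from collections import defaultdict
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # well-known NT hash of an empty password
# pwdump-style line: [DOMAIN\]user:RID:LMhash:NTLMhash:::
LINE_RE = re.compile(r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
                     r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

def parse_dump(text):
    """Parse pwdump-format lines into dicts; reject anything that does not fit the format."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        e = m.groupdict()
        e.update(domain=e["domain"] or "", rid=int(e["rid"]), nt=e["nt"].lower())
        entries.append(e)
    return entries

def triage(entries):
    """Return {user: [reasons]} saying why each leaked account needs priority attention."""
    by_nt = defaultdict(list)  # identical NT hash means identical password
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    report = {}
    for e in entries:
        reasons = []
        if e["rid"] == 502 or e["user"].lower() == "krbtgt":
            reasons.append("krbtgt: key that signs every Kerberos TGT; rotate first")
        if e["rid"] == 500:
            reasons.append("built-in Administrator (RID 500)")
        if e["user"].endswith("$"):
            reasons.append("machine account")
        if e["nt"] == EMPTY_NT:
            reasons.append("empty password")
        others = [u for u in by_nt[e["nt"]] if u != e["user"]]
        if others and e["nt"] != EMPTY_NT:
            reasons.append("password shared with " + ", ".join(others))
        report[e["user"]] = reasons
    return report

# Constructed sample dump, not the leaked data; the hashes are made-up values.
SAMPLE = r"""
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP\jsmith:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
CORP\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
CORP\svc_backup:1200:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
```

Running `triage(parse_dump(SAMPLE))` yields a rotation list in which krbtgt and the RID 500 account come first and the shared-password pair is called out together.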
In response, Cisco issued an official statement dismissing the claims of a new breach. The company clarified that the exposed credentials were remnants of a previously disclosed security incident from May 2022. “Cisco is aware of certain reports regarding a security incident. The incident referenced in the reports occurred back in May 2022, and we fully addressed it at that time. Based on our investigation, there was no impact to our customers,” the company stated.
The 2022 breach, as reported by Hackread.com, involved attackers gaining control of a Cisco employee’s personal Google account that stored company credentials. The threat actors then used advanced voice phishing (vishing) techniques to bypass multi-factor authentication (MFA) and infiltrate Cisco’s virtual private network (VPN). Although the attackers repeatedly attempted to regain access after being removed, Cisco’s security teams—CSIRT and Talos—found no evidence of them compromising critical internal systems, including the production environment and code signing infrastructure.
At the time, Cisco attributed the attack to an initial access broker (IAB) associated with UNC2447, a group linked to the FiveHands malware, Lapsus$, and the Yanluowang ransomware operation. The latest claims by the Kraken ransomware group suggest a re-emergence of credentials from this past breach, highlighting the persistent threat posed by credential-based cyberattacks.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543