Using a combination of attacks Ciscos network was compromised by ga group that they beve has ties to by UNC2447, Lapsus$ and Yanluowang.

“During the investigation, it was determined that a Cisco employee’s credentials were compromised after an attacker gained control of a personal Google account where credentials saved in the victim’s browser were being synchronized,
The attacker conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker. The attacker ultimately succeeded in achieving an MFA push acceptance, granting them access to VPN in the context of the targeted user. "

Whoever that employee is, I hope they have learned to stop clicking links. You can't get an antivirus app for social engineering.

According to the post, they were able to mitigate the damage prior to a full-blown ransomware attack, and they do not believe any critical data was exposed.

The post at Talos goes on to explain how it happened, what attempts were made and code used to gain access, and that Cisco has created Clam antivirus definitions for the security community to use, which was rather nice of them.


Read more @ blog.talosintelligence.com