Cisco Investigates Systems Hacking

Man

The company's source code and documents ended up in the hands of three hackers at once.

Cisco launched an investigation into a possible data leak after reports appeared on a hacker forum about the sale of information stolen from the company. Cisco confirmed the leak to BleepingComputer.

A company spokesperson said Cisco is aware that an unknown person claims to have gained access to certain files of the company. An investigation is currently underway to assess the allegations, but it has not yet been completed.

The report of the hack first came from a well-known threat actor named "IntelBroker," who claims that he and two other hackers, "EnergyWeaponUser" and "zjj," hacked Cisco on June 10 and stole a large amount of data related to the company's product development.

Compromised data: GitHub, GitLab, SonarQube projects, source code, hardcoded credentials, certificates, client SRCs, Cisco confidential documents, Jira tickets, API tokens, AWS private containers, Cisco technology SRCs, Docker builds, Azure storage containers, private and public keys, SSL certificates, Cisco Premium product information.


Hacker's post about the theft of Cisco data

IntelBroker also posted samples of allegedly stolen data, including databases, customer information, and screenshots of customer management portals. At the same time, the attacker did not specify how he managed to gain access to the data.

According to sources familiar with the incident, the information was stolen from a third-party provider of managed services for DevOps and software development. At the moment, it is not known whether the Cisco breach is related to the previous June incidents, including those at T-Mobile, AMD and Apple. BleepingComputer has reached out to this vendor to confirm a possible cyberattack, but so far there has been no response from the company.

 
Traitor's API: One Key Opened the Door to Cisco Systems

Why does the company close the developer portal if "there was no hacking"?

Cisco temporarily shut down the public DevHub portal after a leak of "sensitive" data, but insists that no traces of hacking of internal systems have been found.

The company explained that the leaked data was located in DevHub, an open Cisco resource center designed to publish program code, scripts, and other materials for customers. The investigation established that several files whose publication had not been authorized were publicly accessible.

Cisco claims that there are no signs of a leak of personal or financial information at this stage, but the investigation is ongoing to clarify exactly how much data was compromised.

The leak came to light after the hacker IntelBroker claimed that Cisco had been hacked and put stolen data and source code up for sale. The cybercriminal claims to have gained access to Cisco's third-party developer environment through a compromised API token.

During the investigation, Cisco did not recognize the incident as a hack, which displeased IntelBroker. In response, the hacker provided BleepingComputer with screenshots confirming access to the company's environment. Materials that included source code, configuration files with database credentials, technical documentation, and SQL files were also submitted to Cisco for review.

At the moment, it is unknown if any customer data was stored on the DevHub servers. None of these recordings have been uploaded to BleepingComputer.

IntelBroker claims to have retained access to the DevHub and the associated JFrog environment until today, when Cisco blocked access to all vulnerable resources. The hacker also reported the loss of access to Maven and Docker servers associated with the portal, but did not provide evidence.

When asked about a possible extortion attempt, IntelBroker said that he did not try to blackmail Cisco, as he did not expect trust in such agreements. According to him, "you cannot trust the threats of hackers, so you should not expect this from companies either". Cisco is expected to provide additional comments on this incident at a later date.
 