Excerpt from Hack Read Article, Published on Feb 11, 2025.

Cisco has denied claims by the Kraken ransomware group of a new data breach, stating that the credentials Kraken leaked originate from a past security incident. The Kraken ransomware group published what it claimed to be sensitive data stolen from Cisco's internal network, including usernames, domains, NTLM password hashes, and privileged administrator accounts. Cisco has clarified that this data comes from a previously disclosed breach in May 2022, which it says was fully mitigated and did not impact its customers.

The Kraken ransomware group alleges that the leaked dataset was obtained using credential-dumping tools such as Mimikatz, pwdump, or hashdump, tools widely used by attackers to extract password hashes from Windows hosts (from LSASS process memory or the local SAM database). Alongside the leak, the attackers posted a threatening message indicating their intent to target Cisco again. The message read, "You lied to us and played for time to kick us out. We will meet you soon, again. Next time you'll have no chance." Despite these claims, Cisco has firmly denied that a new security breach has occurred. The company reaffirmed that the Kraken group is recycling stolen data from the 2022 incident. That breach began when attackers compromised a Cisco employee's personal Google account in which corporate credentials had been synced to the browser; Cisco's security teams, including CSIRT and Talos, responded, removed the intruder, and found no evidence of unauthorized access to critical internal systems.

At the time, Cisco linked the attack to an initial access broker associated with UNC2447, a group known for deploying FiveHands malware, with ties to the Lapsus$ collective and the Yanluowang ransomware operation. The reappearance of this data under the Kraken name highlights the persistent threat of credential-based attacks: an NTLM hash dump stays directly usable for pass-the-hash and offline cracking for as long as the underlying passwords remain unchanged, so a "mitigated" incident of this kind implies that the exposed accounts were rotated. Cisco's response underscores the importance of proactive measures. Organizations should enforce strict password policies, disable NTLM authentication where legacy dependencies allow, adopt phishing-resistant MFA that cannot be satisfied by approving a push prompt, and enhance network monitoring to detect and mitigate intrusion attempts. While Kraken attempts to revive past incidents, Cisco remains steadfast in protecting its systems and customers.

To delve deeper into this topic, please read the full article at Hack Read.