Cisco Breach

NHI Mgmt Group

Overview

In October 2024, Cisco experienced a significant cybersecurity breach involving Non-Human Identities (NHIs). The threat actor ‘IntelBroker’ exploited exposed credentials, API tokens, and keys located in DevHub, Cisco’s public development environment. This platform was used to support third-party developers building applications for Cisco devices. It unintentionally contained sensitive information, which gave the attacker unauthorized access to Cisco’s internal systems and customer data.

Incident Analysis

Root Causes

  • Secrets Mismanagement: secrets were left exposed without rotation and without any access-control measures.

  • Improper Storage: secrets were stored in a publicly accessible location.
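Both root causes come down to credential-like strings reaching a public location without anyone checking for them first. The following is an added example, not code from the original write-up, from Cisco, or from any NHI Mgmt Group tool: a small pre-publish scanner that a content pipeline could run before pushing files to a developer portal. The file names, the sample contents and every credential-looking value in it are constructed; the only real-world format it relies on is the documented ‘AKIA’ prefix of an AWS access key ID, and the assignment rule and entropy threshold are heuristics chosen for the example.

```python
import math
import re

# Constructed sample of files as they might sit in a public developer portal.
# Every credential-looking value here is fabricated for this example.
SAMPLE_FILES = {
    "docs/getting-started.md":
        "Call the API with your own token, e.g. `Authorization: Bearer <YOUR_TOKEN>`.\n",
    "examples/config.yaml":
        'api_key: "AKIAEXAMPLEEXAMPLE12"\nregion: us-west-2\n',
    "examples/client.py":
        'TOKEN = "sk_live_8fQ2mZx9pL4vW7nR3tY6bH1kJ5cD0eA"\nprint(TOKEN)\n',
    "README.md":
        "password = os.environ['DEVHUB_PASSWORD']\n",
}

# Detection rules. The 'AKIA' prefix is the documented format of an AWS access
# key ID; the assignment rule is a heuristic chosen for this example.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential_assignment", re.compile(
        r"(?i)\b(api[_-]?key|token|secret|password|passwd)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]


def shannon_entropy(value):
    """Bits of entropy per character; random keys score high, plain words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """Documentation placeholders such as <YOUR_TOKEN> or ${TOKEN} are not secrets."""
    return value.startswith("<") or value.startswith("${") or "YOUR_" in value.upper()


def redact(value):
    """Never echo a full secret into scanner output or CI logs."""
    return value[:4] + "..." + value[-2:]


def scan_files(files, min_entropy=3.0):
    """Return one finding per line that looks like a live credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if not match:
                    continue
                value = match.group(match.lastindex) if match.lastindex else match.group(0)
                if is_placeholder(value):
                    continue
                if kind == "credential_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy values are usually words, not keys
                findings.append({"path": path, "line": lineno, "kind": kind, "value": redact(value)})
                break  # one finding per line is enough to block publication
    return findings


def should_block_publish(files):
    """Gate for a publish pipeline: refuse to push if any finding exists."""
    return len(scan_files(files)) > 0


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']} {finding['kind']} {finding['value']}")
    print("blocked" if should_block_publish(SAMPLE_FILES) else "clean")
```

Run against the constructed files it flags the key in examples/config.yaml and the token in examples/client.py, ignores the documentation placeholder and the environment-variable lookup, and returns a blocking verdict. In a real pipeline the gate would sit in front of every push to the public portal, and the findings would be routed to the owning team rather than only printed.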

Attack Vector

Initial Access

The attacker discovered secrets such as API keys, tokens, and hard-coded credentials on DevHub. Because these secrets were publicly available, they gave the attacker access to Cisco’s systems.

Lateral Movement

The attacker used the overprivileged credentials he found to move laterally and expand his foothold in Cisco’s network.

Data Exfiltration

After expanding through the system, the attacker exfiltrated sensitive data and listed it for sale on underground forums, targeting entities that could misuse this information.

Impact

  • Data Exposure: internal data and customer information were compromised, posing risks to both Cisco and its clients.

  • Reputation Damage: Cisco faced scrutiny over its security practices, particularly its governance of NHIs and its ability to secure customer data.

Recommendations

Enhanced Secrets Management

  • Use secure vaults for storing secrets.

  • Automate secrets rotation and enforce short expiry dates.

  • Use fine-grained access tokens so that each token carries only the permissions it needs.

Training and Awareness

  • Educate teams on secure code practices and NHI management.

Adopt Least Privilege Principles

  • Ensure every NHI has only the privileges it needs, so that a leaked credential cannot be used for overprivileged access.
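The Enhanced Secrets Management and Least Privilege recommendations above describe the same control from two sides: a token should be short-lived, rotatable, and limited to exactly the scopes its workload needs. The following is an added example, not code from the original write-up or from Cisco, of a minimal token store that enforces all three at authorization time. The subject name ‘ci-build-bot’ and the scope names are hypothetical; the `now` parameter exists only so the expiry logic can be exercised deterministically.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Issues short-lived, scope-limited tokens and keeps only their hashes.

    Storing a hash rather than the token means a leaked copy of the store
    does not hand out usable credentials; expiry and scopes bound the damage
    of a token that leaks elsewhere.
    """

    def __init__(self):
        self._records = {}  # sha256(token) -> record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, subject, scopes, ttl_seconds, now=None):
        """Create a token for `subject` valid for `ttl_seconds` with exactly `scopes`."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._digest(token)] = {
            "subject": subject,
            "scopes": frozenset(scopes),
            "expires_at": now + ttl_seconds,
            "revoked": False,
        }
        return token

    def revoke(self, token):
        record = self._records.get(self._digest(token))
        if record is not None:
            record["revoked"] = True

    def rotate(self, token, ttl_seconds, now=None):
        """Revoke `token` and issue a replacement with the same subject and scopes."""
        record = self._records.get(self._digest(token))
        if record is None:
            raise KeyError("unknown token")
        self.revoke(token)
        return self.issue(record["subject"], record["scopes"], ttl_seconds, now)

    def authorize(self, token, required_scope, now=None):
        """Decide one request; returns (allowed, reason) so denials can be logged."""
        now = time.time() if now is None else now
        record = self._records.get(self._digest(token))
        if record is None:
            return False, "unknown token"
        if record["revoked"]:
            return False, "revoked"
        if now >= record["expires_at"]:
            return False, "expired"
        if required_scope not in record["scopes"]:
            return False, "insufficient scope"
        return True, "ok"


if __name__ == "__main__":
    store = TokenStore()
    # Hypothetical CI identity that only ever needs to read build metadata.
    ci_token = store.issue("ci-build-bot", ["builds:read"], ttl_seconds=3600)
    print(store.authorize(ci_token, "builds:read"))        # (True, 'ok')
    print(store.authorize(ci_token, "customers:export"))   # (False, 'insufficient scope')
```

The point of returning a reason string from `authorize` is that every denial is also a monitoring signal: a build identity repeatedly asking for a customer-data scope, or an expired token still being presented, is exactly the kind of event the next recommendation wants surfaced.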

Real-Time Monitoring

  • Deploy real-time monitoring and detection tools to flag abnormal activity as it happens.
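A leaked NHI credential is usually detectable because it is suddenly used in ways the legitimate workload never was. The following is an added example, not code from the original write-up or from Cisco, of a detector that learns a per-token baseline (source addresses, resource prefixes, peak request rate) from a known-good window and flags deviations in a recent window. The log format, the token id `tok_ci_01`, the addresses and the API paths are all constructed for the example; the spike factor is an assumption to tune per environment.

```python
import json
from collections import Counter, defaultdict


# Constructed API access log lines (JSON per line). The token id, hosts and
# paths are fabricated for this example.
def _event(ts, token_id, src_ip, path, status=200):
    return json.dumps({"ts": ts, "token_id": token_id, "src_ip": src_ip,
                       "path": path, "status": status})


# Baseline: one request a minute from a build host to the builds API.
BASELINE_LINES = [
    _event(f"2024-10-15T10:{m:02d}:00Z", "tok_ci_01", "10.0.0.5", "/api/v1/builds")
    for m in range(30)
]
# Recent window: the same routine traffic, then the same token used from an
# outside address to hammer a customer-data endpoint.
RECENT_LINES = (
    [_event(f"2024-10-15T10:{m:02d}:00Z", "tok_ci_01", "10.0.0.5", "/api/v1/builds")
     for m in (30, 31, 32)]
    + [_event(f"2024-10-15T11:00:{s:02d}Z", "tok_ci_01", "203.0.113.9",
              "/api/v1/customers/export") for s in range(40)]
)


def parse_lines(lines):
    return [json.loads(line) for line in lines]


def resource_prefix(path):
    """Collapse a path to its first three segments, e.g. /api/v1/customers."""
    return "/" + "/".join(path.strip("/").split("/")[:3])


def build_baseline(events):
    """Per token: source IPs, resource prefixes and peak requests per minute."""
    baseline = defaultdict(lambda: {"ips": set(), "prefixes": set(), "peak_per_min": 0})
    per_minute = Counter()
    for e in events:
        b = baseline[e["token_id"]]
        b["ips"].add(e["src_ip"])
        b["prefixes"].add(resource_prefix(e["path"]))
        per_minute[(e["token_id"], e["ts"][:16])] += 1
    for (token_id, _), n in per_minute.items():
        b = baseline[token_id]
        b["peak_per_min"] = max(b["peak_per_min"], n)
    return baseline


def detect_anomalies(baseline, events, spike_factor=5):
    """Compare recent events with the baseline; return one alert per new finding."""
    alerts, seen = [], set()

    def add(token_id, rule, detail):
        key = (token_id, rule, detail)
        if key not in seen:
            seen.add(key)
            alerts.append({"token_id": token_id, "rule": rule, "detail": detail})

    per_minute = Counter()
    for e in events:
        token_id = e["token_id"]
        b = baseline.get(token_id)
        if b is None:
            add(token_id, "UNKNOWN_TOKEN", "no baseline for this identity")
            continue
        if e["src_ip"] not in b["ips"]:
            add(token_id, "NEW_SOURCE_IP", e["src_ip"])
        prefix = resource_prefix(e["path"])
        if prefix not in b["prefixes"]:
            add(token_id, "NEW_RESOURCE", prefix)
        per_minute[(token_id, e["ts"][:16])] += 1
    for (token_id, minute), n in per_minute.items():
        peak = baseline[token_id]["peak_per_min"]
        if n > spike_factor * peak:
            add(token_id, "RATE_SPIKE", f"{n} requests in {minute}")
    return alerts


def run(baseline_lines, recent_lines):
    return detect_anomalies(build_baseline(parse_lines(baseline_lines)), parse_lines(recent_lines))


if __name__ == "__main__":
    for alert in run(BASELINE_LINES, RECENT_LINES):
        print(alert)
```

On the constructed data the detector raises three alerts for `tok_ci_01`: a new source address, a new resource prefix, and a rate spike in the 11:00 minute, while the routine build traffic raises none. Each alert names the identity, which is what lets a responder go straight to revoking and rotating that one token rather than hunting through the whole estate.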

Conclusion

This incident is a reminder of the growing threat posed by mismanaged non-human identities. It highlights the need for comprehensive security strategies, robust governance policies, and advanced monitoring tools to mitigate the risks associated with NHIs. By fixing these weaknesses, Cisco and other organizations can strengthen their cybersecurity defences and reduce future risk.

Figure: The stolen data listed on an underground forum (source: Oasis Security)