Cisco Data Breach - Leaks Active Directory Credentials
Overview
On 10 February 2025, the Kraken ransomware group claimed responsibility for a data breach involving Cisco Systems. They alleged that they had infiltrated Cisco's internal network and exfiltrated sensitive credentials from the company's Windows Active Directory (AD) environment. The leaked data comprised usernames, relative identifiers (RIDs, the account-specific final component of each security identifier, or SID), and NTLM password hashes. Cisco has refuted these claims, asserting that the data in question originates from a previously addressed incident in May 2022.
What Happened?
The Kraken ransomware group published a dataset on their dark web blog, which reportedly comprises:
Usernames and Domains - Identifying individual users and their associated AD domains.
Relative Identifiers (RIDs) - The per-account component of the SID. Well-known RIDs identify privileged accounts regardless of what they have been renamed to: 500 is the built-in Administrator and 502 is krbtgt.
NTLM Password Hashes - The NT hash of each password: an unsalted MD4 digest of the UTF-16LE-encoded password, which is the actual credential used in NTLM authentication.
The structure of the leaked data, one line per account, matches the pwdump output format (user:RID:LM hash:NT hash) produced by credential-dumping tools such as Mimikatz, pwdump, or Meterpreter's hashdump. These tools harvest credentials from process memory or from a host's Security Account Manager (SAM) database. The SAM, however, holds only local accounts, so a dump that contains domain users and the krbtgt account must have come from the domain database, NTDS.dit, on a domain controller, whether by copying the file or by requesting the secrets over the directory replication protocol (DCSync).
Breach Analysis
Credential Dumping Techniques
Credential dumping (MITRE ATT&CK technique T1003) involves extracting authentication credentials from operating systems. Tools like Mimikatz can read the memory of the Local Security Authority Subsystem Service (LSASS) to retrieve plaintext passwords, NT hashes, and Kerberos tickets for the users logged on to that host. A dump that covers domain accounts, including krbtgt, points to the domain database instead: either a copy of NTDS.dit taken from a domain controller, or a DCSync request, in which an account holding replication rights asks a domain controller for every account's secrets as though it were another domain controller. Either route requires domain-administrator-level access, which is itself the most important finding in a dump like this.
NTLM Hashes
NTLM (NT LAN Manager) is a family of Microsoft challenge-response authentication protocols that also provides session signing and sealing. Kerberos has been the default in Active Directory since Windows 2000, but NTLM remains enabled almost everywhere for backward compatibility, and hosts fall back to it whenever Kerberos cannot be used (for example, when a service is addressed by IP address rather than by name). The NT hash is an unsalted MD4 digest of the UTF-16LE password with no work factor, so its exposure is serious for two reasons:
Pass-the-Hash Attacks - The NT hash is the key from which the NTLM challenge-response is computed, so an attacker holding the hash can authenticate as the user to any NTLM-accepting service without ever learning the plaintext password.
Dictionary and Brute-Force Attacks - Because the hashes are unsalted and MD4 is fast, attackers can test billions of candidates per second on commodity GPUs and recover weak passwords outright; identical hashes also reveal which accounts share a password before any cracking is done.
The presence of privileged accounts in the leaked data, such as the built-in Administrator (RID 500) and krbtgt (the account whose key encrypts every Kerberos ticket-granting ticket), poses the most significant risk. With the krbtgt hash an attacker can forge ticket-granting tickets for any principal in the domain (a Golden Ticket), and those forged tickets remain valid until the krbtgt password has been changed twice; with the Administrator hash the attacker can take full control of the domain directly.
Potential Impact
If the leaked credentials are still valid, the attackers could:
Escalate Privileges - Gain administrative access to critical systems.
Lateral Movement - Navigate through the network to access additional resources.
Data Exfiltration - Extract sensitive corporate or customer data.
Deploy Ransomware - Encrypt data to disrupt operations and demand ransom.
The inclusion of domain controller accounts in the leak indicates that the attackers had access to the domain database itself, which means every secret in the directory, not only the user passwords listed, should be treated as compromised until it has been rotated.
Cisco's Response
Cisco has acknowledged the reports but clarified that the data relates to a security incident from May 2022, which was fully addressed at that time. The company stated that there was no impact on customers and that the incident has been resolved.
Recommendations
Regardless of the data's origin, organizations should implement the following measures to mitigate similar risks:
Enforce Password Resets - Reset every account that appears in the dump, including service and computer accounts, since an NT hash stays valid for exactly as long as the password does. Reset krbtgt twice, leaving enough time between the two resets for replication to complete and for outstanding tickets to expire (the default maximum ticket lifetime is 10 hours), because domain controllers keep the previous krbtgt key and accept tickets encrypted with it until it is rotated out.
Disable NTLM Authentication - Where possible, transition to Kerberos. Inventory NTLM use first through the audit options of the "Network security: Restrict NTLM" Group Policy settings, then enforce; as a minimum, set LmCompatibilityLevel to 5 so that LM and NTLMv1 responses are refused.
Implement Multi-Factor Authentication (MFA) - Add a second factor to interactive and remote logons. MFA does not stop pass-the-hash against services that still accept NTLM, so it complements rather than replaces the NTLM restrictions above.
Monitor Access Logs - Review security event logs for NTLM logons (event 4624 with authentication package NTLM) from unexpected sources and by privileged accounts, and alert on the patterns that hash-injection tools leave behind.
Conduct Security Audits - Perform periodic assessments, including an offline check of the domain's own hashes for empty, reused, and easily cracked passwords, to identify and remediate weaknesses before an attacker does.
Conclusion
This episode underscores the persistent threat that organizations face from capable adversaries. Even if the leaked data dates from a previously addressed incident, its resurfacing is a reminder that a credential dump remains dangerous until every credential in it has been rotated, and it highlights the importance of continuous vigilance, robust security measures, and proactive incident response to protect sensitive information and maintain clients' trust.