Cisco Systems Data Allegedly Exfiltrated by Hacker Using Exploited API Token
A misconfigured public-facing DevHub platform led to the breach; the stolen data was put up for sale.
Initial reports of a potential Cisco breach surfaced when a hacker known as IntelBroker claimed on a hacking forum to have obtained sensitive Cisco data, including source code, hardcoded credentials, and internal documents. IntelBroker alleged that they had exploited an API token to gain access to Cisco’s internal systems and exfiltrated this data for sale.
What is the attack?
Cisco later confirmed that the breach stemmed from a misconfiguration in its public-facing DevHub platform, which inadvertently exposed certain files not intended for public access. These files included sensitive information downloaded by the attacker. However, Cisco stated that there is no evidence to suggest deeper access into its internal systems or core infrastructure.
Why did it get through?
Misconfiguration in Public-Facing Environment: The breach stemmed from improper access control in the public-facing DevHub platform, which inadvertently exposed sensitive files not intended for public access.
Exploitation of Legitimate Credentials (API Token): The attacker leveraged a valid API token to gain unauthorized access.
What is required to defend against this attack?
Behavioral Monitoring: Implement tools to detect unusual API usage, such as bulk downloads, abnormal access patterns, or activity from untrusted locations.
Proactive Configuration Hygiene: Use automated tools to identify and fix misconfigurations in public-facing systems, ensuring proper access controls are in place.
Secrets Management: Store API keys securely in vaults, enforce strict permissions, and use short-lived or dynamically generated tokens to minimize the impact of exposure.
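The behavioral-monitoring point above is easiest to see with detection logic run over access logs. The following is an added example, not code from the original article or from Cisco: it parses constructed API access-log lines (the log format, the token ids, the 10.0.0.0/8 trusted range and the thresholds are all assumptions made for this example) and flags, per token, bulk request counts within a sliding window, bulk byte volume, and requests from outside the trusted networks.

```python
"""Flag anomalous API-token usage over constructed access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed log format for this example:
#   <ISO-8601 UTC timestamp> <token_id> <source_ip> <method> <path> <response_bytes>
def _constructed_logs():
    """Constructed sample data, not real traffic."""
    lines = []
    base = datetime(2024, 10, 14, 9, 0, tzinfo=timezone.utc)
    # tok_a: a developer fetching three small files from a trusted network, 30 s apart
    for i in range(3):
        ts = (base + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} tok_a 10.20.30.40 GET /devhub/files/readme-{i}.md 2048")
    # tok_b: 25 five-megabyte downloads in two minutes from an untrusted address
    for i in range(25):
        ts = (base + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} tok_b 198.51.100.7 GET /devhub/files/archive-{i}.zip 5242880")
    return lines

SAMPLE_LOGS = _constructed_logs()

# Assumed policy: corporate egress range and anomaly thresholds (tune to your baseline)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WINDOW = timedelta(minutes=5)
BULK_REQUESTS = 20                 # requests per token within WINDOW
BULK_BYTES = 50 * 1024 * 1024      # bytes per token within WINDOW


def parse_line(line):
    ts, token, ip, method, path, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "token": token,
        "ip": ipaddress.ip_address(ip),
        "method": method,
        "path": path,
        "bytes": int(size),
    }


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def detect(lines):
    """Return {token_id: sorted finding names}; tokens with no findings are omitted."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    per_token = defaultdict(list)
    for e in events:
        per_token[e["token"]].append(e)

    findings = defaultdict(set)
    for token, evs in per_token.items():
        start = 0            # left edge of the sliding window
        running_bytes = 0    # bytes served inside the window
        for end, e in enumerate(evs):
            if not is_trusted(e["ip"]):
                findings[token].add("untrusted_source")
            running_bytes += e["bytes"]
            # Slide the window forward until it spans at most WINDOW
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                running_bytes -= evs[start]["bytes"]
                start += 1
            if end - start + 1 >= BULK_REQUESTS:
                findings[token].add("bulk_request_count")
            if running_bytes >= BULK_BYTES:
                findings[token].add("bulk_bytes")
    return {t: sorted(f) for t, f in findings.items()}


if __name__ == "__main__":
    for token, names in detect(SAMPLE_LOGS).items():
        print(token, names)
```

In this run only tok_b is reported, with all three findings; tok_a's three small requests from the trusted range stay below every threshold. In practice the thresholds would be derived from each token's historical baseline rather than fixed constants.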
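The configuration-hygiene and secrets-management points above share one idea: every published file carries an intended audience, and both the publication step and the token that fetches it are checked against it. The block below is an added example, not code from the article or from Cisco's DevHub. It assumes a hypothetical classification manifest for a DevHub-like file catalogue, a constructed HMAC signing key (in production the key would come from a vault), and a token format of base64url(JSON payload).base64url(HMAC-SHA256). It shows a hygiene check that reports internal-classified paths found in the public listing, and a short-lived, scoped token whose verification fails on tampering, expiry, or a request outside its scope.

```python
"""Exposure check plus short-lived scoped API tokens (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical classification manifest: published path -> intended audience.
MANIFEST = {
    "/devhub/files/sdk-guide.pdf": "public",
    "/devhub/files/sample-app.zip": "public",
    "/devhub/files/build-secrets.env": "internal",     # must never be served publicly
    "/devhub/files/internal-design.docx": "internal",
}

# Constructed demo key. In production: fetched from a secrets vault and rotated.
SIGNING_KEY = b"constructed-demo-key-rotate-me"


def find_exposed_internal(manifest, publicly_served):
    """Configuration-hygiene check: paths in the public listing that are not
    classified public. Unknown paths fail closed and are reported too."""
    return sorted(p for p in publicly_served if manifest.get(p, "internal") != "public")


def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, scope, ttl_seconds, now=None):
    """Issue a short-lived token bound to a subject and a list of audiences."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "scope": list(scope), "exp": now + ttl_seconds}
    body = _b64encode(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64encode(sig)}"


def authorize(token, path, manifest, now=None):
    """Return (allowed, reason). Checks signature, then expiry, then scope."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64decode(sig), expected):
        return False, "bad_signature"
    payload = json.loads(_b64decode(body))
    if payload["exp"] <= now:
        return False, "expired"
    # Unknown paths are treated as internal, so a token scoped to "public" cannot reach them
    if manifest.get(path, "internal") not in payload["scope"]:
        return False, "out_of_scope"
    return True, "ok"


if __name__ == "__main__":
    served = ["/devhub/files/sdk-guide.pdf", "/devhub/files/build-secrets.env"]
    print("exposed:", find_exposed_internal(MANIFEST, served))
    tok = mint_token("partner-dev", ["public"], ttl_seconds=900)
    print(authorize(tok, "/devhub/files/sdk-guide.pdf", MANIFEST))
    print(authorize(tok, "/devhub/files/build-secrets.env", MANIFEST))
```

The ordering inside authorize matters: the signature is verified before the payload is parsed, so an attacker-controlled body is never interpreted unless it was signed. A 15-minute lifetime bounds the value of a token that leaks, and scoping to an audience rather than to "everything the platform serves" means a misclassified or accidentally published internal file is still unreachable with a public-scope token.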