Cisco Investigating Data Breach Following Stolen Data For Sale On Hacking Forum

A threat actor known by the alias IntelBroker has claimed responsibility for a breach of Cisco and says they stole sensitive information from the company. Cisco, a major networking technology vendor, is investigating the claim.

IntelBroker is a Serbian threat actor who has been active since October 2022 and is known for several high-profile attacks, including against Europol, Pandabuy, and Apple. The actor has been linked to more than 80 data breaches and claims to reside in Russia for personal security.

Earlier this week, IntelBroker announced the Cisco breach in a post on BreachForums, a well-known online marketplace for stolen data. The post stated, "Today, I am selling the Cisco breach that recently happened (6/10/2024). Breached by IntelBroker, EnergyWeaponUser, and zjj."

According to the post, the data offered for sale includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer source code repositories, internal documents, Jira tickets, API tokens, private AWS buckets, Cisco Technology source repositories, Docker builds, Azure Storage buckets, private and public keys, and SSL certificates.

IntelBroker provided a small sample of the data as evidence of the breach but did not disclose how the attack was carried out.

Cisco is aware of the claims and confirmed it is investigating the incident. "Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files," a company spokesperson said. "We have launched an investigation to assess this claim, and our investigation is ongoing."


Background

IntelBroker's hacking activities began in October 2022 with smaller targets, but the actor drew wide attention in 2023 after breaching the food delivery service "Weee!". Early speculation held that IntelBroker was a skilled hacking group, possibly an Iranian advanced persistent threat (APT) group. In an interview with The Cyber Express, however, IntelBroker claimed to operate alone and disclosed personal details, including Serbian nationality and a current residence in Russia.

IntelBroker is also associated with the hacking group "CyberNiggers". By June 2024, IntelBroker had reportedly posted more than 80 leaks and data sales on BreachForums and claimed to have sold data from over 400 organizations; as of August 2024, IntelBroker had taken ownership of the forum itself.

Tactics

The actor uses a range of methods to gain unauthorized access, chiefly exploiting leaked credentials and vulnerabilities in public-facing applications. Once inside, they typically remain in the network for an extended period, escalating privileges and exfiltrating data. The stolen data is then ransomed, sold, or leaked, usually on BreachForums.
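Leaked and hardcoded credentials are the entry point this tactic depends on, which is why items such as hardcoded credentials, API tokens and private keys in a stolen source tree matter: each one is a ready-made foothold into another system. The scanner below is an added example written for this page; it is not Cisco's, IntelBroker's or any vendor's code. Its detection rules (AWS access key IDs, GitHub personal access tokens, PEM private-key headers and quoted password or API-key assignments), the placeholder list, the entropy threshold and the sample configuration it scans are all assumptions constructed for illustration. It shows the basic shape of a pre-commit or CI secret check: pattern match each line, then filter out placeholders and low-entropy values so the findings are actionable rather than noise.

```python
"""Added example: a minimal hardcoded-credential scanner (hypothetical code,
not from Cisco, IntelBroker or any vendor)."""
import math
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List

# Credential formats this scanner looks for. These patterns are assumptions
# chosen for illustration; production scanners carry hundreds of such rules.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # key = "value" style assignments; group 1 captures the quoted value
    "generic_password": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}

# Common dummy values that would otherwise trip the generic rule (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "your_password_here"}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted, safe to write to a log or ticket


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking secrets score above ~3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:8] + "..." if len(value) > 12 else value


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> List[Finding]:
    """Scan one file's contents line by line and return redacted findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "generic_password":
                value = m.group(1)
                # Drop placeholders and low-entropy strings such as "changeme".
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
            else:
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
    return findings


def scan_paths(paths: Iterable[str]) -> List[Finding]:
    """Scan each file path given; undecodable bytes are replaced rather than fatal."""
    results: List[Finding] = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            results.extend(scan_text(p, fh.read()))
    return results


# Constructed sample input. The AKIA value is AWS's documented example key,
# not a live credential; the other values are invented.
SAMPLE_CONFIG = """\
# constructed sample file, not from any real repository
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = "changeme"
api_key = "k8Jd92LmQ2vXz7Rt0pW4s"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
debug = true
"""

if __name__ == "__main__":
    # With file paths as arguments, scan those files; otherwise scan the sample.
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text("sample.cfg", SAMPLE_CONFIG)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
    sys.exit(1 if results else 0)
```

On the sample, the scanner reports the AWS key, the high-entropy API key and the private-key header, and skips the `changeme` placeholder. The non-zero exit status is what lets it block a commit or fail a CI job. Redacting the matched value in the finding matters in practice: a scanner that copies full secrets into build logs or tickets has simply created a second place for them to leak from. A real deployment would also keep a baseline of known test fixtures to suppress, and would treat any true hit as a credential to revoke and rotate, not merely to delete from the repository, since the value persists in git history.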

Endurance Ransomware

IntelBroker created a ransomware variant called "Endurance," written in C# and published on their GitHub page. Although labelled ransomware, Endurance functions as a wiper: it overwrites and then deletes the targeted files. The U.S. Department of Defense Cyber Crime Center reported that IntelBroker used Endurance in attacks on multiple U.S. government agencies and noted similarities to the Shamoon wiper malware attributed to Iranian actors, a link IntelBroker has denied.


Notable Cyber Attacks

Acuity

In April 2024, IntelBroker, along with fellow hacker Sanggiero, breached Acuity, a U.S. government technology contractor, gaining access to sensitive information related to the Five Eyes intelligence alliance and the U.S. military. The data, primarily stored in an Acuity GitHub repository, included communications between Five Eyes members and contact information for U.S. officials. Acuity later stated that the leaked information was outdated and non-sensitive.

Pandabuy

On March 31, 2024, IntelBroker assisted Sanggiero in hacking the Chinese e-commerce platform Pandabuy. The stolen user data was sold on BreachForums for a symbolic payment in Bitcoin. Before the leak, Pandabuy reportedly paid a ransom, but the data was still released. The breach allegedly involved details for over 3 million customers, although an analysis by Have I Been Pwned? found that only around 1.3 million entries were legitimate. Pandabuy's attempts to censor discussions about the leak on social media were met with backlash, and a "10% freight subsidy" offered as compensation was also poorly received. In June 2024, Sanggiero attempted to sell 17 million user records from the breach for $40,000 after another ransom demand was rejected.

Europol

On May 10, 2024, IntelBroker claimed to have accessed 9,128 confidential records from Europol, including employee data, source code, and documents. The records were sourced mainly from the Europol Platform for Experts and the SIRIUS program. Europol confirmed the leak but stated that it did not contain any operational information. The stolen data was later sold for cryptocurrency.

Apple

In June 2024, IntelBroker claimed to have obtained source code for several internal Apple tools and released the code on BreachForums. The tools were used for internal processes like user authentication and information sharing within Apple’s network. Further analysis found that the leaked data consisted of plugins for internal tools rather than actual source code, but still posed a potential security risk.

AMD

On June 17, 2024, IntelBroker announced a breach of semiconductor company AMD and offered the data for sale. The samples included details about future products, employee and customer information, source code, and financial records. AMD downplayed the incident, stating it was limited in scope and posed no material threat to the business, but the announcement coincided with a 2.4% drop in the company's share price.


Motty W.

Chief Executive Officer at Crygma LTD. Data Cyber Defense Consultants. Counter Espionage & Counter Intelligence Cipher Systems. The Highest Level of Cyber Defense for Secret Critical Data

6mo

Love this! Insightful! ⚠️ In this CyberWar Era, corporations must encrypt, at a military level, all their most sensitive information. ⛔️ Data that cannot be read is useless to cyber criminals.

Desiree R.

Building a Culture of Belonging Advocate | Mediator | Restorative Justice Facilitator | Criminal Justice Reformist | Community Organizer

6mo

I am currently experiencing significant stress due to recent hacks. Specifically, Cisco has rerouted my system, and my repositories, code spaces, and Azure business files have been accessed without my consent. Additionally, my earnings have been taken, and taxes have been filed in my name without my authorization. This situation has also led me to create multiple LinkedIn profiles.

Oyejide Timothy Odofin

Full-Stack Developer | AI | Tech Enthusiast| AWS certified|CKAD

6mo

Cisco should immediately investigate the breach, revoke any compromised credentials, enhance security measures, and work closely with law enforcement while maintaining transparent communication with stakeholders.

Sumit Kumar

penetration tester and programmer (python C/C++/Nodejs)

6mo

Very informative
