
Cisco Data Breach – Ransomware Group Allegedly Breached Internal Network & Leaked AD Credentials


A massive security breach has allegedly exposed sensitive credentials from Cisco’s internal network and domain infrastructure.

The Cyber Press Team has observed leaked data from the Kraken ransomware group posted on their dark web blog, which appears to be a dump of hashed passwords from a Windows Active Directory environment.

The leaked data includes a list of domain user accounts, unique identifiers (Relative Identifiers or RIDs), and NTLM password hashes.

The dump format suggests that the information may have been extracted using credential-dumping tools such as Mimikatz, pwdump, or hashdump.

Among the compromised accounts are:

  • Privileged administrator accounts (e.g., Administrator:500)
  • Regular user accounts (e.g., cisco.com\carriep)
  • Service and machine accounts associated with domain controllers (e.g., ADC-SYD-P-1$, ADC-RTP-P-2$)
  • The Kerberos Ticket Granting Ticket account (krbtgt), which, if compromised, could allow attackers to create forged authentication tokens.

[Image] Dump of NTLM password hashes from Windows Active Directory

Technical Breakdown of the Leak

Each entry in the dataset follows a distinct structure:

  1. Username and Domain – Identifies the user and associated Windows Active Directory domain.
  2. Relative Identifier (RID) – A unique identifier assigned to user accounts.
  3. LM Hash (usually disabled) – Shown as aad3b435b51404eeaad3b435b51404ee when no LM hash is stored (this is the LM hash of an empty password).
  4. NTLM Hash – A hashed representation of the user’s password, which could be cracked using brute force or dictionary attacks.
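As an added illustration (not code from the article, Cisco, or the threat actor), the following Python script triages a dump laid out in the field order just described: user:RID:LM hash:NTLM hash:::. It parses each line, flags the account classes the article singles out (RID 500, krbtgt, machine accounts), and adds two conditions a defender building a reset list wants to see: an NT hash shared by several accounts (the same password in use more than once) and the well-known NT hash of an empty password. Every sample line, account name and hash value below is a constructed placeholder; EMPTY_LM is the value quoted in the list above and EMPTY_NT is the standard NT hash of the empty string.

```python
import re
from collections import defaultdict

# Well-known constants, not taken from any leak: the LM field value stored when
# LM hashing is disabled, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump-style line: user:RID:LM:NT:::  (user may carry a DOMAIN\ prefix)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump(text):
    """Parse pwdump-formatted lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        domain, _, name = m.group("user").rpartition("\\")
        entries.append({
            "domain": domain or None,
            "name": name,
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return entries


def classify(entry):
    """Return (priority, reasons) for one account; lower priority number = reset first."""
    reasons = []
    name = entry["name"]
    if entry["rid"] == 500:
        reasons.append("built-in Administrator (RID 500)")
    if name.lower() == "krbtgt":
        reasons.append("krbtgt: Golden Ticket risk, reset it twice")
    if name.endswith("$"):
        reasons.append("machine/DC account: rotate the machine account password")
    if entry["lm"] != EMPTY_LM:
        reasons.append("LM hash present: weak legacy hash stored")
    if entry["nt"] == EMPTY_NT:
        reasons.append("empty password")
    if entry["rid"] == 500 or name.lower() == "krbtgt":
        priority = 0
    elif name.endswith("$") or entry["rid"] < 1000:
        priority = 1
    elif reasons:
        priority = 2
    else:
        priority = 3
    return priority, reasons


def shared_hashes(entries):
    """Map NT hash -> account names for hashes used by more than one account (password reuse)."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["name"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def reset_plan(text):
    """Produce an ordered reset list of (priority, name, reasons) from dump text."""
    entries = parse_dump(text)
    reuse = shared_hashes(entries)
    plan = []
    for e in entries:
        prio, reasons = classify(e)
        if e["nt"] in reuse:
            others = ", ".join(n for n in reuse[e["nt"]] if n != e["name"])
            reasons.append("NT hash shared with: " + others)
            prio = min(prio, 2)  # reuse alone is enough to move an account up
        plan.append((prio, e["name"], reasons))
    plan.sort(key=lambda t: (t[0], t[1].lower()))
    return plan


# Constructed sample: placeholder names, RIDs and hash values (not real data).
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ffeeddccbbaa99887766554433221100:::
corp.example\\carriep:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
corp.example\\jdoe:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ADC-SYD-P-1$:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy.svc:1107:0123456789abcdef0123456789abcdef:89abcdef0123456789abcdef01234567:::
this line is not a dump entry and is skipped
"""

if __name__ == "__main__":
    for prio, name, reasons in reset_plan(SAMPLE_DUMP):
        print(f"P{prio} {name:<14} {'; '.join(reasons) or 'standard user reset'}")
```

The output is an ordered worklist: the built-in Administrator and krbtgt come first, machine accounts next, then every account whose hash reveals a weakness (reuse, LM hash present, empty password), and finally ordinary users. Note that the script never attempts to recover any password; it only compares hash values with each other and with the two well-known constants.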

The exposure of NTLM hashes means that malicious actors could attempt to crack the passwords and gain unauthorized access to Cisco’s systems.

If attackers successfully crack privileged account credentials, they could escalate privileges, access critical network resources, and potentially deploy ransomware or other malicious payloads.

The presence of domain controller (DC) accounts in the dump indicates that attackers may have gained deep network access, potentially enabling lateral movement across the corporate infrastructure.

This could lead to privilege escalation through techniques such as Kerberoasting or Pass-the-Hash attacks.

Additionally, attackers might establish persistent access using methods like Golden Ticket or Silver Ticket attacks, ultimately facilitating the exfiltration of sensitive corporate and customer data.

Threat Actor Involvement

The leaked dataset is accompanied by a threatening message, indicating that the attackers may have been in Cisco’s network for an extended period.

The wording suggests an intent to return and inflict further damage, pointing to a potentially organized cybercrime group or nation-state actor.

While Cisco has not yet officially confirmed the breach, we recommend immediate countermeasures, including:

  • Forced password resets for affected users and service accounts.
  • Disabling NTLM authentication where possible, so that leaked hashes cannot simply be replayed for authentication.
  • Deploying multi-factor authentication (MFA) to mitigate credential compromise risks.
  • Investigating access logs for any unauthorized activity or privilege escalation attempts.
  • Implementing enhanced monitoring to detect further attempts at unauthorized access.
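To make the last two recommendations concrete, here is an added Python example (not code from the article or from Cisco) that runs two detection rules over Windows Security logon events exported as JSON lines. Rule 1 flags a privileged account authenticating over NTLM from a source address that is not one of the known administrative hosts; rule 2 flags an account that reaches three or more distinct sources over NTLM inside a short window, the fan-out pattern that lateral movement with a leaked hash produces. The event fields used (EventID 4624, LogonType, AuthenticationPackageName, IpAddress, TargetUserName) are standard fields of the Windows 4624 event; the log lines, addresses, account names, the privileged-account set and the admin-host allowlist are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log records reduced to the fields the rules need.
# Real events carry many more fields; 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOG = """
{"TimeCreated":"2024-01-15T08:00:00","EventID":4624,"TargetUserName":"carriep","LogonType":2,"AuthenticationPackageName":"Kerberos","IpAddress":"10.10.5.21"}
{"TimeCreated":"2024-01-15T08:01:10","EventID":4624,"TargetUserName":"Administrator","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.77"}
{"TimeCreated":"2024-01-15T08:01:40","EventID":4624,"TargetUserName":"Administrator","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.78"}
{"TimeCreated":"2024-01-15T08:02:05","EventID":4624,"TargetUserName":"Administrator","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.79"}
{"TimeCreated":"2024-01-15T08:03:00","EventID":4624,"TargetUserName":"Administrator","LogonType":3,"AuthenticationPackageName":"Kerberos","IpAddress":"10.10.1.5"}
{"TimeCreated":"2024-01-15T09:30:00","EventID":4624,"TargetUserName":"svc_backup","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.2.9"}
{"TimeCreated":"2024-01-15T08:05:00","EventID":4625,"TargetUserName":"jdoe","LogonType":3,"AuthenticationPackageName":"NTLM","IpAddress":"10.10.5.80"}
"""

# Constructed policy inputs: which accounts are privileged, and from which hosts
# administrative logons are expected (e.g. a jump host).
PRIVILEGED = {"Administrator", "svc_backup"}
ADMIN_HOSTS = {"10.10.1.5"}


def load_events(lines):
    """Parse JSON-lines records; blank or malformed lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue
        e["_ts"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    return events


def is_ntlm_network_logon(e):
    """Successful network logon (type 3) that used the NTLM package."""
    return (e.get("EventID") == 4624 and e.get("LogonType") == 3
            and str(e.get("AuthenticationPackageName", "")).upper() == "NTLM")


def privileged_ntlm_from_unknown_host(events, privileged=PRIVILEGED, admin_hosts=ADMIN_HOSTS):
    """Rule 1: privileged account used NTLM from a source outside the admin-host allowlist."""
    findings = []
    for e in events:
        if (is_ntlm_network_logon(e) and e["TargetUserName"] in privileged
                and e["IpAddress"] not in admin_hosts):
            findings.append((e["TargetUserName"], e["IpAddress"], e["TimeCreated"]))
    return findings


def ntlm_fan_out(events, threshold=3, window=timedelta(minutes=10)):
    """Rule 2: one account reaching >= threshold distinct sources over NTLM within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if is_ntlm_network_logon(e):
            per_user[e["TargetUserName"]].append((e["_ts"], e["IpAddress"]))
    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # sliding window from each event
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= threshold:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG.splitlines())
    for user, ip, when in privileged_ntlm_from_unknown_host(evts):
        print(f"[rule 1] privileged NTLM logon: {user} from {ip} at {when}")
    for user, ips in ntlm_fan_out(evts).items():
        print(f"[rule 2] NTLM fan-out: {user} -> {', '.join(ips)}")
```

Rule 1 is also a useful inventory before disabling NTLM: running it with an empty privileged set and an empty allowlist lists every remaining NTLM network logon, which is exactly the population that has to be migrated to Kerberos first. Failed logons (4625) are deliberately excluded from both rules so that a password-spray against a renamed account does not drown out the successful-use signal that matters after a hash leak.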

This incident underscores the growing threat of credential-based cyberattacks and the importance of robust security measures.

Organizations are urged to stay vigilant against similar threats by implementing strong authentication policies and continuously monitoring their network environments.
