IntelBroker Targets Cisco in High-Impact Data Breach

Threat Group: IntelBroker
Threat Type: Data Breach, Espionage
Exploited Vulnerabilities: Third-party DevOps provider involvement, hard-coded credentials, API tokens
Malware Used: N/A
Threat Score: High (9.0/10) — Significant exposure of source code, credentials, and customer data
Last Threat Observation: October 6, 2024

Overview

IntelBroker, in collaboration with EnergyWeaponUser and Zjj, orchestrated a significant breach of Cisco’s internal systems on October 6, 2024, resulting in the theft of extensive sensitive data. This breach, affecting some of Cisco's largest customers like Microsoft, Barclays, SAP, and T-Mobile, exposed critical developer resources such as source code, hardcoded credentials, SSL certificates, API tokens, AWS and Azure storage buckets, and confidential documents.

The hacker group IntelBroker has gained notoriety in 2024 for similar attacks, targeting organizations including T-Mobile, AMD, and Apple. In this attack, IntelBroker announced the breach on BreachForums, where they shared samples of the stolen data. Cisco, acknowledging the attack, launched an immediate investigation and warned affected clients to remain vigilant. The breach, leveraging vulnerabilities in third-party DevOps providers, raises major concerns over data security, particularly for organizations dependent on such services for development and cloud infrastructure.

Key Details

  • Delivery Method: Exploitation of vulnerabilities in third-party DevOps providers
  • Target: Cisco internal systems and sensitive customer data from high-profile companies including Microsoft, Barclays, SAP, T-Mobile, AT&T, and Verizon
  • Functions:
    1. Theft of sensitive data from GitHub, GitLab, and SonarQube repositories, including source code and certificates
    2. Compromise of hardcoded credentials, SSL certificates, and API tokens, posing risks of impersonation and unauthorized access
    3. Exposure of confidential documents and customer data, such as management portal screenshots, highlighting the attack's depth
    4. Leaked developer data, including critical assets for Microsoft and Barclays, posing potential long-term risks to these organizations

IntelBroker’s post on BreachForums detailed the breadth of the compromised data, including developer source code, Jira tickets, customer information, and SSL certificates. Screenshots of Cisco customer management portals were leaked to verify the authenticity of the data, with additional technical documents and customer records being shared.

Breach Impact and Risks

The potential fallout from this breach is enormous, not only for Cisco but also for its affected customers. Exposed source code and API tokens could allow malicious actors to exploit vulnerabilities within customer environments or carry out attacks on other cloud services, particularly AWS and Azure. The compromised SSL certificates and hardcoded credentials raise concerns about man-in-the-middle attacks and impersonation, further exacerbating the situation for Cisco's clients.

IntelBroker’s attack is part of a broader pattern of breaches that have occurred in 2024. The group was responsible for leaking or selling data from several high-profile organizations earlier in the year, including T-Mobile, AMD, and Apple. The similarities between these incidents suggest that IntelBroker has become adept at exploiting vulnerabilities in cloud and DevOps environments, leveraging third-party service providers to gain access to sensitive corporate infrastructure. While the exact method used in this attack remains unclear, it follows a familiar pattern of exploiting weaknesses in the supply chain.

Attack Vectors

IntelBroker exploited vulnerabilities within Cisco’s third-party DevOps providers, using this foothold to move laterally and exfiltrate sensitive data. The stolen data includes source code, credentials, and confidential customer information, which raises concerns about Cisco’s ability to secure both its internal systems and those of its clients. The attack highlights the ongoing risks associated with using third-party vendors for critical services such as cloud infrastructure, development environments, and storage management.

This breach also calls attention to the heightened threat landscape in which major enterprises must operate. The reliance on third-party services to manage developer environments and cloud storage has exposed organizations to risks that go beyond their direct control. In this instance, Cisco’s internal security measures were bypassed through vulnerabilities in the systems of third-party providers. IntelBroker’s ability to access such sensitive information underscores the need for tighter controls on how external vendors handle corporate data.

Indicators of Compromise (IoCs)

Mitigation and Prevention

  • User Awareness: Cisco has advised customers to immediately revoke compromised credentials and monitor for unusual activity within their systems.
  • Patch Management: Ensure all third-party tools are patched to protect against vulnerabilities, particularly those managing cloud services.
  • Access Control: Strengthen access controls and implement role-based permissions to limit exposure of sensitive developer data.
  • SSL and API Token Management: Replace compromised SSL certificates and API tokens to prevent impersonation attacks or unauthorized access to critical systems.
  • Third-Party Audits: Conduct regular security audits on all third-party vendors, focusing on how they handle sensitive data and protect against unauthorized access.
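One practical way to act on the credential and token items above is to scan checked-out repositories for the classes of secrets the advisory says were exposed (cloud access keys, API tokens, private keys) so that each hit can be revoked and rotated. This is an added example, not Cisco's tooling or code from the original advisory; the pattern set and the sample configuration are hypothetical and constructed.

```python
import re
from dataclasses import dataclass

# Hypothetical ruleset covering the credential classes the advisory lists as
# exposed. Tune it for your own code base; it is illustrative, not exhaustive.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{80,}={0,2}"),
    # key/value assignments; values under 20 chars are skipped to limit noise
    "generic_api_token": re.compile(
        r"(?i)(?:api[_-]?key|token|secret|password)\s*[:=]\s*['\"]?"
        r"(?P<secret>[A-Za-z0-9_\-]{20,})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted; the full secret never leaves the file

def redact(secret: str) -> str:
    """Keep just enough of the value to identify which credential to rotate."""
    return f"{secret[:4]}...({len(secret)} chars)"

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m:
                secret = m.group("secret") if "secret" in m.groupdict() else m.group(0)
                findings.append(Finding(path, line_no, kind, redact(secret)))
    return findings

# Constructed sample file contents (not data from the breach) for a dry run.
SAMPLE_CONFIG = """\
# constructed sample, not real credentials
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
db_password = "hunter2"
API_TOKEN: "ghp_constructedtoken0123456789abcdef"
-----BEGIN RSA PRIVATE KEY-----
"""
```

Run scan_text over every text file of a checked-out repository (for example by walking it with pathlib and skipping the .git directory) and feed the findings into your rotation tracker; the short "hunter2" value is deliberately below the length threshold and shows why a scanner like this complements, rather than replaces, a full credential inventory.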

Conclusion

The IntelBroker breach of Cisco is a significant event in the broader context of cybersecurity incidents affecting cloud and DevOps environments. The exposure of source code, API tokens, and customer data from companies such as Microsoft and SAP underscores the critical risks posed by third-party vendors. As organizations increasingly rely on external services to manage their most sensitive data, the importance of securing these relationships cannot be overstated.

Cisco’s response to the breach—along with the actions of its affected customers—will be closely watched in the coming weeks. In the meantime, organizations should take proactive steps to secure their environments, audit third-party services, and ensure that data handling practices are up to the highest standards.