Tuesday, March 25, 2025

Cisco Data Breach – Ransomware Group Allegedly Breached Internal Network




Sensitive credentials from Cisco’s internal network and domain infrastructure were reportedly made public due to a significant data breach.

According to a Cyber Press Research report, the new Kraken ransomware group has allegedly leaked a dataset on their dark web blog, which appears to be a dump of hashed passwords from a Windows Active Directory environment.

The exposed dataset includes domain user accounts, unique identifiers (Relative Identifiers or RIDs), and NTLM password hashes.

Security researchers believe the data was extracted using credential-dumping tools such as Mimikatz, pwdump, or hashdump.

The compromised data includes usernames, security identifiers, and password hashes linked to the tech giant’s corporate infrastructure.

The exposed accounts include privileged administrator accounts (e.g., Administrator:500), regular user accounts (e.g., cisco.com\carriep), service and machine accounts associated with domain controllers (e.g., ADC-SYD-P-1$, ADC-RTP-P-2$), and the Kerberos Ticket Granting Ticket (krbtgt) account, whose hash could allow attackers to forge Kerberos authentication tickets.

Dump of NTLM password hashes from Windows Active Directory (Credits: Cyber Press)

The format of the leaked credentials suggests they were obtained through a credential-dumping technique, possibly using tools like Mimikatz or hashdump, which are often employed by advanced persistent threat (APT) groups or cybercriminals.

Each entry in the dataset follows a structured format:

  • Username and Domain – Identifies the user and associated Active Directory domain.
  • Relative Identifier (RID) – A unique identifier assigned to user accounts.
  • LM Hash – Typically disabled; the fixed value aad3b435b51404eeaad3b435b51404ee indicates that no LM hash is stored.
  • NTLM Hash – A hash of the account’s password that can be recovered through brute-force or dictionary cracking, or reused directly without cracking.
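The entry format described above is the common pwdump layout (user:RID:LMhash:NThash:::), which makes such a dump easy to triage so that password resets can be ordered by risk. The script below is an added example written for this article, not code from Cyber Press, Cisco or any tool vendor. Every dump line, account name and hash value in it is constructed; the only real constants are the well-known hashes of an empty LM and NT password. It classifies entries only (krbtgt, built-in administrator, empty password, machine account, LM hash still stored) and does not attempt to crack anything.

```python
"""Triage a pwdump-style hash dump so that password resets can be prioritised.

Added example, not code from the report. All sample entries below are constructed;
the only real constants are the well-known hashes of an empty LM/NT password.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# LM hash stored when LM hashing is disabled (the LM hash of an empty password).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password: an account with no password set at all.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LMhash:NThash:::  with an optional DOMAIN\ prefix on the user.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

PRIORITIES = ["critical-krbtgt", "critical-builtin-admin", "critical-empty-password",
              "high-machine-account", "high-lm-enabled", "normal"]


@dataclass(frozen=True)
class DumpEntry:
    domain: Optional[str]
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def label(self) -> str:
        return f"{self.domain}\\{self.user}" if self.domain else self.user

    @property
    def priority(self) -> str:
        # Order matters: the first matching rule wins.
        if self.user.lower() == "krbtgt":
            return "critical-krbtgt"          # reset twice; its hash enables Golden Tickets
        if self.rid == 500:
            return "critical-builtin-admin"   # built-in Administrator, whatever it was renamed to
        if self.nt_hash == EMPTY_NT_HASH:
            return "critical-empty-password"  # account has no password at all
        if self.user.endswith("$"):
            return "high-machine-account"     # computer/DC accounts need a machine password reset
        if self.lm_hash != EMPTY_LM_HASH:
            return "high-lm-enabled"          # LM hashes are trivially cracked
        return "normal"


def parse_dump(text: str) -> tuple[list[DumpEntry], list[str]]:
    """Return (parsed entries, lines that did not match the format)."""
    entries: list[DumpEntry] = []
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            rejected.append(line)
            continue
        entries.append(DumpEntry(m["domain"], m["user"], int(m["rid"]),
                                 m["lm"].lower(), m["nt"].lower()))
    return entries, rejected


def triage(entries: list[DumpEntry]) -> dict[str, list[str]]:
    """Group account labels by reset priority; every priority key is always present."""
    groups: dict[str, list[str]] = {p: [] for p in PRIORITIES}
    for e in entries:
        groups[e.priority].append(e.label)
    return groups


# Constructed sample dump (raw string so the backslashes survive): names and hashes are invented.
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
corp.example\alice:1104:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
corp.example\bob:1105:44444444444444444444444444444444:55555555555555555555555555555555:::
corp.example\svc-legacy:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC-01$:1001:aad3b435b51404eeaad3b435b51404ee:66666666666666666666666666666666:::
# comment lines are skipped; malformed lines are reported rather than silently dropped
this is not a dump line
"""

if __name__ == "__main__":
    parsed, bad = parse_dump(SAMPLE_DUMP)
    for prio, accounts in triage(parsed).items():
        print(f"{prio:26s} {', '.join(accounts) or '-'}")
    print(f"rejected lines: {bad}")
```

Rejected lines are returned rather than discarded so that a truncated or hand-edited dump does not quietly lose accounts from the reset list; a non-empty LM hash is treated as high priority on its own because such a password is recoverable far faster than its NT counterpart.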

The exposure of NTLM hashes poses a significant risk, as attackers could crack these hashes, or reuse them directly, to gain unauthorized access to Cisco’s systems.

If privileged account credentials are compromised, attackers could escalate privileges, access critical network resources, and deploy ransomware or other malicious payloads.

The inclusion of domain controller (DC) accounts suggests that attackers may have gained deep network access, allowing for potential lateral movement within the corporate infrastructure.

Cybersecurity experts warn that this could enable further privilege escalation using techniques such as Kerberoasting or Pass-the-Hash attacks.

Additionally, adversaries could establish persistent access through Golden Ticket or Silver Ticket attacks, leading to the exfiltration of sensitive corporate and customer data.

Threat Actor Involvement

Accompanying the leaked dataset is a threatening message from the attackers, indicating that they may have maintained a presence within Cisco’s network for an extended period.

The message suggests a potential intent to return, hinting at an organized cybercrime group or even a nation-state actor.

While Cisco has yet to confirm the breach officially, security professionals urge immediate countermeasures, including:

  • Forced password resets for affected users and service accounts.
  • Disabling NTLM authentication where possible to reduce credential reuse risks.
  • Deploying multi-factor authentication (MFA) to mitigate the impact of credential compromises.
  • Investigating access logs for unauthorized activity and privilege escalation attempts.
  • Enhancing monitoring to detect further attempts at unauthorized access.
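Several of those countermeasures draw on the same raw material: Windows Security event records. The script below is an added example, not code from the article, Cisco or any vendor. It runs three defensive checks over a constructed, simplified export of Security-log events: an inventory of NTLM logons (event 4624, with any NTLM logon by an account from the dump rated high), RC4 service-ticket requests (event 4769 with encryption type 0x17) as a Kerberoasting indicator, and bursts of failed logons (event 4625) against accounts that appeared in the dump. The event list, account names and IP addresses are constructed; the EventData field names are the ones Windows uses in those events.

```python
"""Defensive review of exported Windows Security events after a hash leak.

Added example, not from the article. Events mimic a simplified JSON export of
Security-log records (EventID plus the EventData field names Windows uses);
every event, account name and address below is constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

# Accounts that appeared in the dump (constructed; normally taken from the dump itself).
EXPOSED_ACCOUNTS = {"administrator", "alice", "dc-01$"}

# Kerberos encryption type 0x17 = RC4-HMAC. A service ticket issued with RC4 is
# protected only by the service account's NT hash, which is what Kerberoasting targets.
RC4_HMAC = "0x17"
FAILED_LOGON_THRESHOLD = 3   # failed attempts per (account, source) before alerting


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    account: str
    source: str
    detail: str = ""


def _account(data: dict) -> str:
    # 4769 carries user@REALM; normalise to the bare lower-case name used in the dump.
    return data.get("TargetUserName", "").split("@")[0].lower()


def review_events(events: list[dict], exposed: set[str]) -> list[Finding]:
    findings: list[Finding] = []
    failed: defaultdict[tuple[str, str], int] = defaultdict(int)

    for ev in events:
        eid, data = ev["EventID"], ev["EventData"]
        account, source = _account(data), data.get("IpAddress", "-")

        # Rule 1: inventory NTLM logons (needed before NTLM can be disabled); an NTLM
        # logon by an account whose hash leaked is what pass-the-hash looks like.
        if eid == 4624 and data.get("AuthenticationPackageName") == "NTLM":
            severity = "high" if account in exposed else "info"
            findings.append(Finding(severity, "ntlm-logon", account, source,
                                    f"logon type {data.get('LogonType')}"))

        # Rule 2: RC4 service-ticket requests (Kerberoasting indicator).
        elif eid == 4769 and data.get("TicketEncryptionType", "").lower() == RC4_HMAC:
            findings.append(Finding("medium", "rc4-service-ticket", account, source,
                                    f"service {data.get('ServiceName')}"))

        # Rule 3: repeated failed logons against exposed accounts. One finding per
        # (account, source) when the threshold is reached, not one per attempt.
        elif eid == 4625 and account in exposed:
            failed[(account, source)] += 1
            if failed[(account, source)] == FAILED_LOGON_THRESHOLD:
                findings.append(Finding("high", "failed-logon-burst", account, source,
                                        f"{FAILED_LOGON_THRESHOLD}+ failures"))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings by (severity, rule) for a quick overview."""
    return Counter((f.severity, f.rule) for f in findings)


def _ev(eid: int, **data) -> dict:
    return {"EventID": eid, "EventData": data}


# Constructed sample export.
SAMPLE_EVENTS = [
    _ev(4624, TargetUserName="alice", AuthenticationPackageName="NTLM", LogonType=3, IpAddress="10.0.0.5"),
    _ev(4624, TargetUserName="bob", AuthenticationPackageName="Kerberos", LogonType=3, IpAddress="10.0.0.6"),
    _ev(4624, TargetUserName="bob", AuthenticationPackageName="NTLM", LogonType=3, IpAddress="10.0.0.6"),
    _ev(4769, TargetUserName="alice@CORP.EXAMPLE", ServiceName="svc-sql", TicketEncryptionType="0x17", IpAddress="10.0.0.5"),
] + [
    _ev(4625, TargetUserName="Administrator", IpAddress="198.51.100.7") for _ in range(4)
]

if __name__ == "__main__":
    found = review_events(SAMPLE_EVENTS, EXPOSED_ACCOUNTS)
    for f in found:
        print(f"[{f.severity:6s}] {f.rule:20s} {f.account:14s} from {f.source:14s} {f.detail}")
    print(dict(summarize(found)))
```

The informational NTLM findings are deliberately kept: before NTLM can be disabled, the systems and accounts still relying on it have to be found, and this inventory is the first step. The failed-logon rule emits one finding per (account, source) pair when the threshold is reached, so a sustained guessing run against a leaked account produces a single alert rather than one per attempt.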

This breach highlights the increasing prevalence of credential-based cyberattacks and the urgent need for robust security defenses.

Organizations must remain vigilant against similar threats by enforcing strong authentication policies, monitoring network activity, and implementing proactive cybersecurity measures.

As the investigation continues, cybersecurity experts emphasize the importance of rapid incident response to limit the damage and protect sensitive corporate information from further exploitation.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
