
Cisco Removes Access to DevHub Following Security Breach


Cisco recently had to take action in response to a security incident where threat actors were able to access customer data from one of its DevHub environments and put it up for sale on a cybercrime forum. The compromised data contained valuable information such as source code, API tokens, hardcoded credentials, certificates, and other secrets belonging to major companies like Microsoft, Verizon, T-Mobile, AT&T, Barclays, and SAP.

The breach was first detected when researchers observed three threat actors with the aliases IntelBroker, EnergyWeaponUser, and zjj offering the stolen data for sale on BreachForums. IntelBroker, in particular, is a known Serbian entity with a history of involvement in significant data heists, including breaches at Europol, General Electric, and DARPA.

Upon learning of the incident, Cisco initiated an investigation and confirmed the security breach a few days later. The company issued a public update acknowledging the incident but provided limited details on the exact nature of the accessed data. Fortunately, Cisco’s own internal systems were not impacted by the breach. The compromised data was found to be stored on a public-facing DevHub environment, which is used by Cisco to share software code and scripts with its community. According to Cisco, a small number of unauthorized files were published during the incident.

While there is no evidence to suggest that personal identity data or financial information was illegally accessed, Cisco took precautionary measures by disabling public access to the DevHub site as the investigation continues. The threat actors who claimed responsibility for the breach stated that the stolen data included GitHub and GitLab projects, source code, Jira tickets, container images, data from AWS storage buckets, and confidential Cisco information.

The incident serves as a reminder for organizations to prioritize the security of their public-facing assets. Experts emphasize the importance of implementing measures like input validation, strong authentication tools, regular vulnerability assessments, and adherence to security best practices such as OWASP guidelines. Neglecting these precautions can leave organizations vulnerable to data breaches and cyber threats.

Jason Soroko, a senior fellow at Sectigo, notes that many organizations underestimate the risks associated with public-facing environments and fail to prioritize secure coding practices. Proper security measures, including strict access controls, secure coding practices, and regular security assessments, can help mitigate the risk of sensitive data exposure and unauthorized access.

Eric Schwake, director of cybersecurity strategy at Salt Security, highlights the various factors that can lead to sensitive data being exposed in public-facing environments. These factors include misconfigurations, human errors, inadequate security testing, and third-party compromises. Schwake recommends a multilayered security approach that includes strict access controls, secure coding practices, and continuous monitoring to protect against unauthorized access and data exposure.

In conclusion, the Cisco data breach underscores the critical need for organizations to secure their public-facing assets and safeguard sensitive information from malicious actors. By implementing robust security measures and staying vigilant against potential threats, organizations can better protect their data and prevent cyber incidents.
