On October 15, 2024, Cisco issued a public statement acknowledging reports of an alleged security incident involving the unauthorized access of specific Cisco data and data belonging to its customers. While Cisco has maintained that no breach of its core systems occurred, the evolving situation highlights companies' persistent challenges in balancing transparency and security.
Cisco's initial communication indicated that the company was investigating the claims of a hacker who alleged access to Cisco's internal data. The company assured customers that it found "no evidence of our systems being impacted," and that law enforcement had been engaged in the ongoing investigation. However, on October 18, Cisco updated its findings, stating that the exposed data was on a public-facing DevHub portal. This resource center distributed software code and scripts for customer use.
In this update, Cisco clarified that while "a small number of files that were not authorized for public download may have been published," the company had seen no signs of compromised sensitive data—such as personally identifiable information (PII) or financial records. As a precaution, the company temporarily disabled public access to the DevHub portal while continuing to investigate.
The threat actor at the center of the incident, IntelBroker, provided a different perspective. According to an interview with Bleeping Computer, IntelBroker claimed they gained access to Cisco's systems via an exposed API token in a third-party developer environment. The hacker asserted that they had access to various sensitive files, including source code, database credentials, technical documentation, and SQL files. Screenshots of these files were shared with Bleeping Computer and Cisco, allegedly proving the level of access obtained.
Despite these claims, Cisco has held that its core systems were not compromised and that the incident was limited to the public DevHub portal. IntelBroker expressed frustration at Cisco's handling of the situation, sharing that they had access to the environment until the portal was taken offline and that Cisco had been slow to acknowledge the breach fully.
While IntelBroker did not attempt to extort Cisco, it reportedly sold the stolen data on a hacking forum, raising concerns about the breach's long-term risks.
Cybersecurity experts have weighed in on the situation, emphasizing the potential dangers the breach poses, even if Cisco's internal systems were not directly affected.
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, underscored the importance of addressing vulnerabilities in public-facing environments. "Even if the compromised environments were meant to be public-facing, exposing sensitive information such as source code, credentials, and API tokens can have significant security implications," Schwake explained. He cautioned that attackers often use exposed information as a foothold to pivot to more sensitive systems. In this case, the risk lies in the potential for attackers to exploit vulnerabilities in the leaked code or use hardcoded credentials to access more critical resources.
Schwake also highlighted the need for robust API security, particularly in environments like Cisco's DevHub portal. "Organizations should prioritize robust authentication and authorization, maintain a complete API inventory, build out API posture governance controls, and use continuous monitoring and threat detection to prevent unauthorized access and data breaches," he said.
Jason Soroko, Senior Fellow at Sectigo, echoed these concerns, noting that the exposed data still presents a significant risk. "Public-facing environments are often seen as less critical, but in reality, they can expose sensitive information that serves as stepping stones to deeper intrusions," Soroko said. He pointed out that even though Cisco's core systems were reportedly unaffected, the exposure of source code, API tokens, and credentials could be leveraged in future attacks.
Soroko also warned of the potential long-term impact on customer trust. "The real issue with these types of breaches is twofold. First, the trust erosion as companies minimize the impact, and second, the potential for the stolen data to be used in more dangerous exploits or sold on dark web forums," he added.
This incident sheds light on the complex nature of incident response in cybersecurity. On one hand, Cisco's swift action—engaging law enforcement, disabling the affected portal, and providing customer updates—demonstrates a proactive approach to mitigating the threat. On the other hand, the hacker's continued access to the environment, combined with frustration over Cisco's public statements, raises questions about the timing and transparency of the company's communications.
The situation also underscores the importance of securing development environments and API tokens, which can serve as gateways to more sensitive data. Even public-facing environments require robust security protocols to prevent attackers from gaining access to crucial resources.
While Cisco maintains that its core systems were not breached, the exposure of sensitive data on its DevHub portal has far-reaching implications. The involvement of a sophisticated hacker, the sale of stolen data, and the concerns raised by cybersecurity experts all point to the importance of securing public-facing environments and being transparent with customers.
Follow SecureWorld News for more stories related to cybersecurity.