On October 18, Cisco announced that “out of an abundance of caution,” they had disabled public access to its DevHub portal until their investigation was concluded. The announcement comes just days after Cisco opened an investigation into the allegations made by the black hat hacker IntelBroker on Breach Forums (a popular platform among bad actors).
A week earlier, IntelBroker published a post on Breach Forums. In the post, he claimed he was selling Cisco data obtained by a hack done by himself and the hackers [@]EnergyWeaponUser and [@]Modzjj
The breach, if true — and most experts believe it is — strikes a chord by targeting Cisco’s developer portal, where engineers, IT, and experts build software, apps, and other code for a wide range of companies. The organizations include Amazon, Samsung, Disney, Apple, IBM, the United States military, and hundreds of other organizations.
Cisco denies a serious breach and goes into offense, shutting down its DevHub
The threat actor, IntelBroker, has gone on the record as Cisco attempts to downplay an alleged breach and data leak.
IntelBroker is believed to have Serbian nationality and resides in Russia. Unlike other cybercriminal actors or cyber gangs, IntelBroker exhibits the traits of a more independent actor, operating in the intelligence black market, selling illegally obtained data.
IntelBroker claims that the data exfiltrated in the Cisco attack include Github, Gitlab, and SonarQube projects, source code, hard-coded credentials, certificates, Cisco confidential documents, Jira tickets, API tokens, AWS Private buckets, Azure storage buckets, private and public keys, SSL Certificates, and other details.
Cybersecurity media experts who analyzed a sample of the data that IntelBroker made available have concluded that the allegations of the attack are “believable.” The full extent of the data currently being sold to the highest bidder on Breach Forums is unknown.
If the data does include what IntelBroker claims, it represents a serious risk for Cisco and its partners. With the data, hackers could run supply chain attacks, modify code, and steal unreleased software. They could also disrupt services, sell trade secrets, extort companies, infiltrate and breach systems, cause damage to users, and much more.
IntelBroker speaks to tech media “to set the record straight”
While Cisco claimed that their investigation at this date determined that only a small number of non-public files were exposed, the hacker IntelBroker had something else to say.
Speaking to Bleeping Computer on October 18, IntelBroker said he gained access to the Cisco environment through an exposed API token.
Frustrated because Cisco did not recognize the gravity of the security incident, IntelBroker shared screenshots with Bleeping Computer to prove how much access to the system he had obtained.
Bleeping Computer’s analysis of IntelBroker’s screenshot concluded that “the threat actor had access to most, if not all, of the data” on the DevHub.
As mentioned, this data included source code, configuration files with database credentials, technical documentation, and SQL files. Cisco says that they continue to investigate the issue. The company has no indications that personal customer data may have been accessed.
IntelBroker said he would not be extorting Cisco.
“I wouldn’t trust a threat actor if they asked for money not to leak my stuff, so they shouldn’t either,” IntelBroker told BleepingComputer.
The Cisco breach and ongoing weaknesses of massive corporate digital attack surfaces
Cisco’s “ongoing investigation” and “no widespread breach” claims are not original. These damage control communications are the norm in the industry when a major breach happens.
The big problem for Cisco and every other big tech corporation is that they have a massive global digital attack surface.
A supply chain like Cisco’s has hundreds of partners, who in turn have hundreds more partners. This makes it challenging to monitor. These types of infrastructures provide countless opportunities to exploit vulnerabilities. The sheer scale of these supply chains makes them “heavy.” In the face of a breach, they struggle to pivot and patch.
IntelBroker has historically claimed responsibility for various high-profile cyberattacks. These have included the breach of the Los Angeles International Airport, General Electric, DC Health Link, Volvo Cars, Hewlett Packard Enterprise (HPE), Apple, AT&T, Verizon, and others.
All of IntelBroker’s operations follow the same business model. These include exploitation of vulnerabilities in large supply chains, breach of systems, exfiltration of data, and marketing of stolen intelligence data in the underground black market. IntelBroker’s operations display traits that align more with corporate espionage than with nation-state cyber espionage.
What does the Cisco breach mean for Apple users?
Apple and Cisco have a history of collaboration, particularly in the areas of networking and video conferencing. To date, Cisco network enhancements operate in Macs, iPhones, iPads, and Apple Vision Pro. This means Cisco developers’ features and code run on all Apple devices.
Apple and Cisco also work together to optimize Wi-Fi connectivity, improve voice and collaboration on iOS devices, prioritize business apps, and provide Cisco video meeting features.
Cisco has provided networking hardware for Apple’s data centers and corporate infrastructure. Additionally, Cisco offers apps for all Apple devices via the official App Store.
It’s worth noting that while Apple and Cisco have collaborated in the past, their relationship has evolved over time. The specific nature of their current projects may not be publicly disclosed. However, given their shared interest in technology and innovation, it’s likely that they continue to explore opportunities for cooperation.
Final thoughts on Apple users’ security
For Apple users, the Cisco breach does not represent a direct threat at this time. However, it is vital to keep an eye on the news, as this may change in the near future. It is unknown what data IntelBroker is selling or how that data can be used by bad actors to target Apple and its users.
To stay safe and remain one step ahead of the attacker, we recommend that Apple users remain vigilant. Be on the lookout for any suspicious behaviors on their devices and accounts. Additionally, they should take appropriate measures to secure their device if they believe it has been compromised.
Apple users should also familiarize themselves with Cisco apps and features that they may use. These could be on their iPhones, iPads, Macs, and Vision Pro devices. These include video meeting apps, hybrid work apps, and network features.
If you notice that one or more of these apps is acting up, asking for strange access permissions, crashing, or glitching, check for updates, review app permissions, run anti-malware, and enable strong security measures like MFA. Additionally, contact Apple security to report an incident or get help.
The Cisco breach represents another “too big to fail” cybersecurity paradox. As mentioned, global tech companies continue to expand, grow, and scale, and with this expansion, their digital surface weakens. They become slow and vulnerable to attacks run by agile hackers like IntelBroker.
This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. The Apple App Store is a trademark of Apple Inc.
