Cisco has taken its DevHub website offline after a cyber attack and data breach incident. It has also downplayed the severity of the incident, saying it shut down the site “out of an abundance of caution.”
Recently, a well-known data leaker known as IntelBroker posted a new thread on the infamous BreachForums offering Cisco data for sale.
In the thread, the hacker credited EnergyWeaponUser and zjj for the breach, stating that the archive contained GitHub projects, GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer SRCs, confidential documents, Jira tickets, API tokens, AWS private buckets, Cisco Technology SRCs, Docker builds, Azure Storage buckets, private and public keys, SSL certificates, and more.
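Several of the categories in that listing (hardcoded credentials, API tokens, private keys) are exactly what a pre-publication scan of files headed for a public developer portal is meant to catch. The following is an added example, not Cisco's code or anything from the reporting above: a small Python scanner that runs a few high-confidence credential patterns plus an entropy-gated check on `key = value` assignments over a constructed bundle of files, reports redacted previews, and refuses to publish when anything matches. The file names, the regex set, the entropy threshold and the sample contents are all assumptions for illustration.

```python
"""Pre-publication secret scan for files headed to a public download portal.

Added example with constructed sample files; not Cisco's code and not data
from the incident described in the article.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential types named in the leak listing: private keys, cloud access
# keys, API tokens. The regexes are illustrative, not an exhaustive ruleset.
SPECIFIC_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# Catch-all for `key = value` assignments; gated by entropy and a placeholder
# allowlist below, because the variable name alone is weak evidence.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(?:api[_-]?key|api[_-]?token|secret|password|passwd|token)\b"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
)
PLACEHOLDER = re.compile(r"(?i)(?:changeme|example|placeholder|your[_-]|dummy|xxx)")
MIN_ENTROPY_BITS = 3.5  # per-character Shannon entropy; random tokens sit near 4.5-5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted so the report itself does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value: str) -> bool:
    return PLACEHOLDER.search(value) is not None


def redact(value: str) -> str:
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
                matched = True
                break
        if matched:
            continue  # one high-confidence finding per line is enough
        m = GENERIC_ASSIGNMENT.search(line)
        if m:
            value = m.group(1)
            if not is_placeholder(value) and shannon_entropy(value) >= MIN_ENTROPY_BITS:
                findings.append(Finding(path, line_no, "high_entropy_assignment", redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def publish_gate(files: dict[str, str]) -> bool:
    """True only when nothing in the bundle looks like a credential."""
    return not scan_files(files)


# Constructed sample bundle. The AWS key is the documented AWS example ID and the
# GitHub token and secret are made up; none is a live credential.
SAMPLE_FILES = {
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync ./build s3://internal-builds/\n"
    ),
    "config/settings.yaml": (
        "api_token: ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n"
        "secret: 9f2Kx7QpL0mZr4Vb8Tn1Wc6Ya3Hd5Ej2\n"
        "password: changeme\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": (
        "Set API_KEY=<your-api-key-here> before running.\n"
        "api_key = your_api_key_goes_here_1234\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.preview}")
    print("publishable:", publish_gate(SAMPLE_FILES))
```

Run stand-alone, the scan flags the AWS key ID, the GitHub token, the high-entropy `secret:` value and the private key header, ignores the README placeholders and the short `changeme` password, and `publish_gate` returns False for the bundle. The placeholder allowlist matters: documentation samples such as `your_api_key_goes_here_...` can have enough entropy to trip a naive threshold, so name-based and entropy-based evidence are combined rather than used alone.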
Exposed API token
Cisco responded by saying it was investigating the breach and has now come forward with additional information.
“Based on our investigation, we are confident that no breach of our systems has occurred,” Cisco said. “We have determined that the data in question is in a public DevHub environment: a Cisco resource center that allows us to support our community by making software code, scripts, etc. available for customers to use as needed. We determined that a small number of files that were not authorized for public download may have been published.”
The announcement also states that there is no evidence that personally identifiable information (PII) or financial data was among the exposed files, but Cisco is continuing its investigation.
“Out of an abundance of caution, we have blocked public access to the site while we continue to investigate.”
But IntelBroker disputes the claim that there was no breach. Speaking to BleepingComputer, they said they had gained access to a remote Cisco developer environment via an exposed API token, and shared screenshots of that access with the publication as proof.
“While Cisco continues to say that no systems were compromised, everything we have seen indicates that a third-party development environment was compromised, allowing the threat actors to steal data,” the publication concludes.
Via BleepingComputer