Cisco source code stolen in Trivy-linked dev environment breach

Cisco has suffered a cyberattack after threat actors used credentials stolen in the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers.

A source, who asked to remain anonymous, told BleepingComputer that Cisco’s Unified Intelligence Center, CSIRT, and EOC teams contained the breach involving a malicious “GitHub Action plugin” from the recent Trivy compromise.

The attackers used the malicious GitHub Action to steal credentials and data from the company’s build and development environment, impacting dozens of devices, including some developer and lab workstations.

While the initial breach has been contained, BleepingComputer was told that the company expects continued fallout from the follow-on LiteLLM and Checkmarx supply chain attacks.

As part of the breach, several AWS keys were reportedly stolen and later used to perform unauthorized actions across a small number of Cisco AWS accounts. Cisco has isolated affected systems, begun reimaging them, and is performing wide-scale credential rotation.

BleepingComputer has learned that more than 300 GitHub repositories were also cloned during the incident, including source code for its AI-powered products, such as AI Assistants, AI Defense, and unreleased products.

A portion of the stolen repositories allegedly belongs to corporate customers, including banks, BPOs, and US government agencies.

Multiple sources told BleepingComputer that more than one threat actor was involved in the Cisco CI/CD and AWS account breaches, with varying levels of activity.

BleepingComputer contacted Cisco with questions about the breach, but has not received a reply to our emails.

The Trivy supply chain attack

Cisco’s breach was caused by this month’s Trivy vulnerability scanner supply chain attack, in which threat actors compromised the project’s GitHub pipeline to distribute credential-stealing malware through official releases and GitHub Actions.

That attack enabled the theft of CI/CD credentials from organizations using the tool, giving attackers access to thousands of internal build environments.
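A compromised action reaches a victim pipeline through a mutable reference such as a branch or tag in a workflow's `uses:` line, so the first check a practitioner will want after reading the above is an inventory of which third-party actions in their workflows are not pinned to a full commit SHA. The script below is an added example written for this article, not code from Cisco, BleepingComputer, or the Trivy project; the workflow text it scans is constructed, and the `example-org/*` action names in it are placeholders, not real actions.

```python
import re

# Matches a `uses:` reference inside a GitHub Actions workflow, whether it
# starts a list item ("- uses: ...") or follows a "name:" key on its own line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)

# A full 40-hex-character commit SHA is the only immutable reference GitHub
# offers for an action; tags and branches can be moved by the action's owner
# or by whoever compromises that owner's repository.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not from any real repository). The two
# "example-org" refs are the ones a reviewer should flag.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run scanner
        uses: example-org/scanner-action@master   # floating branch
      - uses: example-org/other-action@0.1.0       # movable tag
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""


def parse_uses(workflow_text):
    """Return every `uses:` reference found in a workflow file's text."""
    return USES_RE.findall(workflow_text)


def classify_ref(ref):
    """Classify one `uses:` reference.

    Returns (action, version, kind) where kind is one of:
      'local'   - a path inside the repository (./...), not fetched remotely
      'docker'  - a docker:// image reference
      'sha'     - pinned to a full commit SHA
      'mutable' - a tag, branch, or missing version that can change later
    """
    if ref.startswith("./"):
        return ref, None, "local"
    if ref.startswith("docker://"):
        return ref, None, "docker"
    action, _, version = ref.partition("@")
    if version and SHA_RE.match(version):
        return action, version, "sha"
    return action, version or None, "mutable"


def find_unpinned(workflow_text, trusted_owners=()):
    """Return (action, version) pairs that are not pinned to a commit SHA.

    trusted_owners is a policy choice: owners listed there are skipped even
    when their actions use mutable refs. The default flags everything.
    """
    findings = []
    for ref in parse_uses(workflow_text):
        action, version, kind = classify_ref(ref)
        if kind != "mutable":
            continue
        owner = action.split("/")[0]
        if owner in trusted_owners:
            continue
        findings.append((action, version))
    return findings


if __name__ == "__main__":
    for action, version in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{version}")
```

Run it over the `.github/workflows/*.yml` files of a repository (reading each file and passing its text to `find_unpinned`) to get the list of actions to re-pin; a `docker://` image reference is reported separately because the equivalent control there is pinning by image digest rather than by commit SHA.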

Security researchers linked these supply chain attacks to the TeamPCP threat group based on the use of their self-titled “TeamPCP Cloud Stealer” infostealer. TeamPCP has been conducting a series of supply chain attacks targeting developer code platforms, such as GitHub, PyPI, NPM, and Docker.

The group also compromised the LiteLLM PyPI package, which impacted tens of thousands of devices, and the Checkmarx KICS project to deploy the same information-stealing malware.
