Incident

Hacker IntelBroker breach of Cisco, selling code and credentials; Cisco shuts down DevHub portal



The hacker known as IntelBroker claims responsibility for a data breach at Cisco Systems, Inc. and is offering to sell the allegedly stolen data on the Breach Forums platform. The claim was posted on October 14, 2024, though it has not been independently verified at this time.

According to the post on Breach Forums, IntelBroker reportedly accessed a vast amount of sensitive data from Cisco's systems, including:

  • Source Code: Critical projects hosted on platforms like GitHub, GitLab, and SonarQube.
  • Hard-Coded Credentials: Login details embedded within the source code.
  • Certificates and Keys: SSL certificates and private/public keys, essential for encrypted communications.
  • Confidential Documents: Internal Cisco files classified as "Cisco Confidential."
  • API Tokens and Storage Buckets: Access to AWS private buckets, Azure storage buckets, and other API tokens, potentially providing access to critical systems.
  • Other Sensitive Information: Jira tickets, Docker builds, and proprietary Cisco premium products.

IntelBroker claims that the breach also impacted production source code from several high-profile companies in industries ranging from telecommunications to financial services. The list of allegedly affected organizations includes:

  • Telecom Companies: Verizon, AT&T (USA and Mexico), British Telecom, T-Mobile (USA and Poland), Vodafone (Albania and Australia), Turkcell.
  • Financial Institutions: Bank of America, Barclays, National Australian Bank.
  • Tech and Health Sectors: Microsoft, Liberty Global, Dignity Health.

The hacker is offering the stolen data for sale in exchange for the cryptocurrency Monero (XMR), known for its anonymity and privacy features.

“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files,” a Cisco spokesperson said. “We have launched an investigation to assess this claim, and our investigation is ongoing.”

Update - As of October 18, 2024, Cisco confirmed that it took offline its public DevHub portal, which was apparently hacked by "IntelBroker". The DevHub portal is a public-facing Cisco resource center used to share software code, scripts, and other resources with customers.

Although some of the files were not authorized for public download, Cisco insists that no personal or financial information was compromised. It is still unclear what customer-related data, if any, was stored on the compromised servers.

After the data leak was discovered, Cisco disabled access to the DevHub portal and other compromised developer environments to prevent further unauthorized access.

While Cisco denies that any of its core systems were breached, an investigation is underway to assess the full extent of the incident.

Update - As of 3rd of November 2024, Cisco claims that the files stolen from a misconfigured public-facing DevHub portal don't contain information that could be exploited in future breaches of the company's systems. Cisco did not say whether the files contain data that could compromise its customers.

Update - As of 17th December 2024, IntelBroker has published a second data dump comprising 4.84 GB of sensitive assets, including: development files (Java code, binaries, archives), networking components (Cisco router images/configs), testing/operational materials (ZTP data, logs, scripts), infrastructure files (cloud disk images), and payment system credentials (Weixin Pay SDK signatures).
