Short Summary:
On October 14, 2024, IntelBroker, an infamous threat actor and admin of BreachForums, claimed to have breached Cisco Systems, alleging access to sensitive data. Cisco responded by denying any compromise of their core systems, attributing the exposed data to a public-facing DevHub resource. The incident has raised concerns about the security of high-profile organizations and the ongoing threat posed by cybercriminals.
Key Points:
- IntelBroker announced a breach of Cisco on October 14, 2024, claiming access to sensitive data.
- Data allegedly obtained includes source codes, confidential documents, and customer information.
- Cisco denied any breach of core systems, stating the data was from a public-facing DevHub resource.
- IntelBroker claimed to have maintained access to Cisco’s systems for 12 days.
- Cisco engaged law enforcement and conducted an investigation into the claims.
- IntelBroker has a history of targeting high-profile organizations and is known for their presence on BreachForums.
MITRE ATT&CK TTPs – created by AI
- Initial Access (T1078)
- Use of stolen credentials to gain access to systems.
- Exploitation of Public-Facing Applications (T1190)
- Exploitation of vulnerabilities in public-facing applications to gain unauthorized access.
- Data Exfiltration (T1041)
- Transfer of sensitive data from compromised systems to external locations.
- Credential Dumping (T1003)
- Obtaining account login credentials from operating systems and software.
On October 14, 2024, IntelBroker, the notorious threat actor and current admin of popular hacker forum, BreachForums, claimed to have breached Cisco Systems. The actor, well-known for targeting high-profile organizations, shared details of the breach, asserting access to sensitive data, including source codes and internal documents.
Cisco promptly responded, denying any compromise of their core systems and attributing the exposed data to a public-facing DevHub resource. Despite these reassurances, IntelBroker insisted they maintained access until October 18, when Cisco reportedly revoked all remaining access. The details of the Cisco breach, the company’s investigation, and IntelBroker’s claims will be examined further in this blog.
IntelBroker Claims to Have Breached Cisco
On October 14, IntelBroker, the notorious admin of BreachForums, announced a breach of Cisco Systems, Inc. on the popular hacker forum. IntelBroker asserted that the Cisco breach took place on October 6, offering the stolen data for sale.
In the forum post, IntelBroker detailed the types of data they claim to have obtained:
- GitHub and GitLab projects
- SonarQube projects
- Source code and hard-coded credentials
- Certificates and customer Secure Remote Connections (SRCs)
- Cisco confidential documents, Jira tickets, API tokens, AWS private buckets
- Docker builds, Azure Storage buckets, private & public keys
- SSL certificates, Cisco premium products
The actor also claimed to have accessed data linked to major companies, listing names like Microsoft, AT&T, Barclays, British Telecom, Bank of America, Verizon, Vodafone, BT, SAP, and T-Mobile. To support these claims, IntelBroker shared several screenshots, purportedly showing access to management interfaces, internal documents, databases, and even customer information.
SOCRadar’s Advanced Dark Web Monitoring is an essential cybersecurity module that tracks potential risks in the Dark Web. It offers real-time alerts for PII exposures, stealer logs, and underground chatter, enabling proactive measures before incidents escalate.
The platform also includes fraud and VIP protection, safeguarding financial assets and executives’ digital identities. The integrated Dark Web Search Engine provides keyword searches for deep threat analysis.
Additionally, SOCRadar Dark Web News delivers curated intelligence on Dark Web activities, keeping users informed about emerging threats specific to their industry or region. This comprehensive approach allows organizations to detect and respond swiftly to evolving cyber risks.
Response to the Alleged Cisco Breach
Cisco quickly responded to IntelBroker’s claims, issuing an initial statement on October 15, 2024, titled “Cisco Event Response: Reports of Security Incident.” In this response, Cisco stated:
“Cisco is investigating reports that an unauthorized actor is alleging to have gained access to certain Cisco data and data of our customers. Cisco takes this allegation seriously and we have engaged law enforcement as part of this investigation. To date, our investigation has found no evidence of our systems being impacted. We will notify customers if we confirm that the actor has obtained their confidential information.”
In a follow-up statement released on October 18, 2024, Cisco reiterated that there was no breach of their core systems:
“We have determined that the data in question is on a public-facing DevHub environment. As of now, we have not observed any confidential information such as sensitive PII or financial data.”
The statement emphasized that Cisco had engaged law enforcement and was conducting a thorough investigation. The company confirmed that no sensitive information, such as Personally Identifiable Information (PII) or financial data, was detected among the exposed files. Cisco clarified that the data in question originated from DevHub, a public-facing resource center designed to support the community by sharing software code and scripts. To mitigate potential risks, Cisco temporarily disabled access to DevHub.
IntelBroker’s Social Media Reactions: Claiming 12 Days of Access to Cisco Systems
IntelBroker used Twitter to amplify their breach claims and criticize Cisco’s response, while also attempting to highlight their own persistence. In their initial BreachForums post, IntelBroker stated that the Cisco breach occurred on October 6, though the exact entry date remains unclear. Despite this uncertainty, IntelBroker asserted on social media that they maintained access to Cisco’s systems until October 18, claiming a total of 12 days inside.
The first Twitter post from IntelBroker came on October 16, suggesting that they still had ongoing access to Cisco’s systems, thereby casting doubt on the effectiveness of Cisco’s containment measures.
On October 18, IntelBroker announced that Cisco had successfully revoked all access, citing the shutdown of Docker, Maven Hub, and SSH entry points. By framing this as a delayed action, IntelBroker aimed to publicly undermine Cisco’s response, positioning themselves as a resilient threat capable of sustaining access against one of the largest tech firms. The social media posts were part of a broader strategy to enhance IntelBroker’s reputation among cybercriminals while creating doubts about Cisco’s transparency and incident response management.
Who is IntelBroker: From Notorious Breacher to BreachForums Admin
IntelBroker’s claim to have accessed Cisco’s systems isn’t an isolated event; it’s part of a long history of breaches targeting high-profile organizations. Initially, IntelBroker gained recognition as one of the most active members on BreachForums, associated with other notorious cybercriminals like ShinyHunters and USDoD. Emerging in late 2022, IntelBroker became widely known in 2023 after alleged breaches of Weee Grocery Service, Europol, Autotrader, Volvo, Hilton Hotels, and AT&T. While not all breaches could be independently verified, many were confirmed leaks, boosting IntelBroker’s reputation within the cybercriminal community.
In May 2024, IntelBroker rose to admin status on BreachForums, following significant events that disrupted the forum’s leadership. Law enforcement captured Baphomet, the former admin, leading to a power vacuum within the community. ShinyHunters, another prominent figure, stepped down, leaving IntelBroker to fill the gap. This transition marked a new phase for IntelBroker, positioning them as both a key figure in the forum’s operations and one of the most active participants in its illicit activities.
Beyond BreachForums, IntelBroker’s involvement extends to the racist cybercrime group CyberNiggers. The group gained notoriety in 2023 for its coordinated cyberattacks. Though IntelBroker initially joined as a member, they soon became a driving force behind the group’s most significant breaches, distinguishing themselves within its ranks. The group’s activities ceased for a time, but IntelBroker revived it on August 9, 2024, uniting some of BreachForums’ most active threat actors under a new banner.
The Cisco incident is the latest chapter in IntelBroker’s evolving tactics and targets. The actor’s ability to consistently breach prominent organizations and maintain public visibility, even on platforms like Twitter, highlights a strategic approach that combines technical skill with psychological pressure. IntelBroker’s pattern of targeting organizations like Cisco suggests a broader agenda: not just data theft, but a reputation built on high-profile intrusions that challenge corporate security measures and reveal potential vulnerabilities.
Source: Original Post