On August 10, 2022, Cisco confirmed that the Yanluowang ransomware group breached its network in the month of May,2022 and threaten the company by claiming to leak all stolen data if the demanded ransom was not paid. Cisco said, after detecting suspicious activities in the network, the company immediately took appropriate action to stop the cyberattack and this cyber incident did not affect their business including Cisco products or services, and no sensitive customer data or sensitive employee information was leaked, and not affected by any supply chain operations. Since threat actors claimed to have stolen 2.75GB of data and leaked exfiltrated files in the underground hacking forums, Cisco implemented strong security measures to protect the systems and network. As per reports, the Yanluowang threat actors breached Cisco's network using credentials stolen from the employee's account synced to the browser. These credentials were compromised by using the MFA fatigue technique that tricked Cisco employees into accepting push notifications from trusted support organizations. After the victim accepted a notification, the hackers allowed to access the VPN and attempted to move laterally to Citrix servers and domain controllers. After gaining access to domain controllers, hackers utilized enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and dropped multiple payloads onto the compromised systems, including a backdoor malware. Although Cisco detected and removed the bad actors from the network, threat actors made attempts to gain access to the previously infected network and tried to perform other malicious activities. In order to detect the malware used in the attack, Cisco released a new ClamAV tool that detects backdoor and a Windows exploit used for privilege elevation in the network. Furthermore, Cisco said there was no evidence of ransomware payloads detected during the attack, despite the Yanluowang gang known for encrypting the files. The TTP used by threat actors during the network breach was pre-ransomware activities used to deploy ransomware payload in the infected network.