
Cisco Breach: Kraken Ransomware Group Allegedly Leaks Internal Credentials (NTLM Hashes, Domain Accounts)

If a company that builds the world’s networking backbone can have its credentials leaked, what does that say about the rest of us? The alleged Cisco breach—claimed by the Kraken ransomware group and reported to include usernames, NTLM password hashes, and domain credentials—should make every security leader pause. Not because “no one is safe” (we’ve known that), but because identity is still the soft underbelly of enterprise security, and Active Directory compromise remains the fastest path to ransomware detonation.

In this deep dive, we’ll unpack what’s known so far, why leaked NTLM hashes and domain credentials are uniquely dangerous, and the concrete steps you can take today to reduce your blast radius. We’ll also outline a pragmatic 30/60/90-day plan to harden identity, tighten segmentation, and bolster ransomware resilience—without stalling the business.

Note: Details continue to evolve. This article references public reporting and security best practices. Always verify with official vendor communications before taking action.

What We Know So Far

  • Reporting: According to DIESEC’s February 14, 2025 roundup, the Kraken ransomware group claims to have compromised Cisco’s internal network and leaked credentials, including usernames, NTLM password hashes, and domain accounts.
  • Risk profile: Leaked domain credentials are a direct enabler for privilege escalation, lateral movement, and ransomware deployment—especially if attackers gained or can derive Active Directory (AD) access.
  • Impact uncertainty: At the time of writing, public information does not confirm customer data exposure. However, leaked corporate credentials can be used for follow-on attacks, social engineering, and potential supply chain intrusion attempts.

For official notices, monitor the Cisco Security Advisories page: Cisco PSIRT Advisories & Alerts.

Why NTLM Hashes and Domain Credentials Are So Dangerous

When attackers obtain NTLM hashes and domain account details, several doors open—fast.

  • Pass-the-Hash (PtH): NTLM allows authentication using the hash itself as the credential. Wherever NTLM is still accepted, attackers can move laterally without cracking the password, simply by replaying the hash to systems that accept it.
  • Offline cracking: NTLM hashes can be cracked offline with commodity GPUs. Weak, reused, or patterned passwords often fall quickly—especially if organizations don’t enforce long, unique, random strings for privileged and service accounts.
  • Credential reuse: Users commonly reuse passwords across systems and vendors. Leaked enterprise passwords may also unlock customer portals, support consoles, or partner VPNs.
  • Privilege escalation: With one foothold, attackers can hunt for tokens, cached credentials, or misconfigurations to elevate privileges—ultimately targeting Domain Admin or equivalent Tier 0 assets.
  • Lateral movement: From a compromised workstation, attackers pivot to servers, domain controllers, and cloud identity, then deploy ransomware broadly.

Active Directory Is the Blast Multiplier

AD remains the central nervous system of most enterprises. Once attackers get AD privileges, they can:

  • Abuse Kerberos and directory replication (e.g., DCSync to extract password data via replication requests; Golden Ticket by abusing the krbtgt account; Kerberoasting to crack service account passwords offline).
  • Alter Group Policy Objects (GPOs) to push malicious scripts or disable security controls.
  • Create backdoor accounts, persistence mechanisms, or rogue certificates if AD CS is present.
  • Distribute ransomware rapidly via administrative tools, scripts, or software deployment mechanisms.

This is why leaked domain credentials and NTLM hashes are more than just “passwords on the internet”—they are accelerants for a complete domain takeover.

Who Could Be Affected?

  • Cisco internal systems and staff: If AD access was compromised, Cisco’s internal identity ecosystem would be the immediate concern.
  • Partners and suppliers: Attackers often pivot via vendor relationships. Phishing and social engineering leveraging leaked internal details are common.
  • Customers: There’s no confirmation of customer compromise based on public reporting; however, attackers may try credential stuffing or impersonation on Cisco portals or partner interfaces.

Organizations that rely on Cisco products should be prepared for targeted phishing that references this event, impersonation attempts purportedly from “Cisco Support,” and probes against Cisco-related SSO or support accounts.

Immediate Actions Security Leaders Should Take

Even if you have no direct exposure, treat this as a real-world stress test for your identity and ransomware readiness.

1) If Your Organization Uses Cisco Portals or Services

  • Rotate credentials: Change passwords for Cisco-related accounts and ensure they are unique and long (passphrases >14 characters).
  • Enforce MFA: Turn on phishing-resistant MFA (FIDO2/WebAuthn) for any Cisco-facing admin or support accounts.
  • Review access tokens and API keys: Reissue and rotate any API credentials or automation tokens tied to Cisco services.
  • Monitor for suspicious logins: Enable geo-velocity, impossible travel, and new-device alerts for Cisco SSO or support portals.
  • Watch for phishing: Expect socially engineered emails claiming to be “urgent Cisco security notifications.” Validate via the official Cisco PSIRT.

2) If You Operate Active Directory

Harden identity now. Focus on changes with the highest blast-radius reduction.

  • Disable or restrict NTLM:
      ◦ Gradually enforce “Kerberos-only” where possible.
      ◦ Use Microsoft’s guidance for staged NTLM restriction and auditing: Restrict NTLM in this domain.
  • Enforce LDAP signing and channel binding:
      ◦ Prevent credential leakage and tampering: LDAP signing requirements.
  • Rotate and rationalize privileged credentials:
      ◦ Enumerate Domain Admins and Enterprise Admins; minimize membership dramatically.
      ◦ Rotate sensitive accounts; consider two consecutive rotations for krbtgt per Microsoft guidance: Understanding and resetting the krbtgt password.
  • Move to managed credentials:
      ◦ Use gMSA for services: gMSA overview.
      ◦ Deploy Microsoft LAPS for local admin rotation: LAPS overview.
  • Improve encryption and signing:
      ◦ Require SMB signing on servers and critical systems: SMB signing.
      ◦ Prefer Kerberos AES and disable weaker encryption where feasible: Kerberos encryption types.
  • Segregate Tier 0:
      ◦ Use Privileged Access Workstations (PAWs) for admins.
      ◦ Block administrative logon to lower-trust tiers (servers/workstations) from Tier 0 accounts.
  • Strengthen MFA and conditional access:
      ◦ Phishing-resistant MFA for admins (FIDO2).
      ◦ Conditional access policies that require compliant devices and trusted locations.
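To make the protocol-hardening items above verifiable rather than aspirational, here is an added Python example (not code from the article, from Cisco, or from Microsoft) that audits a registry snapshot against the hardened targets: NTLM restriction in the domain, NTLMv2-only authentication, LDAP signing and channel binding, SMB signing, and Kerberos encryption types with RC4/DES removed. The registry paths and value meanings follow Microsoft’s documented policy settings; the two snapshots are constructed, and in practice you would feed it the output of a registry export from each domain controller.

```python
"""Audit identity-hardening settings against the targets in the checklist above.

Added example (not from the article, Cisco or Microsoft). `reg` is a dict that
mimics an exported registry snapshot: {key_path: {value_name: data}}.
Registry paths and value meanings follow Microsoft's documented policies.
"""
from __future__ import annotations
from dataclasses import dataclass

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
NTDS = r"HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
LANMAN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
KERB = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"

# Bit flags of the Kerberos "SupportedEncryptionTypes" value
DES_CRC, DES_MD5, RC4, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
LEGACY_ETYPES = DES_CRC | DES_MD5 | RC4


@dataclass(frozen=True)
class Finding:
    setting: str
    current: object      # None means the value is not configured at all
    expected: str
    severity: str        # high / medium / low


def check_hardening(reg: dict) -> list[Finding]:
    """Return one Finding per setting that is missing or weaker than the target."""
    findings: list[Finding] = []

    def val(path: str, name: str):
        return reg.get(path, {}).get(name)

    # "Restrict NTLM in this domain": 0 = off, 1/3/5 = partial deny, 7 = deny all.
    # Staged rollout: audit first (AuditNTLMInDomain = 7), then deny.
    restrict, audit = val(NETLOGON, "RestrictNTLMInDomain"), val(NETLOGON, "AuditNTLMInDomain")
    if restrict in (None, 0):
        sev = "medium" if audit == 7 else "high"   # auditing without denying is progress, not done
        findings.append(Finding("Restrict NTLM in this domain", restrict, "7 (deny all) after audit", sev))
    elif restrict != 7:
        findings.append(Finding("Restrict NTLM in this domain", restrict, "7 (deny all)", "low"))

    # LAN Manager authentication level: 5 = send NTLMv2 only, refuse LM and NTLMv1.
    lm = val(LSA, "LmCompatibilityLevel")
    if lm is None or lm < 5:
        findings.append(Finding("LmCompatibilityLevel", lm, "5 (NTLMv2 only, refuse LM/NTLMv1)", "high"))

    # LDAP signing (2 = require) and channel binding (2 = always) on domain controllers.
    if val(NTDS, "LDAPServerIntegrity") != 2:
        findings.append(Finding("LDAPServerIntegrity", val(NTDS, "LDAPServerIntegrity"), "2 (require signing)", "high"))
    if val(NTDS, "LdapEnforceChannelBinding") != 2:
        findings.append(Finding("LdapEnforceChannelBinding", val(NTDS, "LdapEnforceChannelBinding"), "2 (always)", "medium"))

    # SMB server signing: 1 = required.
    if val(LANMAN, "RequireSecuritySignature") != 1:
        findings.append(Finding("SMB RequireSecuritySignature", val(LANMAN, "RequireSecuritySignature"), "1 (required)", "high"))

    # Kerberos etypes: AES bits must be set and no legacy (DES/RC4) bits may remain.
    etypes = val(KERB, "SupportedEncryptionTypes")
    if etypes is None:
        findings.append(Finding("Kerberos SupportedEncryptionTypes", None, "0x18 (AES128 + AES256)", "medium"))
    else:
        if etypes & LEGACY_ETYPES:
            findings.append(Finding("Kerberos SupportedEncryptionTypes", hex(etypes), "no DES/RC4 bits", "medium"))
        if not etypes & (AES128 | AES256):
            findings.append(Finding("Kerberos SupportedEncryptionTypes", hex(etypes), "AES bits set", "high"))
    return findings


# Constructed snapshots: a typical legacy configuration and the hardened target.
WEAK_SNAPSHOT = {
    NETLOGON: {"AuditNTLMInDomain": 0},                  # NTLM neither audited nor restricted
    LSA: {"LmCompatibilityLevel": 3},                    # DC still accepts LM and NTLMv1
    NTDS: {"LDAPServerIntegrity": 1, "LdapEnforceChannelBinding": 0},
    LANMAN: {"RequireSecuritySignature": 0},
    KERB: {"SupportedEncryptionTypes": RC4 | AES128 | AES256},   # 0x1C, RC4 still allowed
}
HARDENED_SNAPSHOT = {
    NETLOGON: {"AuditNTLMInDomain": 7, "RestrictNTLMInDomain": 7},
    LSA: {"LmCompatibilityLevel": 5},
    NTDS: {"LDAPServerIntegrity": 2, "LdapEnforceChannelBinding": 2},
    LANMAN: {"RequireSecuritySignature": 1},
    KERB: {"SupportedEncryptionTypes": AES128 | AES256},         # 0x18
}

if __name__ == "__main__":
    for label, snap in (("weak", WEAK_SNAPSHOT), ("hardened", HARDENED_SNAPSHOT)):
        found = check_hardening(snap)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.setting}: current={f.current}, expected={f.expected}")
```

The NTLM check deliberately grades “audit on, deny off” as medium rather than high: that is the intended intermediate stage of a phased rollout, and the audit events it produces are what tell you which workflows would break before you flip the switch to deny.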

3) Detection, Threat Hunting, and Monitoring

Assume some credentials are in the wild. Focus on identity-centric detections.

  • Domain Controller visibility:
      ◦ Use Microsoft Defender for Identity (MDI) or equivalent: What is MDI.
      ◦ Ingest key Windows Security Events into SIEM: 4624/4625 (logons), 4672 (admin logon), 4768/4769/4771/4776 (Kerberos/NTLM), 4648 (logon with explicit credentials), 4740 (lockout).
      ◦ Monitor 4662 and Directory Services logs for DCSync patterns (replication requests with Replication-Get-Changes permissions).
  • Hunt for common AD attack patterns:
      ◦ Spikes in TGS requests (4769), especially RC4-encrypted (0x17) tickets for service accounts that don’t support AES.
      ◦ New admin group memberships (4728/4729/4732/4733).
      ◦ GPO changes (4739/5136) outside approved windows.
      ◦ New services created (7045), scheduled tasks, or unsigned scripts from SYSVOL.
  • Deploy canaries:
      ◦ Honey accounts and credentials with alerting if authenticated.
      ◦ Canary shares and files on high-value segments.
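The hunts above, run over sample log lines, as an added Python example (not code from the article or from any vendor). The events are constructed JSON lines shaped like the fields a SIEM would extract from Windows Security and System logs; the account names, SPNs, IPs and the honey account `svc_backup_legacy` are made up. The replication-rights GUIDs are the documented Active Directory extended rights that a DCSync request needs, so a 4662 carrying them from anything other than a domain controller computer account is the indicator the text describes; the Kerberoasting hunt looks for a burst of RC4 (0x17) service tickets for distinct SPNs from one account inside a short window, which separates it from a single legacy application that still needs RC4.

```python
"""Identity-centric hunts over Windows event records (added example).

Not code from the original article. SAMPLE_EVENTS is constructed JSON-lines
data mimicking SIEM-normalised fields from Security.evtx (4624/4662/4728/4769)
and the System log (7045). Hunts return the matching records.
"""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Extended rights a DCSync request needs; legitimate use comes from DC computer accounts.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
HONEY_ACCOUNTS = {"svc_backup_legacy"}       # constructed canary: any authentication is an alert
RC4_TICKET = "0x17"
ROAST_THRESHOLD, WINDOW = 5, timedelta(minutes=5)   # distinct SPNs with RC4 tickets per window

SAMPLE_EVENTS = r"""
{"ts": "2025-02-14T09:00:01", "id": 4769, "user": "jdoe", "service": "HTTP/intranet", "enc": "0x17", "ip": "10.1.5.20"}
{"ts": "2025-02-14T09:01:00", "id": 4769, "user": "contractor7", "service": "MSSQLSvc/db01", "enc": "0x17", "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:01:05", "id": 4769, "user": "contractor7", "service": "MSSQLSvc/db02", "enc": "0x17", "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:01:09", "id": 4769, "user": "contractor7", "service": "HTTP/reports", "enc": "0x17", "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:01:12", "id": 4769, "user": "contractor7", "service": "CIFS/fileshare", "enc": "0x17", "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:01:15", "id": 4769, "user": "contractor7", "service": "ldap/dc01", "enc": "0x17", "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:05:00", "id": 4662, "user": "DC02$", "guids": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"], "ip": "10.1.0.11"}
{"ts": "2025-02-14T09:06:00", "id": 4662, "user": "contractor7", "guids": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"], "ip": "10.1.5.33"}
{"ts": "2025-02-14T09:07:00", "id": 4728, "user": "contractor7", "group": "Domain Admins", "member": "backup-ops"}
{"ts": "2025-02-14T09:07:30", "id": 4728, "user": "it-admin", "group": "Print Operators", "member": "helpdesk-9"}
{"ts": "2025-02-14T09:08:00", "id": 4624, "user": "svc_backup_legacy", "ip": "10.1.5.33", "logon_type": 3}
{"ts": "2025-02-14T09:09:00", "id": 7045, "user": "SYSTEM", "host": "FS01", "service": "updsvc", "image": "C:\\Users\\Public\\upd.exe"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, converting the timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def hunt_dcsync(events: list[dict]) -> list[dict]:
    """4662 with replication rights from a principal that is not a computer account.
    (Production: allow-list the DC computer accounts explicitly instead of trusting '$'.)"""
    return [e for e in events if e["id"] == 4662
            and REPLICATION_GUIDS & set(e.get("guids", []))
            and not e["user"].endswith("$")]


def hunt_kerberoast(events: list[dict]) -> list[dict]:
    """One account pulling RC4 service tickets for >= ROAST_THRESHOLD distinct SPNs inside WINDOW."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("enc") == RC4_TICKET:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):               # slide the window over each start point
            spns = {x["service"] for x in evs[i:] if x["ts"] - first["ts"] <= WINDOW}
            if len(spns) >= ROAST_THRESHOLD:
                alerts.append({"user": user, "spns": sorted(spns), "start": first["ts"]})
                break
    return alerts


def hunt_privileged_group_changes(events: list[dict]) -> list[dict]:
    """Members added to Tier 0 groups (4728 global / 4732 local)."""
    return [e for e in events if e["id"] in (4728, 4732) and e.get("group") in PRIVILEGED_GROUPS]


def hunt_honey_accounts(events: list[dict]) -> list[dict]:
    """Any logon or ticket activity for a canary account is a high-fidelity alert."""
    return [e for e in events if e.get("user") in HONEY_ACCOUNTS and e["id"] in (4624, 4625, 4768, 4769, 4776)]


def hunt_service_installs(events: list[dict]) -> list[dict]:
    """7045 service installs whose binary lives outside the Windows directory."""
    return [e for e in events if e["id"] == 7045
            and not e.get("image", "").lower().startswith("c:\\windows\\")]


def run_hunts(text: str = SAMPLE_EVENTS) -> dict[str, list[dict]]:
    events = parse_events(text)
    return {
        "dcsync": hunt_dcsync(events),
        "kerberoast": hunt_kerberoast(events),
        "privileged_group_change": hunt_privileged_group_changes(events),
        "honey_account": hunt_honey_accounts(events),
        "service_install": hunt_service_installs(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunts().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h.get("user"), h.get("ts") or h.get("start"))
```

Note what does not fire: the single RC4 ticket for `jdoe` (a lone legacy app is noise, not a roast) and the replication request from `DC02$` (normal DC-to-DC replication). Run against the sample, every hit except the group change traces back to the same source address, which is the kind of correlation a SIEM rule should surface on top of the individual detections.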

Map your detections to ATT&CK to close gaps: MITRE ATT&CK.

4) Ransomware Resilience and Recovery

If identity fails, recovery speed determines impact.

  • Backups you can trust:
      ◦ Follow 3-2-1-1-0: three copies, two media, one offsite, one immutable/air-gapped, zero restore errors.
      ◦ Test restores of critical systems, including domain controllers and core apps.
  • AD forest recovery readiness:
      ◦ Maintain and rehearse a documented plan: AD Forest Recovery Guide.
  • Application allowlisting and macro controls:
      ◦ Enforce allowlisting on servers and PAWs.
      ◦ Block internet macros and unsigned scripts in sensitive tiers.
  • Patch exposure points:
      ◦ Prioritize domain controllers, VPNs, EDR, management consoles, and network devices.
  • Incident communications:
      ◦ Pre-draft stakeholder notices.
      ◦ Coordinate with legal and privacy teams on regulatory obligations.

For broader ransomware guidance, see CISA’s resource hub: Stop Ransomware.

Strategic 30/60/90-Day Hardening Plan

A practical sequence to make meaningful improvements without boiling the ocean.

Day 0–30: Stabilize Identity and Reduce the Biggest Risks

  • Inventory and reduce privilege:
      ◦ Enumerate all Tier 0 assets and privileged groups. Remove non-essential members.
  • Rapid credential hygiene:
      ◦ Rotate high-risk accounts (Domain Admins, service accounts).
      ◦ Deploy LAPS for local admin passwords.
  • Contain NTLM:
      ◦ Turn on NTLM audit. Block NTLM where it won’t break critical workflows.
  • MFA and PAWs:
      ◦ Enforce phishing-resistant MFA for admins.
      ◦ Stand up Privileged Access Workstations for Domain Admins.
  • Baseline and alert:
      ◦ Centralize critical Windows event logs.
      ◦ Establish baseline and anomaly alerts for AD changes and logons.

Day 31–60: Segment, Automate, and Standardize

  • Tiered access model:
      ◦ Implement Tier 0/1/2 segmentation. Block lateral movement into Tier 0 from lower tiers.
  • Managed service identities:
      ◦ Migrate service accounts to gMSA wherever supported.
  • Policy hardening:
      ◦ Enforce LDAP signing/channel binding, SMB signing, and Kerberos AES.
  • PAM and JIT:
      ◦ Introduce privileged access management with just-in-time elevation and credential check-out.
  • Improve detection depth:
      ◦ Deploy MDI or equivalent identity sensors; enrich SIEM with DC replication and Kerberos analytics.

Day 61–90: Eliminate Legacy Debt and Build Resilience

  • Disable legacy auth:
      ◦ Where feasible, fully disable NTLM in the domain.
  • Passwordless for admins:
      ◦ Roll out FIDO2 security keys to Tier 0 personnel: FIDO2 overview.
  • Forest recovery and clean room:
      ◦ Finalize an AD forest recovery plan and test in a clean-room environment.
  • Microsegmentation:
      ◦ Enforce identity- and application-aware segmentation to limit east–west traffic.
  • Red/Purple team exercises:
      ◦ Validate controls against AD compromise and ransomware deployment scenarios.

Align your program with recognized frameworks for auditability and maturity tracking:

  • CIS Critical Security Controls v8
  • NIST SP 800-63B Digital Identity Guidelines

Supply Chain and Customer Implications

While there’s no public confirmation of customer impact as of this writing, attackers routinely turn leaked internal details into:

  • Highly credible spear phishing that mimics vendor communications.
  • Credential stuffing against vendor portals and support consoles.
  • Attempts to access shared labs, demo environments, or partner VPNs.

What you can do:

  • Validate any “urgent support” requests via official channels—not links in email.
  • Enforce unique passwords and MFA for all vendor-facing accounts.
  • Review and minimize vendor access into your environment; segment and monitor it like any untrusted zone.
  • Subscribe to vendor advisories and ISAC alerts for rapid updates.

The Bigger Lesson: Identity Is the New Perimeter

Year after year, breaches reinforce the same truth: adversaries don’t need zero-days if they can get valid credentials. When identity falters, so does everything else. The path forward isn’t a single product—it’s layered, disciplined execution across people, process, and architecture:

  • Eliminate legacy protocols (NTLM) and weak crypto.
  • Treat Tier 0 like a crown jewel with dedicated workstations and airtight policies.
  • Make credentials short-lived (JIT), managed (gMSA/LAPS), and hard to phish (FIDO2).
  • Instrument identity: collect the right logs, hunt for the right patterns, and rehearse recovery.

FAQs

Q: What happened in the Cisco incident? A: Public reporting from DIESEC states the Kraken ransomware group claims to have breached Cisco’s internal network and leaked credentials, including NTLM password hashes and domain accounts. Details may evolve; monitor Cisco PSIRT for official updates.

Q: Why are NTLM hashes a big deal? A: NTLM allows “pass-the-hash” attacks, where a valid hash can be reused to authenticate without knowing the plaintext password. Hashes can also be cracked offline if the passwords are weak or reused.

Q: Does this mean customer data was exposed? A: There’s no public confirmation of customer data exposure as of this writing. However, leaked credentials increase risks of phishing, impersonation, and attempts to access vendor portals or partner networks.

Q: What immediate steps should Cisco customers take? A: Change Cisco-related passwords (use unique, long passphrases), enforce MFA (preferably FIDO2) on admin/support accounts, monitor for suspicious logins and phishing, and follow official advisories from Cisco PSIRT.

Q: How do I reduce the impact of leaked domain credentials in my environment? A: Disable or restrict NTLM, enforce LDAP signing and SMB signing, rotate privileged and service account credentials, adopt gMSA and LAPS, implement PAWs, and enforce phishing-resistant MFA for admins.

Q: Is it safe to completely disable NTLM? A: It’s the goal, but do it in phases. Start with auditing to discover dependencies, then restrict NTLM for nonessential systems before fully disabling it. Microsoft provides staged guidance: Restrict NTLM.

Q: What is DCSync and how do I detect it? A: DCSync is an attack technique where an adversary with certain directory privileges impersonates a domain controller to request password data. Detect via 4662 Directory Service events on domain controllers and monitor for Replication-Get-Changes permissions usage.

Q: Should I reset all passwords after a credential leak? A: Prioritize privileged accounts, shared/service accounts, and any accounts overlapping with leaked contexts. Use a risk-based approach; rotate krbtgt twice if you suspect AD compromise, following Microsoft guidance.

Q: How can we defend against Kerberoasting? A: Enforce strong, random passwords for service accounts or migrate to gMSA; prefer AES encryption; monitor for unusual spikes in TGS requests (Event ID 4769), and avoid assigning SPNs to highly privileged accounts.

Q: Does MFA stop pass-the-hash? A: MFA helps for interactive and remote access, but PtH can still succeed on protocols that don’t enforce MFA (e.g., legacy protocols). Eliminate NTLM where possible, require SMB signing, and use PAWs and segmentation to limit PtH blast radius.

Q: What frameworks should we align to for identity hardening? A: Use CIS Controls v8 for prioritized safeguards, NIST SP 800-63B for identity assurance, and map detections to MITRE ATT&CK.

The Bottom Line

Credentials are the keys to your kingdom—and when they leak, the timeline to ransomware can shrink from weeks to hours. Whether or not your organization is directly affected by the alleged Cisco breach, treat it as a wake-up call to:

  • Rein in NTLM and legacy auth,
  • Harden and segment Tier 0,
  • Move to managed, just-in-time, phishing-resistant admin access,
  • Instrument identity for early detection,
  • And rehearse how you’ll recover your directory on your worst day.

Assume breach. Reduce blast radius. Make identity your strongest control—not your weakest link.
