In July 2025, Cisco disclosed a security breach that began with a voice-phishing (vishing) call to an internal employee. The call gave the attacker access to a third-party, cloud-based CRM instance used by Cisco, from which profile data for a subset of Cisco.com user accounts was exported. No Cisco products, services or sensitive enterprise data were accessed, but the incident illustrates two persistent risks: social engineering that bypasses technical controls, and customer data held in SaaS platforms that sit outside the organization's own monitoring.
Severity Level: High
Incident Overview
- Incident Type: Voice phishing (vishing)
- Date Discovered: July 24, 2025
- Targeted System: One instance of a third-party, cloud-based Customer Relationship Management (CRM) system (not named by Cisco; likely Salesforce, given the wider campaign described below)
- Response Actions from Cisco:
  - Immediate termination of the threat actor's access
  - Internal investigation launched
  - Authorities and affected users notified
  - Security awareness re-training for staff
How The Breach Happened
A Cisco employee was socially engineered over the phone. The call gave the attacker either the employee's credentials or an authenticated session for the third-party CRM system (public reporting does not say which). With that access the adversary was able to:
- Log in to the CRM instance used by Cisco
- Search for and export user profile records
- Do so without dropping any malware, so endpoint and network security tooling had nothing to alert on
No technical vulnerability was exploited. The attacker relied on human manipulation to obtain a legitimate, trusted access path into a SaaS service holding Cisco customer data, which is exactly the path that perimeter and endpoint controls are not positioned to inspect.
Data Exposed During The Breach
Only registered Cisco.com user accounts were affected, and the exported records contained basic profile data:
- Full name
- Organization name
- Physical address
- Cisco-assigned user ID
- Email address
- Phone number
- Account metadata (e.g., account creation date)
No passwords, sensitive enterprise information or financial data were exposed, and no Cisco products or services were affected.
Association With Larger Campaign
- Cisco's breach appears to be part of a broader wave of vishing attacks against Salesforce instances.
- Other high-profile victims reported in the same wave: Adidas, Qantas, Allianz Life, LVMH brands, Chanel, Pandora
- Suspected actor: the ShinyHunters group, which uses social engineering and vishing to obtain CRM access and then exfiltrates customer data.
Lessons Learned
- Even well-trained personnel can fall for voice-based phishing; security training must extend beyond email phishing to include real-world voice-based social engineering scenarios.
- SaaS platforms such as CRMs sit outside the endpoint and network controls most organizations rely on; unless their audit logs are fed into internal security monitoring, an attacker holding a valid session can export data without tripping a single alert.
Recommendations
- Perform Continuous Risk Assessments on third-party platforms, especially those storing customer data (e.g., CRM systems like Salesforce).
- Enforce Multi-Factor Authentication (MFA) on all Salesforce and related SaaS accounts, preferring phishing-resistant hardware tokens (FIDO2/WebAuthn) or app-based authenticators over SMS. MFA alone does not stop a vishing attack in which the caller talks the employee through approving a login or a connected-app consent prompt, so pair it with the connected-app restrictions below.
- Restrict OAuth app access to pre-approved applications only, using the connected-app allowlisting (admin pre-authorization) features in Salesforce and in the identity provider.
- Regularly audit and remove unused or risky OAuth-connected applications from Salesforce and third-party ecosystems.
- Configure Salesforce Connected App Policies to limit token scope, session duration, and permitted users.
- Conduct vishing and phishing simulation exercises specifically focused on SaaS platforms and OAuth workflows.
- Provide contextual training to employees (especially customer service and IT) about malicious OAuth consent prompts.
- Limit Scope of Data Stored in SaaS platforms to only what is strictly necessary.
- Enable Salesforce Shield (Event Monitoring) or third-party logging tools, ship the logs to the SIEM, and monitor for:
  - Unusual API activity
  - New OAuth app authorizations
  - Bulk data exports
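As an added example (not Cisco's code, and not a Salesforce product feature), the following Python runs the three monitoring rules above, plus the connected-app allowlist from the earlier recommendation, over a constructed batch of audit events. The event schema is a simplified one loosely modelled on Salesforce Real-Time Event Monitoring login and API events; the field names, user names, application names, IP addresses and thresholds are all assumptions made for this example.

```python
import json
from collections import Counter

# Policy knobs: assumptions for this example, to be tuned per tenant.
APPROVED_APPS = {"Salesforce for Outlook", "Internal Reporting"}  # connected-app allowlist
BULK_ROWS_PER_HOUR = 10_000          # rows one user may read via the API per hour
SPIKE_FACTOR = 3                     # calls/hour above N x baseline counts as a spike
BASELINE_CALLS_PER_HOUR = {"alice": 20, "bob": 15}  # learned per-user baselines (assumed)
DEFAULT_BASELINE = 10                # for users with no history


def sample_event_lines():
    """Return constructed JSON-lines audit events (not from any real incident).

    'alice' is a normal user. 'bob' stands in for the vished employee: an
    unapproved connected app logs in with his session and then scrapes contact
    data, first in two large reads and then in sixty small paged reads.
    """
    events = [
        {"type": "Login", "ts": "2025-07-24T09:02:11Z", "user": "alice",
         "app": "Salesforce for Outlook", "ip": "198.51.100.7"},
        {"type": "Api", "ts": "2025-07-24T09:05:40Z", "user": "alice",
         "app": "Salesforce for Outlook", "op": "Query", "entity": "Contact", "rows": 120},
        {"type": "Login", "ts": "2025-07-24T13:41:03Z", "user": "bob",
         "app": "My Ticket Portal", "ip": "203.0.113.9"},
        {"type": "Api", "ts": "2025-07-24T13:44:10Z", "user": "bob",
         "app": "My Ticket Portal", "op": "Query", "entity": "Contact", "rows": 48000},
        {"type": "Api", "ts": "2025-07-24T13:47:55Z", "user": "bob",
         "app": "My Ticket Portal", "op": "Query", "entity": "Account", "rows": 9100},
    ]
    for i in range(60):  # small reads that are individually unremarkable
        events.append({"type": "Api",
                       "ts": f"2025-07-24T13:{48 + i // 6:02d}:{(i % 6) * 10:02d}Z",
                       "user": "bob", "app": "My Ticket Portal", "op": "Query",
                       "entity": "Contact", "rows": 5})
    return "\n".join(json.dumps(e) for e in events)


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Run the three rules over a batch of events and return a list of alerts."""
    alerts = []
    calls, rows = Counter(), Counter()
    for e in events:
        # Bucket by the ISO 8601 hour prefix 'YYYY-MM-DDTHH'.
        key = (e["user"], e["ts"][:13])
        if e["type"] == "Login" and e["app"] not in APPROVED_APPS:
            # Rule 1: a connected app outside the allowlist obtained a session.
            alerts.append({"rule": "unapproved_connected_app", "user": e["user"],
                           "detail": f"{e['app']} from {e['ip']} at {e['ts']}"})
        elif e["type"] == "Api":
            calls[key] += 1
            rows[key] += e.get("rows", 0)
    for (user, hour), n in rows.items():
        if n > BULK_ROWS_PER_HOUR:
            # Rule 2: bulk export, summed per hour so paging does not hide it.
            alerts.append({"rule": "bulk_export", "user": user,
                           "detail": f"{n} rows read in hour {hour}"})
    for (user, hour), n in calls.items():
        baseline = BASELINE_CALLS_PER_HOUR.get(user, DEFAULT_BASELINE)
        if n > SPIKE_FACTOR * baseline:
            # Rule 3: API call volume far above this user's baseline.
            alerts.append({"rule": "api_spike", "user": user,
                           "detail": f"{n} calls in hour {hour} (baseline {baseline})"})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(sample_event_lines())):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

On the constructed data the script raises three alerts, all for the compromised account: the unapproved connected app at login, 57,400 rows read in one hour, and 62 API calls against a baseline of 15. The per-hour aggregation is the important design choice: an attacker who exports in pages of a few hundred records never trips a per-request threshold, and the unapproved-app rule fires at the first login, before any data has moved. SaaS audit logs such as Salesforce Event Monitoring can be exported on a schedule and fed through rules of this shape in a SIEM.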
Source:
- https://www.bleepingcomputer.com/news/security/cisco-discloses-data-breach-impacting-ciscocom-user-accounts/amp/
- https://sec.cloudapps.cisco.com/security/center/resources/CRM-vishing