Cisco takes DevHub environment offline after cyberattack

After careful consideration, Cisco has decided to close its DevHub environment, a resource center to support Cisco’s community by making parts of the company’s software code and scripts publicly available.
Last week, Cisco announced it had launched an investigation after a threat actor claimed he stole sensitive corporate data.
IntelBroker, a well-known hacker, said that he and two other attackers were able to steal confidential information, including GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer SRCs, confidential Cisco documents, Jira tickets, API tokens, AWS private buckets, Cisco technology SRCs, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and Cisco premium products.
In an update, Cisco says it’s confident that none of its systems have been breached. However, the San Jose-based tech company found that a small number of files that weren’t supposed to be publicly available may have been obtained and published.
To minimize the impact of the data breach and safeguard other confidential information, Cisco has decided to take its DevHub environment offline.
“Out of an abundance of caution, we have disabled public access to the site while we continue the investigation. Meanwhile, Cisco will engage directly with customers if we determine they have been impacted by this event,” the tech company says.
The investigation is still ongoing. So far there are no signs that any confidential information, such as personally identifiable information or financial data, has been obtained or misused.
IntelBroker, who spoke to BleepingComputer about the data breach, said he had gained access to Cisco’s corporate network via a third-party developer environment through an exposed API token.
To prove this, the threat actor shared screenshots and files. According to the tech site, these showed that IntelBroker was able to access most, if not all, of the data stored on this portal. This data included source code, configuration files with database credentials, technical documentation, and SQL files.
When asked whether he had tried to extort Cisco in exchange for not publishing the data he had stolen, IntelBroker said he hadn’t. “I wouldn't trust a threat actor if they asked for money not to leak my stuff, so they shouldn’t either,” he told BleepingComputer.
IntelBroker is a well-known hacker who’s allegedly responsible for data breaches at DC Health Link, AMD, T-Mobile, Apple, Hewlett Packard Enterprise (HPE), Home Depot, and the Europol Expert Platform (EPE).