If Cisco Can Get Hacked, So Can You: The Trust Problem in Cybersecurity
Cisco is one of the most trusted names in technology. Their routers, switches, and security products run the backbone of American infrastructure, from hospitals to banks to government agencies. If there is a company you would expect to have their security figured out, it is Cisco.
This week, Cisco confirmed that attackers breached their internal development environment, stole source code, cloned over 300 private repositories, and accessed AWS accounts. The source code included their AI products and, more troubling, code belonging to their customers, including banks and government agencies.
The attack did not start with Cisco. It started with a tool Cisco trusted.
The Tool You Trust Is the Tool They Target
The attackers compromised Trivy, an open source vulnerability scanner used by thousands of organizations to check their own systems for security flaws. They poisoned the tool at the source, injecting credential-stealing malware into its official releases and its GitHub automation pipeline. Every organization that ran a poisoned Trivy release was unknowingly handing its credentials to the attackers.
Think about that for a moment. Cisco was running a security tool designed to find vulnerabilities, and that tool is what let the attackers in. The very thing they trusted to keep them safe became the door.
This is called a supply chain attack, and the group behind it, tracked as TeamPCP, did not stop at Trivy. They hit Checkmarx, LiteLLM, and dozens of other developer tools in a coordinated campaign. If your business uses any third-party tools, plugins, or integrations, and every business does, you are exposed to the same kind of risk.
If Cisco, with their dedicated incident response teams, their security operations center, and their billions in resources cannot blindly trust the tools in their environment, what makes any of us think we can?
What We Are Seeing on the Ground
While the Cisco story was breaking, our team spent the past week doing hands-on incident response and remediation for businesses right here in Connecticut. Not Fortune 500 companies. Small and mid-sized businesses using Microsoft 365, with MFA enabled, that still got compromised.
The two attack methods we are seeing repeatedly are cellular cloning and token hijacking. Both exploit a false sense of security that comes from thinking you have done enough just by turning on multi-factor authentication.
With cellular cloning, attackers duplicate a target's mobile phone number so they receive the SMS verification codes. In one case we remediated, the attacker got the user's password through a phishing email, triggered an MFA challenge, and intercepted the text message code because the number had been cloned. From there, they set up email forwarding rules, installed rogue OAuth applications, and operated inside the account undetected.
With token hijacking, the attack is even more sophisticated. Attackers use phishing proxies that sit between the user and the real login page. The user enters their credentials, approves the MFA push on their authenticator app, and everything looks normal. But the proxy captures the session token in real time. The attacker then replays that token from their own machine, and they are in. MFA was satisfied. The session is valid. In one of our cases, a user in Connecticut approved a legitimate-looking MFA prompt, and within minutes an attacker on the other side of the country was accessing the account using that same session.
A password reset does not fix this. The attacker is not using the password anymore. They are using the token.
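One way a monitoring tool can catch the replay described above is to correlate sign-in events by session: the same session appearing from two places too far apart to travel between in the elapsed time is a strong signal of a stolen token. The following is an added illustration, not the page's or any product's code; the record fields and the constructed sample events are assumptions modelled loosely on cloud sign-in logs.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (field names are assumptions, loosely modelled on
# cloud sign-in logs). Coordinates are rough city centres; IPs are documentation ranges.
SIGNINS = [
    {"user": "jdoe@example.com", "session": "s-1001", "time": "2025-03-03T14:02:10Z",
     "ip": "203.0.113.10", "lat": 41.77, "lon": -72.67, "mfa": True},   # Hartford, CT: user approves push
    {"user": "jdoe@example.com", "session": "s-1001", "time": "2025-03-03T14:06:45Z",
     "ip": "198.51.100.7", "lat": 37.77, "lon": -122.42, "mfa": False}, # San Francisco: token replayed, no new MFA
    {"user": "asmith@example.com", "session": "s-2002", "time": "2025-03-03T15:00:00Z",
     "ip": "203.0.113.20", "lat": 41.31, "lon": -72.92, "mfa": True},   # New Haven, CT
    {"user": "asmith@example.com", "session": "s-2002", "time": "2025-03-03T17:30:00Z",
     "ip": "203.0.113.20", "lat": 41.31, "lon": -72.92, "mfa": False},  # same place, same IP: normal reuse
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_token_replays(events, max_window=timedelta(hours=1), min_km=500.0):
    """Return one finding per session whose consecutive uses are farther apart than
    min_km yet closer in time than max_window. MFA is not re-checked here because a
    replayed token has already satisfied it, which is exactly why the sign-in looks normal."""
    by_session = {}
    for ev in events:
        by_session.setdefault(ev["session"], []).append(ev)
    findings = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            elapsed = parse_time(cur["time"]) - parse_time(prev["time"])
            if km >= min_km and elapsed <= max_window:
                findings.append({"user": cur["user"], "session": session, "km": round(km),
                                 "minutes": round(elapsed.total_seconds() / 60, 1),
                                 "from_ip": prev["ip"], "to_ip": cur["ip"]})
    return findings


if __name__ == "__main__":
    for f in find_token_replays(SIGNINS):
        print(f"ALERT {f['user']} session {f['session']} reused {f['km']} km away "
              f"after {f['minutes']} min ({f['from_ip']} -> {f['to_ip']}); revoke sessions")
```

Real sign-in logs carry a session or correlation identifier and a geolocated IP, so the same logic applies once those fields are mapped.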
This Is Not Just a Microsoft Problem
If your business runs on Google Workspace and you are thinking this does not apply to you, it does. Token hijacking and session theft are not platform specific. The same adversary-in-the-middle phishing kits that work against Microsoft sign-in flows work against Google just as effectively. OAuth app abuse, session cookie theft, and phishing proxy attacks hit both ecosystems.
Whether you use Microsoft or Google, the question is the same: do you have the right controls in place, or are you relying on a false sense of security?
The Trust Problem
Here is the uncomfortable reality. You cannot fully trust any single tool, vendor, or platform to keep you safe. Cisco trusted Trivy. Thousands of developers trusted GitHub Actions. Our clients trusted that MFA was enough.
Trust in cybersecurity has to be earned continuously, not assumed. It requires layers. It requires verification. And it requires someone actively watching your environment for the signs that something has gone wrong, because by the time you notice on your own, the attacker has usually been inside for days or weeks.
What You Should Do Right Now
These are the concrete steps every business should take, whether you have five employees or fifty.
Eliminate SMS as an MFA method across your organization. Move every user to an authenticator app or hardware security keys. Text message codes can be intercepted through number cloning and SIM swapping, and attackers are actively exploiting this right now.
Implement conditional access policies. If you are on Microsoft 365 Business Premium or E3 licensing, you already have the tools to require sign-ins from managed, compliant devices only. This is one of the strongest defenses against token hijacking because even if the attacker steals a session token, they cannot satisfy the device compliance check from their own machine.
Audit your OAuth applications and email rules. After every compromise we remediate, we find rogue apps and hidden forwarding rules that the attacker set up to maintain access. These survive password resets. You need to revoke all active sessions, remove unauthorized applications, and review every inbox rule in the affected account.
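A triage script of the kind this audit calls for, written here as an added example and not code from the page or from Microsoft: it takes inbox rules in the shape of Exchange Online Get-InboxRule output (recipient lists simplified to plain SMTP addresses, which is an assumption about the export) and flags the patterns that survive a password reset.

```python
ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own accepted domains

# Constructed sample rules, shaped like Exchange Online Get-InboxRule output with the
# recipient lists simplified to plain SMTP addresses (an assumption about the export).
RULES = [
    {"Mailbox": "jdoe@example.com", "Name": "Invoices to AP", "Enabled": True,
     "ForwardTo": ["ap@example.com"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "MarkAsRead": False},   # internal forward: fine
    {"Mailbox": "jdoe@example.com", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ["collector@mail.example.net"], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True, "MoveToFolder": None, "MarkAsRead": False},    # sends mail out, then deletes it
    {"Mailbox": "asmith@example.com", "Name": "Cleanup", "Enabled": True,
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},  # hides replies
    {"Mailbox": "asmith@example.com", "Name": "Old", "Enabled": False,
     "ForwardTo": ["me@mail.example.net"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "MoveToFolder": None, "MarkAsRead": False},   # disabled: still worth a look
]


def external_recipients(rule, org_domains=ORG_DOMAINS):
    """Recipients whose domain is not one of the organization's own."""
    recipients = rule["ForwardTo"] + rule["RedirectTo"] + rule["ForwardAsAttachmentTo"]
    return [r for r in recipients if r.rsplit("@", 1)[-1].lower() not in org_domains]


def triage_inbox_rules(rules, org_domains=ORG_DOMAINS):
    """Return findings for rules that forward mail out, delete it, or hide it from the user."""
    findings = []
    for rule in rules:
        reasons = []
        ext = external_recipients(rule, org_domains)
        if ext:
            reasons.append("forwards or redirects outside the organization: " + ", ".join(ext))
        if rule["DeleteMessage"]:
            reasons.append("deletes matching messages")
        if rule["MoveToFolder"] and rule["MarkAsRead"]:
            reasons.append(f"hides matching messages, already read, in '{rule['MoveToFolder']}'")
        if not rule["Name"].strip(" ."):
            reasons.append("blank or punctuation-only rule name")
        if reasons:
            findings.append({"Mailbox": rule["Mailbox"], "Name": rule["Name"],
                             "Enabled": rule["Enabled"], "reasons": reasons})
    findings.sort(key=lambda f: not f["Enabled"])  # live rules first; disabled ones still get reviewed
    return findings


if __name__ == "__main__":
    for f in triage_inbox_rules(RULES):
        state = "ENABLED" if f["Enabled"] else "disabled"
        print(f"{f['Mailbox']} rule {f['Name']!r} ({state}): " + "; ".join(f["reasons"]))
```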
Invest in monitoring and automated response. Tools that detect anomalous sign-in behavior and automatically lock accounts can cut the time between compromise and containment from days down to seconds. Prevention is the goal, but detection is what saves you when prevention fails.
Review what has access to your environment. Every third-party integration, every browser extension, every plugin, every connected app is a potential entry point. If you do not know what is connected to your systems, you cannot secure them. The Cisco breach started with a trusted tool in their build pipeline. Your version of that might be a browser extension, a payroll integration, or an email plugin you forgot you installed.
The Bottom Line
The Cisco breach is not just a story about a big company getting hacked. It is a warning about what happens when you trust without verifying. The attackers did not break through Cisco's front door. They walked in through a tool Cisco invited into their environment.
The same thing is happening to small businesses every week. We see it firsthand. The attacks are real, they are sophisticated, and they are hitting companies that thought they had the basics covered.
If you have not had a security review of your environment in the past year, or if you are not sure whether your MFA, conditional access, and monitoring are properly configured, now is the time. Reach out to us at Northeast Control. We will help you figure out where your gaps are before someone else finds them first.

