Cisco Duo MFA logs exposed in third-party data breach
Cyber attack on an unnamed supplier for Cisco Duo’s SMS and VOIP multifactor authentication service exposes sensitive customer data used across internal networks and corporate apps


Cisco Duo has warned customers that threat actors recently compromised the internal systems of an unnamed telephony provider, and were able to access a series of SMS logs used for its multi-factor authentication (MFA) service.
Duo is Cisco’s MFA and single sign-on (SSO) platform, acquired in 2018, and is used by organizations to manage access to a wide range of protected systems.
The Cisco Data Privacy and Incident Response Team issued an alert on 15 April 2024, warning customers the provider it uses to send MFA messages via SMS and voice over internet protocol (VOIP) was breached.
The attackers were able to access an unnamed third party’s internal systems on 1 April 2024, using employee credentials obtained through a phishing attack, according to the alert.
The threat actor then used this access to download a set of SMS message logs sent to users between 1 March 2024 and 31 March 2024.
Cisco’s notice did not disclose the name of the provider in question, nor did it reveal the number of customers impacted by the incident, but with over 100,000 customers, this incident could impact thousands.
The breached telephone provider confirmed to Cisco the attackers were not able to download or see the content of the messages, but the logs did reveal sensitive information nonetheless.
The data accessed contained users’ phone numbers, carrier information, general location data, as well as the date and time of the message. This information could be used by the attackers to orchestrate a wider social engineering campaign on affected Duo customers, Cisco warned.
Cisco added that the provider supplied it with a copy of the message logs the threat actor obtained, which will be provided to customers upon request.
To request a copy of these message logs, or for any further support, Duo customers should contact msp@duo.com.
Customers should beware of further social engineering attacks
Cisco said the provider launched an investigation into the incident as soon as it became aware of the breach, and implemented a series of mitigation measures.
The first of these steps was to invalidate the affected credentials and analyze activity logs, as well as notifying Cisco of the incident.
The provider also said it would be refreshing its security posture to ensure similar incidents do not happen again, including technical measures to reduce the risk of social engineering attacks compromising an endpoint. It would also be requiring its staff to undergo further social engineering awareness training.
Due to the nature of the data accessed by the threat actors, Cisco’s incident response team advised businesses to contact their customers with a list of who was affected as soon as possible.
Cisco stressed that the information exposed in the breach could be used to orchestrate further social engineering attacks on Duo customers, and that any suspected attacks should be reported to the relevant teams.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.