Cisco Duo MFA logs exposed in third-party data breach

Mobile phone showing cisco logo
(Image credit: Getty Images)

Cisco Duo has warned customers that threat actors recently compromised the internal systems of an unnamed telephony provider and were able to access a set of SMS message logs generated by its multi-factor authentication (MFA) service.

Duo is Cisco’s MFA and single sign-on (SSO) platform, acquired in 2018, and is used by organizations to manage access to a wide range of protected systems.

The Cisco Data Privacy and Incident Response Team issued an alert on 15 April 2024, warning customers that the provider Duo uses to send MFA messages via SMS and voice over IP (VoIP) had been breached.

According to the alert, the attackers gained access to the provider's internal systems on 1 April 2024 using employee credentials obtained through a phishing attack.

The threat actor then used this access to download a set of SMS message logs sent to users between 1 March 2024 and 31 March 2024.

Cisco’s notice did not name the provider in question, nor did it say how many customers were impacted by the incident, but Duo counts more than 100,000 customers, so the exposure could affect thousands of organizations.

The breached telephony provider confirmed to Cisco that the attackers were not able to download or view the content of the messages, but the logs nonetheless revealed sensitive information.

The data accessed contained users’ phone numbers, carrier information, approximate location data, and the date and time each message was sent. Cisco warned that this information could be used by the attackers to orchestrate a wider social engineering campaign against affected Duo customers: a caller who already knows a user's number, carrier and the time of a recent MFA text has a convincing pretext for posing as the service desk or the carrier.

Cisco added that the provider supplied it with a copy of the message logs the threat actor obtained, which will be provided to customers upon request.

To request a copy of these message logs, or for any further support, Duo customers should contact msp@duo.com.

Customers should beware of further social engineering attacks

Cisco said the provider launched an investigation as soon as it became aware of the breach and implemented a series of mitigation measures.

The first of these steps was to invalidate the compromised credentials and analyze activity logs, as well as notifying Cisco of the incident.

The provider also said it would be refreshing its security posture to ensure similar incidents do not happen again, including technical measures to reduce the risk of social engineering attacks compromising an endpoint, and would require its staff to undergo further social engineering awareness training.

Because of the nature of the data accessed by the threat actors, Cisco’s incident response team advised Duo customers to notify, as soon as possible, every user whose phone number appears in the exposed message logs, and to warn them of the social engineering risk.
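Building that notification list means cross-referencing the provider's log export against the organization's own user directory, which is fiddly mainly because phone numbers arrive in inconsistent formats. The following script is an added example written for this article, not code from Cisco, Duo or the provider; the column layout of the exported log (timestamp, phone_number, carrier, location) and the roster format are assumptions, and both data sets below are constructed samples. It normalizes numbers to E.164 before matching, maps each affected user to the rows that expose them, and separately flags rows whose timestamps fall outside the 1 to 31 March 2024 window Cisco described, as a sanity check on the export.

```python
"""Cross-reference an exposed SMS log export against a Duo user roster (added example)."""
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample export. Assumption: CSV with these four columns; the real
# export's schema is not described in the article.
EXPOSED_LOG_CSV = """\
timestamp,phone_number,carrier,location
2024-03-03T14:02:11Z,+1 (415) 555-0134,ExampleCell,"San Francisco, US"
2024-03-17T09:45:02Z,+44 7700 900123,ExampleMobile UK,"London, GB"
2024-02-28T23:59:59Z,+1 415 555 0199,ExampleCell,"Oakland, US"
2024-03-30T08:00:00Z,415-555-0134,ExampleCell,"San Francisco, US"
"""

# Constructed roster in the shape an admin might export from their directory.
USER_ROSTER_CSV = """\
username,phone
alice,+14155550134
bob,+447700900123
carol,+14155550199
dave,+13125550177
"""

# The exposure window stated in Cisco's alert.
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 31, 23, 59, 59, tzinfo=timezone.utc)


def normalize_phone(raw, default_country_code="1"):
    """Reduce a number to E.164 so that '415-555-0134', '+1 (415) 555-0134' and
    '1 415 555 0134' all compare equal. Assumption: numbers without a leading
    '+' belong to the default country."""
    digits = re.sub(r"\D", "", raw)
    if not raw.strip().startswith("+"):
        # Avoid doubling the country code when it was typed without the '+'.
        if not (len(digits) == 11 and digits.startswith(default_country_code)):
            digits = default_country_code + digits
    return "+" + digits


def parse_exposed_log(csv_text):
    """Parse the export into rows with a UTC datetime and a normalized phone."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "timestamp": ts.replace(tzinfo=timezone.utc),
            "phone": normalize_phone(row["phone_number"]),
            "carrier": row["carrier"],
            "location": row["location"],
        })
    return rows


def rows_outside_window(csv_text, start=WINDOW_START, end=WINDOW_END):
    """Rows dated outside the stated window: worth querying with the provider."""
    return [r for r in parse_exposed_log(csv_text) if not start <= r["timestamp"] <= end]


def affected_users(log_csv, roster_csv):
    """Map each roster user whose phone appears in the log to the exposing rows.
    Every row counts, even if its date looks wrong, since the exposure is real."""
    roster = {normalize_phone(r["phone"]): r["username"]
              for r in csv.DictReader(io.StringIO(roster_csv))}
    hits = {}
    for entry in parse_exposed_log(log_csv):
        user = roster.get(entry["phone"])
        if user is None:
            continue  # not one of our users; nothing to notify
        hits.setdefault(user, []).append(entry)
    return hits


def notification_summary(hits):
    """One line per affected user describing what an attacker now knows about them."""
    lines = []
    for user, rows in sorted(hits.items()):
        carriers = ", ".join(sorted({r["carrier"] for r in rows}))
        first = min(r["timestamp"] for r in rows).date()
        last = max(r["timestamp"] for r in rows).date()
        lines.append(f"{user}: {len(rows)} message(s) from {first} to {last}; carrier(s) {carriers}")
    return lines


if __name__ == "__main__":
    hits = affected_users(EXPOSED_LOG_CSV, USER_ROSTER_CSV)
    for line in notification_summary(hits):
        print(line)
    for r in rows_outside_window(EXPOSED_LOG_CSV):
        print("outside stated window:", r["timestamp"].isoformat(), r["phone"])
```

Matching on normalized numbers rather than raw strings is the point: the same user appears twice above under two spellings of one number, and a naive string comparison would under-count who needs to be told. The out-of-window check does not exclude anyone from notification; it exists to catch an export that does not match what the provider claimed was taken.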

Cisco stressed that the information exposed in the breach could be used to orchestrate further social engineering attacks against Duo customers, and that any suspected attacks should be reported to the relevant security teams.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.