Cisco Duo’s safety crew warns that hackers stole some clients’ VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony supplier.
Cisco Duo is a multi-factor authentication and Single Signal-On service utilized by firms to offer safe entry to inner networks and company purposes.
Duo’s homepage reports that it serves 100,000 clients and handles over a billion authentications month-to-month, with over 10,000,000 downloads on Google Play.
In emails despatched to clients, Cisco Duo says an unnamed supplier who handles the corporate’s SMS and VOIP multi-factor authentication (MFA) messages was compromised on April 1, 2024.
The discover explains {that a} risk actor obtained worker credentials by means of a phishing assault after which used these credentials to realize entry to the telephony supplier’s methods.
The intruder then downloaded SMS and VoIP MFA message logs related to particular Duo accounts between March 1, 2024, and March 31, 2024.
“We’re writing to tell you of an incident involving one in every of our Duo telephony suppliers (the “Supplier”) that Duo makes use of to ship multifactor authentication (MFA) messages by way of SMS and VOIP to its clients,” reads the notice sent to impacted customers.
“Cisco is actively working with the Supplier to research and handle the incident. Whereas the investigation is ongoing, the next is a abstract of the incident primarily based on what we now have realized so far.”
The supplier confirmed that the risk actor didn’t entry any contents of the messages or use their entry to ship messages to clients.
Nonetheless, the stolen message logs do comprise knowledge that may very well be utilized in focused phishing assaults to realize entry to delicate info, comparable to company credentials.
The info contained in these logs contains an worker’s:
- Cellphone quantity
- Service
- Location knowledge
- Date
- Time
- Message sort
When the impacted provider found the breach, they invalidated the compromised credentials, analyzed exercise logs, and notified Cisco accordingly. Further safety measures have been additionally carried out to stop comparable incidents sooner or later.
The seller supplied Cisco Duo with all the uncovered message logs, which might be requested by emailing msp@duo.com to assist higher perceive the scope of the breach, its impression, and the suitable protection technique to take.
Cisco additionally warns clients impacted by this breach to be vigilant towards potential SMS phishing or social engineering assaults utilizing the stolen info.
“As a result of the risk actor obtained entry to the message logs by means of a profitable social engineering assault on the Supplier, please contact your clients with affected customers whose telephone numbers have been contained within the message logs to inform them, with out undue delay, of this occasion and to advise them to be vigilant and report any suspected social engineering assaults to the related incident response crew or different designated level of contact for such issues,” concludes the notification from Cisco’s Knowledge Privateness and Incident Response Group.
“Please additionally contemplate educating your customers on the dangers posed by social engineering assaults and investigating any suspicious exercise.”
The FBI warned last year that risk actors have been more and more utilizing SMS phishing and voice calls in social engineering assaults to breach company networks.
In 2022, Uber was breached after a risk actor carried out an MFA fatigue assault on an worker after which contacted them on WhatsApp by way of their telephone numbers, pretending to be IT assist desk personnel. This finally led to the goal permitting the hackers to log into the account and acquire entry to Uber’s methods.
Cisco has not disclosed the provider’s title and the variety of clients impacted by this incident. BleepingComputer contacted Cisco with additional questions however a reply was not instantly accessible.
