Cisco Duo MFA Third-Party Service Provider Breached, SMS Logs Stolen
A third-party telephony provider used by Cisco suffered a breach in which attackers broke into its systems and downloaded message logs for the authentication SMS messages it sent on behalf of Duo Security. The stolen data puts customers at risk of social engineering attacks that trick them into revealing credentials, enable financial fraud, and so on.
- A third-party telephony provider used by Cisco suffered a breach in which attackers downloaded message logs for authentication SMS messages sent for Duo Security.
- The breach took place on April 1, 2024.
The Cisco Data Privacy and Incident Response Team notified customers on Monday of a breach at one of the Duo telephony suppliers. Cisco said that the attackers, who gained access to the third-party provider’s systems through stolen credentials in a phishing attack, later downloaded multifactor authentication (MFA) SMS message logs pertaining to some Duo accounts.
Cisco revealed that the unknown attacker now has message logs for SMS messages sent between March 1, 2024, and March 31, 2024. The logs include phone numbers, phone carriers, countries, the state to which messages were sent, and metadata, including the date and time of the message, type of message, and more.
The stolen data puts customers at risk of social engineering attacks to trick them into revealing credentials, carrying out financial fraud, etc. “A common use case for MFA solutions is to send a text message to a user/consumer to verify an online attempt to log in,” Jim Routh, chief trust officer at Saviynt, told Spiceworks News & Insights over email.
“The effectiveness of this option is the SMS message, which is typically accessed on a mobile device independent of the original device. In this case, the SMS messages themselves were compromised and extracted by a (threat actor) criminal. This makes it easier for the threat actor to reverse engineer information to target the user/consumer using a customized phishing lure.”
The unnamed third party provides Cisco with MFA message-sending services via SMS and VOIP. “The Provider has provided us with a copy of the message logs pertaining to your Duo account that the threat actor obtained, and we will provide you with a copy of those logs upon request,” Cisco noted.
Acquired by Cisco in 2018 for $2.35 billion, Duo has over 100,000 users using its MFA services on more than 170,000 devices across 98 countries.
Jeff Margolies, chief product & strategy officer at Saviynt, opined:
“There are two interesting trends in the Cisco Duo attack. This is yet another attack on Identity Security providers, showing that threat actors are recognizing and attacking this key part of the security architecture. The second is how the attackers took advantage of a third party, or in this case a fourth party, which shows how important third-party security is becoming for enterprises.”
Cisco’s third-party telephony provider invalidated the phished employee’s credentials after discovering the breach.
The FBI’s Internet Crime Complaint Center (IC3) reported in its Internet Crime Report 2023 that phishing is the most complained-about cybercrime type, with 298,878 complaints in 2023 (down 6.93% versus 2022), and is responsible for losses of more than $18.72 million.
“Authentication providers are rich targets for bad actors because if a hacker compromises credentials, the API transactions appear legitimate. The Cisco Duo attack also took advantage of their telephony supplier,” Jamie Beckland, chief product officer at API Context, told Spiceworks.
“This highlights the need for digital product owners to have a deep understanding of their API suppliers. Cisco Duo’s customers may not have been aware that they are reliant on a third-party telephony vendor. Tracking API suppliers in real time is crucial for rapid response to security issues.”