Cisco Duo’s security team warns that hackers stole some clients’ VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony supplier.
Cisco Duo is a multi-factor authentication and Single Sign-On service used by companies to provide secure access to internal networks and corporate applications.
Duo’s homepage reports that it serves 100,000 clients and handles over a billion authentications monthly, with over 10,000,000 downloads on Google Play.
In emails sent to clients, Cisco Duo says an unnamed supplier who handles the company’s SMS and VOIP multi-factor authentication (MFA) messages was compromised on April 1, 2024.
The notice explains that a threat actor obtained employee credentials through a phishing attack and then used those credentials to gain access to the telephony supplier’s systems.
The intruder then downloaded SMS and VoIP MFA message logs associated with specific Duo accounts between March 1, 2024, and March 31, 2024.
“We’re writing to inform you of an incident involving one of our Duo telephony suppliers (the “Supplier”) that Duo uses to send multifactor authentication (MFA) messages via SMS and VOIP to its clients,” reads the notice sent to impacted clients.
“Cisco is actively working with the Supplier to investigate and address the incident. While the investigation is ongoing, the following is a summary of the incident based on what we have learned thus far.”
The supplier confirmed that the threat actor did not access any contents of the messages or use their access to send messages to clients.
However, the stolen message logs do contain data that could be used in targeted phishing attacks to gain access to sensitive information, such as corporate credentials.
The data contained in these logs includes an employee’s:
- Phone number
- Carrier
- Location data
- Date
- Time
- Message type
When the impacted provider discovered the breach, they invalidated the compromised credentials, analyzed activity logs, and notified Cisco accordingly. Additional security measures were also implemented to prevent similar incidents in the future.
The vendor provided Cisco Duo with all the exposed message logs, which can be requested by emailing msp@duo.com to help better understand the scope of the breach, its impact, and the appropriate defense strategy to take.
Cisco also warns clients impacted by this breach to be vigilant against potential SMS phishing or social engineering attacks using the stolen information.
“Because the threat actor obtained access to the message logs through a successful social engineering attack on the Supplier, please contact your clients with affected customers whose telephone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters,” concludes the notification from Cisco’s Data Privacy and Incident Response Team.
“Please also consider educating your customers on the risks posed by social engineering attacks and investigating any suspicious activity.”
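To scope who needs to be notified, the exposed message log can be joined against an organisation's own user directory, restricted to the March 2024 window given in the notice. The following is an added example, not from Cisco's notice or the original article; the CSV column layout, the sample rows (fictional 555-01xx numbers), and the default country code are assumptions constructed for illustration.

```python
import csv, io, re
from collections import defaultdict
from datetime import date, datetime

# Period the notice says the downloaded logs cover.
WINDOW = (date(2024, 3, 1), date(2024, 3, 31))

# Constructed sample data; the column layout is an assumption, not Duo's export format.
EXPOSED_LOG = """phone,carrier,location,date,time,type
+1 (555) 010-0101,ExampleTel,US-TX,2024-03-04,09:12:44,sms
+15550100101,ExampleTel,US-TX,2024-03-18,17:03:10,voip
555-010-0199,OtherCell,US-NY,2024-03-29,08:00:01,sms
+15550100150,OtherCell,US-CA,2024-03-30,12:00:00,sms
+15550100101,ExampleTel,US-TX,2024-04-02,11:30:00,sms
"""
DIRECTORY = """user,phone
alice,+1 555 010 0101
bob,(555) 010-0199
carol,+1 555 010 0177
"""

def normalize(phone, default_cc="1"):
    """Reduce a number to digits with a country code so differing formats compare equal."""
    digits = re.sub(r"\D", "", phone)
    return digits if len(digits) > 10 else default_cc + digits  # assumes 10-digit national numbers

def affected_users(log_csv, directory_csv):
    """Return ({user: [(date, type, location), ...]}, {exposed numbers with no known owner})."""
    owners = {normalize(r["phone"]): r["user"]
              for r in csv.DictReader(io.StringIO(directory_csv))}
    hits, unmatched = defaultdict(list), set()
    for row in csv.DictReader(io.StringIO(log_csv)):
        day = datetime.strptime(row["date"], "%Y-%m-%d").date()
        if not WINDOW[0] <= day <= WINDOW[1]:
            continue  # outside the period covered by the stolen logs
        number = normalize(row["phone"])
        if number in owners:
            hits[owners[number]].append((row["date"], row["type"], row["location"]))
        else:
            unmatched.add(number)  # e.g. a departed user or reassigned number: review manually
    return dict(hits), unmatched

if __name__ == "__main__":
    hits, unmatched = affected_users(EXPOSED_LOG, DIRECTORY)
    for user, entries in sorted(hits.items()):
        print(f"notify {user}: {len(entries)} exposed entries, types {sorted({e[1] for e in entries})}")
    print("unmatched numbers for manual review:", sorted(unmatched))
```

Numbers that appear in the log but not in the directory are returned separately rather than dropped, since they may belong to users whose records have since changed.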
The FBI warned last year that threat actors were increasingly using SMS phishing and voice calls in social engineering attacks to breach corporate networks.
In 2022, Uber was breached after a threat actor carried out an MFA fatigue attack on an employee and then contacted them on WhatsApp via their phone numbers, pretending to be IT help desk personnel. This eventually led to the target allowing the hackers to log into the account and gain access to Uber’s systems.
Cisco has not disclosed the provider’s name and the number of clients impacted by this incident. BleepingComputer contacted Cisco with further questions but a reply was not immediately available.