Cisco Duo warned its customers that threat actors recently compromised the internal systems of an unnamed telephony carrier and were able to access a set of SMS logs used by its multi-factor authentication (MFA) service.
Duo is Cisco's MFA and single sign-on (SSO) platform, acquired in 2018, and is used by organizations to manage access to a wide range of protected systems.
Cisco's data privacy and incident response team issued an alert on April 15, 2024, warning customers that the provider it uses to send MFA messages over SMS and Voice over Internet Protocol (VOIP) had been breached.
According to the alert, attackers were able to access the internal systems of the unnamed third party on April 1, 2024, using employee credentials obtained through a phishing attack.
The threat actor then used this access to download a set of logs of SMS messages sent to users between March 1, 2024 and March 31, 2024.
Cisco's warning did not reveal the name of the supplier in question or the number of customers affected by the incident, but with more than 100,000 customers, this incident could affect thousands.
The attacked phone provider confirmed to Cisco that the attackers were unable to download or view the content of the messages, but the logs still revealed sensitive information.
The data accessed contained users' phone numbers, carrier information, general location data, as well as the date and time of the message. Attackers could use this information to orchestrate a broader social engineering campaign on affected Duo customers, Cisco warned.
Cisco added that the vendor has provided it with a copy of the message logs obtained by the threat actor, which will be provided to customers upon request.
To request a copy of these message logs, or for further assistance, Duo customers should contact msp@duo.com.
Customers should beware of new social engineering attacks
Cisco said the vendor immediately launched an investigation into the incident as soon as it became aware of the breach, implementing a number of mitigation measures.
The first of these steps was to invalidate the affected credentials and analyze the activity logs, as well as notify Cisco of the incident.
The vendor also said it would update its security posture to ensure similar incidents do not occur again, including technical measures to reduce the risk of social engineering attacks compromising an endpoint. It would also require its staff to receive more social engineering awareness training.
Due to the nature of the data accessed by threat actors, Cisco's incident response team advised companies to contact their customers with a list of those affected as soon as possible.
Cisco emphasized that the information exposed in the breach could be used to orchestrate further social engineering attacks on Duo customers, and that any suspected attacks should be reported to relevant teams.