Cisco Warns of Breach in Multifactor Authentication System: What You Need to Know

Swathi D
Swathi is an expert in geopolitical and regulatory compliance matters and contributes regularly to the Regtechtimes.

Cisco, a prominent technology company, recently issued a warning to its customers regarding a breach in its multifactor authentication (MFA) system. Here’s a simplified breakdown of what happened and what it means for you.

What Happened at Cisco?

On April 1, 2024, a threat actor breached the system of a telephony supplier that Cisco’s subsidiary, Duo, uses to send MFA messages through texts and phone calls.

This telephony supplier is an intermediary for Duo’s multifactor authentication (MFA) messaging system, responsible for delivering security codes via SMS messages and phone calls to Duo’s customers.

The threat actor’s intrusion likely originated from a combination of sophisticated tactics, potentially including social engineering and exploiting vulnerabilities in the telephony supplier’s systems. Social engineering methods, such as phishing attacks, may have been employed to deceive an employee into disclosing sensitive login credentials or other access information. Once armed with these credentials, the threat actor gained illicit entry into the telephony supplier’s internal networks, paving the way for further exploitation and data exfiltration.

Upon gaining unauthorized access, the threat actor specifically targeted data related to Duo’s MFA messaging service. This included retrieving logs containing information about SMS messages sent to users under Duo accounts during a specific timeframe. While the content of the messages was not accessed, the logs contained crucial metadata, including phone numbers, carriers, countries, and states. Such information could potentially be leveraged for further malicious activities or exploitation, posing significant risks to affected individuals and organizations relying on Duo’s MFA services for enhanced security.

How It Happened

The attacker gained access to the telephony supplier’s internal systems using an employee’s credentials obtained through a phishing attack.

What Information Was Accessed

The threat actor downloaded a set of MFA SMS message logs related to Duo accounts. These logs contained phone numbers, carriers, countries, states, and other metadata. However, they did not contain the content of the messages.

Actions Taken

Once discovered, the telephony supplier canceled the compromised credentials and analyzed activity logs before notifying Cisco. Cisco’s Data Privacy and Incident Response Team is investigating the incident.

What You Can Do

If you’re a customer of Duo or Cisco, you can request a copy of the message logs for your account. Additionally, stay vigilant for any suspicious activity related to your MFA messages.

Potential Impact

It’s unclear how many people were affected by the breach or which provider was attacked. However, Duo serves over 40,000 customers, including government agencies, school districts, and major companies like Lyft and Yelp.

Expert Insights

Cybersecurity experts, including Jeff Margolies from Saviynt, warn that this incident highlights the growing trend of threat actors targeting critical parts of security infrastructure through third-party providers. It underscores the importance of robust security measures and continuous monitoring to mitigate such risks.

Conclusion

While the breach is concerning, it’s essential to remain proactive in safeguarding your online accounts and sensitive information. Keep an eye on updates from Cisco and Duo regarding the incident, and take necessary precautions to protect your digital assets.
