This week on MSP Incident Insights, we cover two breaches that MSPs should be monitoring, plus follow-up coverage to our threat briefing on Midnight Blizzard’s attack against Microsoft, which has also impacted the United States government.
What Happened?
On April 13th, 2024, Cisco Duo, a widely used Multi-Factor Authentication product, disclosed a social engineering attack involving one of its third-party telephony service providers, which allows users to authenticate via SMS or VoIP. In an email to customers and partners, the vendor stated that the threat actors exfiltrated SMS message logs from March 2024 containing some personally identifiable information and message metadata.
Key Takeaways
Before the compromise took place, the threat actor launched a phishing attack against the third-party provider to obtain one of its employees’ credentials and gain unauthorized access.
On April 1st, 2024, the malicious actor used these stolen credentials to compromise the provider’s internal systems. Using this employee’s privileges, the attackers downloaded SMS message logs for MFA messages sent to multiple Duo accounts during March 2024. While these logs did not contain the content of the MFA messages, they did contain:
- User phone numbers
- User telephone carriers
- User location data, including country and state
- Message metadata, including when the message was sent (date and time) and what type of message was sent
Once the third-party messaging provider identified the breach, it revoked the employee’s compromised credentials, launched an investigation into its activity logs, and notified Cisco that users had been impacted. According to Cisco’s advisory, the provider has committed to strengthening its security posture against similar incidents, including security awareness training on social engineering techniques.
Why This Matters to MSPs
Due to Duo’s popularity as an MFA solution, this incident may have a widespread impact on MSPs that rely primarily on Duo’s SMS-based Multi-Factor Authentication. Moreover, incidents like this one demonstrate the growing risk that social engineering attacks pose to end users.
Action Steps
CyberQP’s security experts recommend that MSPs that use Duo, or that use SMS or VoIP messages for end-user authentication, take the following action steps:
- If your MSP uses Duo’s MFA solution, Cisco is sharing copies of the exfiltrated message logs affiliated with your MSP’s Duo account. Contact Cisco at [email protected] to find out whether you and your end users are impacted by this breach, and review your message logs if applicable.
- Proactively implement and enforce security awareness training for your end users to mitigate the risks that social engineering and phishing attacks pose to your organization and your clients’ business.
- Begin transitioning towards dedicated mobile apps for MFA where possible.