Cisco Duo’s security team has issued a warning regarding a cyberattack that compromised some customers’ VoIP and SMS logs, potentially exposing sensitive information used for multi-factor authentication (MFA) messages. This Cisco Duo data breach, occurring through their telephony provider, highlights the persistent threat posed by cybercriminals targeting communication channels vital for security measures.
Cisco Duo, a prominent multi-factor authentication and Single Sign-On service utilized by numerous corporations for secure network access found itself at the center of a cybersecurity incident.
The Cisco Duo data breach, which occurred on April 1, 2024, involved the illicit access of employee credentials through a phishing attack. Subsequently, the threat actor leveraged these credentials to infiltrate the systems of a telephony provider responsible for handling SMS and VoIP MFA messages.
Impact on Customers of Cisco Duo Data Breach
Affected customers received notifications revealing that SMS and VoIP MFA message logs associated with specific Duo accounts were compromised between March 1, 2024, and March 31, 2024.
While the stolen logs did not include message content, they contained valuable metadata such as phone numbers, carriers, locations, and timestamps. This information could potentially be weaponized in targeted phishing attacks aimed at obtaining corporate credentials and other sensitive data.
“We are writing to inform you of an incident involving one of our Duo telephony suppliers (the “Provider”) that Duo uses to send multifactor authentication (MFA) messages via SMS and VOIP to its customers. Cisco is actively working with the Provider to investigate and address the incident,” reads the notice released by Cisco Duo.
Upon discovering the breach, the telephony provider swiftly initiated an investigation and implemented mitigation measures. These efforts included invalidating compromised credentials, analyzing activity logs, and notifying Cisco Duo of the incident. Additionally, the provider enhanced security protocols and committed to reinforcing employee awareness through social engineering training programs.
Customer Assistance and Vigilance
In response to the data breach, Cisco Duo offers affected customers access to the compromised message logs upon request. They advise customers to promptly notify impacted users and educate them about the risks of social engineering attacks. Heightened vigilance is encouraged, with users urged to report any suspicious activity to designated incident response teams or relevant points of contact.
“The Provider has provided us with a copy of the message logs pertaining to your Duo account that the threat actor obtained, and we will provide you with a copy of those logs upon request. To request such a copy, or if you have any questions, please contact [email protected],” reads the notice further.
“Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters,” Cisco Duo requested employees.
The Cyber Express team, while investigating the breach reached out to Cisco Duo to learn more about the cyber incident, however, as of writing this news report, the company’s official response has not been revived.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
