Cisco Duo is a multi-factor authentication and Single Sign-On service used by corporations to provide secure access to internal networks and corporate applications. About 1% of the Cisco Duo MFA and single sign-on provider’s business customers were impacted by a breach.
It was reported that a third-party telephony service provider for Cisco Duo fell prey to social engineering, and the company advised customer vigilance against subsequent phishing attacks.
Cisco Duo has more than 100,000 customers globally, and, following the breach, roughly 1,000 of those business customers are now at risk, according to Cisco’s assessment.
“Cisco is actively working with the supplier to investigate and address the incident,” a company spokesperson said.
The attacker exfiltrated message logs containing phone numbers, carrier information, geographic data, and the date, time, and type of message sent.
Cisco said impacted customers can request a copy of the message logs stolen by the attacker.
MFA and single-sign on providers are regularly targeted by cybercriminals.
What Should I Do To Protect My Duo?
There are a few things you can do to protect your organization's Duo users:
1. Contact Duo
If you believe you have been affected by the breach, Duo encourages you to contact them at msp@duo.com. Duo's third-party provider has given Duo a copy of the stolen message logs, and Duo will provide you with a copy of any logs pertaining to your organization.
2. Train your users to be vigilant
Cisco Duo advises their customers to "be vigilant and report any suspected social engineering attacks" and "consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity". Indeed, proactive training is a critical part of any security strategy.
3. Move away from SMS/voice-based MFA
SMS and VOIP technologies were never built to be security tools. They're communications protocols, pure and simple. Any authentication process that relies on them is easily exploitable, as countless breaches like this one demonstrate every week.
As many Redditors have pointed out in the r/MSP thread, multi-factor authentication via text message or phone call is not secure. Security-conscious companies are already moving to phishing-resistant MFA via biometrics, automated visual verification, or physical security key.
4. Protect your MFA reset process
MFA resets are a notoriously popular vector for account takeovers. Bad actors like Scattered Spider exploit insecure verification methods (including SMS and VOIP messages) to reset MFA tokens, then register a new device so they can send MFA codes to one they control.
Some companies require their users to call the IT helpdesk to reset their MFA. But this leads to agents being overwhelmed by lengthy, frustrating MFA reset tickets. This also leaves your helpdesk vulnerable to the social engineering attacks that Scattered Spider is so good at. We wrote about this risk in one of our information sharing bulletins here.
In summary, bad actors are attempting everyday to hack your systems, steal your information and the best protections is training, monitoring of your systems, and being proactive. Reach out to us if you have any questions about how best to protect your company.
References:
BleepingComputer.com. (15 April, 2024) Cisco Duo warns third-party data breach exposed SMS MFA logs. https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/
How can CyberForce|Q services help you address this risk?
Incident Response is a time-based situation and CyberForce|Q can assist with a potential incident in your environment. Our experienced Incident Response Team can be deployed 24x7x365 – reach out to solutions@cyberforceq.com.
Learn more about CyberForce|Q.