Cisco Duo SMS Logs Exposed in Third-Party Data Breach

Cisco Duo is warning that a data breach involving one of its third-party telephony providers may have comprised multi-factor authentication (MFA) messages sent to customers via SMS and VOIP. 

The breach which hit one of Duo’s Telephony suppliers on April 1, is believed to have exposed breach exposed phone numbers, phone carriers, metadata and other MFA SMS logs that could lead to phishing and social engineering attacks.

“It is our understanding that a threat actor gained access to the provider’s internal systems, on April 1, 2024, using a Provider employee’s credentials that the threat actor illicitly obtained through a phishing attack and used that access to download a set of MFA SMS message logs pertaining to your Duo account,” a breach notice to impacted Cisco customers explains. 

“The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” reads the data breach notification send to the impacted individuals."

 “The Provider confirmed that the threat actor did not download or otherwise access the content of any messages or use their access to the Provider’s internal systems to send any messages to any of the numbers contained in the message logs,” the notice continued. 

Phishing Risk for Cisco Duo Customers 

The breached telephony provider confirmed the threat actors behind the attack did not download or otherwise access the content of any messages or use their access to send any messages to any of the numbers in the message logs. 

However, the stolen message logs do contain data that could be used in targeted phishing attacks to gain access to sensitive information, such as employee credentials. This data includes corporate phone numbers, carriers, location data, dates and times and message types.

The company assured that copies of the stolen message logs would be available upon request for customers with affected Duo accounts to demonstrate this. Luckily, when the impacted provided discovered the breach, they invalidated the compromised credentials, analyzed activity logs, and notified Cisco accordingly. 

The company also provided Cisco Duo with all of the exposed message logs, which can be requested by emailing msp@duo.com to help better understand the scope of the breach, its impact, and the appropriate defence strategy to take.

“Because the threat actor obtained access to the message logs through a successful social engineering attack on the Provider, please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters, the notice.

"Please also consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity."

SMS Phishing on the rise

The attacks come as cybersecurity experts and national security organizations, including the FBI, warn that threat actors are increasingly using smishing and vishing attacks to breach corporate networks.

MFA is a strong security measure that adds an extra layer of protection beyond just a password. As more and more organizations and services adopt MFA, attackers are naturally going to target it.

Read: Most Common Cyber Attacks and How to Defend Against Them

In 2022, Uber was breached after a threat actor performed an MFA fatigue attack on an employee and then contacted them on WhatsApp via their phone numbers, pretending to be IT help desk personnel.

This tactic involved bombarding a user with MFA login requests until they become annoyed and approve one without properly checking the details. Attackers might even use social engineering to trick the user into approving a request.