Cisco Duo provider breached, SMS MFA logs compromised

Hackers have managed to compromise a telephony provider for Duo, the Cisco-owned company providing secure access solutions, and steal MFA (multi-factor authentication) SMS message logs of Duo customers.


About the attack

The unnamed provider – one of two that Duo uses – was breached via compromised/phished employee credentials, which allowed the attackers to gain access to the company’s internal systems on April 1, 2024.

“The threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024,” the Cisco Data Privacy and Incident Response Team notified its MSP (managed service provider) partners.

“The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).”

The breached provider says the attackers did not use the access to send any messages to any of the numbers contained in the message logs.

Potential repercussions

Unfortunately, the accessed/exfiltrated logs provide enough information to target users through spear-phishing messages, emails and voice phishing.

The affected provider has shared a copy of the compromised message logs and MSPs can request them from Duo.

“Please contact your customers with affected users whose phone numbers were contained in the message logs to notify them, without undue delay, of this event and to advise them to be vigilant and report any suspected social engineering attacks to the relevant incident response team or other designated point of contact for such matters,” the Cisco team advised.

“Please also consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity.”

Cybercriminal groups like Lapsus$ and Scattered Spider are infamous for breaching companies via phishing messages, MFA prompt bombing, and fake single sign-on (SSO) pages.

Cisco was breached with similar tactics in 2022.
