Cisco Duo customers may have had VoIP and SMS MFA logs exposed to an attacker in early April. The authentication service, which has about 100,000 customers, reports that an unspecified vendor was hit in a third party data breach on the first of the month and lost message logs for specific customers generated during the month of March.
Cisco Duo said that about 1% of its customers, or somewhere in the neighborhood of 1,000, are impacted by the breach and are being notified directly by the company. A third party data breach is somewhat unusual for Cisco, which is usually fending off vulnerabilities discovered in its routers.
Cisco declines to name the provider involved in the third party breach
While Cisco has yet to name the service provider that was attacked, the company said that the third party breach is the result of one of the provider’s employees being phished. The attackers then appear to have targeted the MFA logs of specific clients of interest, though the company declined to provide any information on exactly which customers were victimized.
The attackers did not gain access to customer messages, but the logs obtained in the third party breach provide detailed information on client MFA devices that will likely be put to use in further targeted spearphishing or SIM swap attempts. The logs that the attackers stole include the phone numbers, location data (possibly limited to country and state), carrier name, dates, times and message types of the verification messages that employees receive.
The victim of the third party breach was only described as a telephony supplier that sends out Duo MFA messages via SMS and VoIP to recipients in North America. A statement from Cisco indicated that this provider implemented mitigation measures upon discovering the breach and has rolled out new technical measures and employee training to harden itself against future social engineering attempts.
MFA log theft will almost certainly be leveraged for “smishing” and SIM swap attempts on clients
The third party breach of Cisco Duo continues something of a trend in recent years, in which criminals have successfully bet that the employees of security-focused authentication services will be just as likely to fall for phishing or social engineering scams as at any other type of company. In late 2023, Okta was forced to admit that a prior breach impacted 100% of its customers that had contacted customer support; that attack similarly provided the hackers with customer data useful in launching more targeted scam attempts. And in mid-2023, a targeted password spray attack compromised a legacy Microsoft test account with far-reaching access, ultimately enabling the state-backed attackers (believed to be Chinese) to walk into essentially any Office 365 Exchange Online email account.
There is not yet any public information about the attackers behind the Cisco third party breach, but they now have access to a convenient list of employee phone numbers at some 1,000 companies that can be used for MFA authentication. That could mean SIM swap approaches, something that has been on a sharp increase as of late. Earlier this week, reports came out that both T-Mobile and Verizon employees are regularly being approached by cyber criminals that claim to have access to company employee directories. In the case of T-Mobile, employees have been offered $300 per SIM swap that they execute for the criminals. Some carriers, these two included, offer a “SIM protection” or “SIM lock” service that can make it more difficult for attackers to pull off such an attack by adding extra steps to the process, but it is generally off by default and must be manually enabled by the customer.
The attackers will almost certainly use the stolen logs to attempt “smishing” attacks on these numbers, that is, targeted phishing conducted entirely by SMS text message. It is a fairly standard phishing attempt that involves tricking the victim into clicking on a malicious link, but it has one of the higher success rates among social engineering scams because security awareness about text message spam is lower. Attackers also sometimes make use of “MFA fatigue” by relentlessly sending many of these messages over an extended period, hoping the target will eventually click on a link just to make them stop. It is also generally easier to spoof the source of an SMS message to make it look legitimate than it is to do the same with an email. And attackers often add pressure by pretending to be a manager or executive from the same company, leaning on a targeted employee to immediately perform some sort of task.
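A defender-side triage script, added here as an illustration and not part of the article or of any Cisco Duo tooling: it reads telephony MFA delivery records carrying the fields the article says were in the stolen logs (timestamp, phone number, country/state, carrier, message type), lists the numbers that received SMS or VoIP verification messages in the exposed month so those users can be moved to a non-telephony factor first, and flags numbers hit by a burst of messages in a short window, the pattern behind the “MFA fatigue” pressure described above. The record layout and sample lines are constructed for the example and do not reflect Duo’s actual export format.

```python
# Defender-side triage of telephony MFA delivery logs (added example).
# Record layout is constructed for this example, not Duo's export format.
from collections import defaultdict
from datetime import timedelta, datetime

# Constructed sample records: timestamp, phone, country/state, carrier, message type.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z,+15550100001,US/CA,CarrierA,sms
2024-03-04T09:12:40Z,+15550100001,US/CA,CarrierA,sms
2024-03-04T09:13:05Z,+15550100001,US/CA,CarrierA,sms
2024-03-04T09:13:50Z,+15550100001,US/CA,CarrierA,voice
2024-03-11T14:02:00Z,+15550100002,US/NY,CarrierB,sms
2024-04-02T08:00:00Z,+15550100003,US/TX,CarrierA,voice
"""

def parse_log(text):
    """Parse the CSV-style lines into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, phone, loc, carrier, kind = line.split(",")
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "phone": phone, "loc": loc, "carrier": carrier, "kind": kind})
    return rows

def exposed_numbers(rows, year, month):
    """Numbers that received telephony MFA messages in the given month (re-enrollment list)."""
    return sorted({r["phone"] for r in rows if (r["ts"].year, r["ts"].month) == (year, month)})

def burst_numbers(rows, window=timedelta(minutes=5), threshold=3):
    """Numbers that got >= threshold messages inside any sliding window (MFA fatigue signal)."""
    by_phone = defaultdict(list)
    for r in rows:
        by_phone[r["phone"]].append(r["ts"])
    flagged = []
    for phone, times in by_phone.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(phone)
                break
    return sorted(flagged)

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("re-enroll:", exposed_numbers(rows, 2024, 3), "bursts:", burst_numbers(rows))
```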
Jeff Margolies, Chief Product & Strategy Officer at Saviynt, notes that this trend of “upstream” attacks on security services providers is a phenomenon that organizations must make their employees aware of: “There are two interesting trends in the Cisco Duo attack. This is yet another attack on Identity Security providers, showing that threat actors are recognizing and attacking this key part of the security architecture. The second is how the attackers took advantage of a third party, or in this case a fourth party, which shows how important third-party security is becoming for enterprises.”
Jamie Beckland, Chief Product Officer at API Context, notes that these attacks should not be expected to slow down given how valuable this access is to cyber criminals: “Authentication providers are rich targets for bad actors because if a hacker compromises credentials, the API transactions appear legitimate. The Cisco Duo attack also took advantage of their telephony supplier. This highlights the need for digital product owners to have a deep understanding of their API suppliers. Cisco Duo’s customers may not have been aware that they are reliant on a third party telephony vendor. Tracking API suppliers in real time is crucial for rapid response to security issues.”