April 15, 2024 at 10:58AM
Hackers breached a telephony provider used by Cisco Duo, potentially compromising SMS and VoIP MFA logs. No message contents were accessed, but data like phone numbers and location could be used for phishing. The breach was identified, and security measures have been taken. Customers are urged to be vigilant against potential social engineering attacks.
From the meeting notes, the following takeaways can be summarized:
1. Cisco Duo’s security team reported a cyberattack on their telephony provider, resulting in the theft of some customers’ VoIP and SMS logs used for multi-factor authentication (MFA) messages.
2. The stolen logs contain data such as phone numbers, carrier, location, date, time, and message type, all of which could potentially be used in targeted phishing attacks to gain access to sensitive information.
3. The breach occurred due to the threat actor obtaining employee credentials through a phishing attack, gaining access to the telephony provider’s systems.
4. While the threat actor did not access the content of the messages or use their access to send messages to customers, customers are warned to be vigilant against potential SMS phishing or social engineering attacks using the stolen information.
5. The telephony provider invalidated the compromised credentials, analyzed activity logs, and implemented additional security measures to prevent similar incidents in the future.
6. Cisco Duo is actively working with the provider to investigate and address the incident. The vendor provided Cisco with all of the exposed message logs to help better understand the scope of the breach, its impact, and the appropriate defense strategy to take.
7. The FBI had previously warned about threat actors using SMS phishing and voice calls in social engineering attacks to breach corporate networks, indicating a broader trend in such attacks.
8. In terms of precedent, Uber was previously breached after a threat actor performed an MFA fatigue attack on an employee and then used social engineering tactics to gain access to the company’s systems.
9. Cisco has not disclosed the supplier’s name and the number of customers impacted by this incident.
This summary encapsulates the key points from the meeting notes regarding the cyberattack on Cisco Duo’s telephony provider and the potential impact on customers using their MFA services.