Rise in Third-Party Risks and the Security Challenges: A Wake-Up Call?
In mid-April 2024, Cisco Duo, a leading provider of multi-factor authentication (MFA) and single sign-on solutions, disclosed a security breach involving one of its third-party telephony providers. This provider is responsible for managing the SMS and VoIP services crucial to Duo’s MFA system.
The Incident
On April 1, 2024, an attacker successfully executed a phishing campaign against the telephony provider, resulting in the acquisition of employee credentials. Armed with these credentials, the attacker infiltrated the provider’s systems and accessed logs of SMS and VoIP MFA messages sent to specific Duo accounts during March 2024.
What Was Compromised?
Although the actual content of the MFA messages remained secure, the attacker managed to extract metadata from the logs. This metadata included sensitive information such as:
- Phone numbers
- Carrier details
- Geographic locations
- Dates and times of messages
- Types of messages
Potential Risks
The compromised metadata poses significant risks, primarily due to its potential use in targeted phishing or social engineering attacks. With detailed information about Duo users, attackers could craft highly convincing phishing schemes to deceive users into divulging even more sensitive information.
But Leaked Logs are Harmless, Right?
Not quite. According to Cloudflare, mobile numbers are considered Personally Identifiable Information (PII). While it’s unclear whether this breach will attract penalties from regulatory authorities, it’s important to note that threat actors can potentially exploit this data. A prime example is the “Scattered Spider” group, which was coincidentally tracked by Kitecyber researchers. This notorious threat actor is infamous for creating phishing pages and targeting users with malicious text messages. [You can learn more here]. This breach could potentially place unsuspecting users in harm’s way, exposing them to sophisticated phishing attacks and other forms of cyber exploitation.
Response and Mitigation
Upon detecting the breach, the telephony provider promptly invalidated the stolen credentials and reinforced its security protocols. Cisco Duo was notified and subsequently informed the affected customers, urging them to be extra vigilant against possible phishing attempts leveraging the exposed metadata.
Cisco rightly emphasized the importance of user education on recognizing social engineering tactics and recommended considering more secure MFA methods beyond SMS and voice-based systems.
Conclusion
This breach serves as a stark reminder of the complexities and risks inherent in digital security, further compounded by the interdependence of third- and fourth-party providers within the digital infrastructure.
The choices are clear: rely on user education and hope for the best, or implement a robust security layer as part of a comprehensive defense-in-depth strategy. Don’t leave your security to chance. If you’re interested in strengthening your defenses against this ongoing threat, talk to us to learn more about adding this crucial security layer.
Visit our product website to learn more, schedule a demo, or sign up for a free 14-day trial: App Shield