On 16 April 2024, Cisco Duo informed affected customers of a breach involving its SMS and VoIP multi-factor authentication (MFA) service provider. The breach occurred on 1 April as the result of a phishing attack that gave the threat actor unauthorised access to the provider's systems, including SMS and VoIP MFA message logs for specific Duo accounts covering 1 March to 31 March 2024. Although the threat actor accessed the message logs, they did not obtain message content. The exposed data included phone numbers, carriers, location data, and timestamps, which could enable targeted phishing campaigns.
Recommendations
Recommendation #1: Obtain Message Logs if Impacted
Cisco Duo has stated that impacted customers can reach out to obtain a copy of the stolen message logs. Arctic Wolf recommends obtaining a copy of these logs in order to understand the impact of this compromise on your organisation.
Notify impacted users and ensure they remain vigilant, reporting any suspected social engineering or other similar attacks to the appropriate security team.
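The bulletin does not describe the format of the message logs Cisco Duo provides, so the following is an added example, not code from Arctic Wolf or Cisco, that assumes a hypothetical CSV export with one row per MFA message (timestamp, user, phone_number, carrier, location, channel). It turns such an export into the two things a security team needs for Recommendation #1: a per-user summary of what the attacker learned (message counts, masked phone numbers, carriers, locations, channels, and the first and last exposure dates within the 1 March to 31 March 2024 window stated in the bulletin) and a sorted list of users to notify. The sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timezone

# Assumed export layout; the bulletin does not describe the real format.
FIELDS = ("timestamp", "user", "phone_number", "carrier", "location", "channel")

# Exposure window stated in the bulletin: 1 March to 31 March 2024 (UTC assumed).
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 1, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed sample export; 'dave' falls outside the window and must be excluded.
SAMPLE_EXPORT = """timestamp,user,phone_number,carrier,location,channel
2024-03-03T08:14:02Z,alice,+15555550101,ExampleCell,Seattle,sms
2024-03-03T08:14:40Z,alice,+15555550101,ExampleCell,Seattle,sms
2024-03-12T17:02:11Z,bob,+15555550102,ExampleCell,Denver,voip
2024-03-29T09:45:33Z,carol,+15555550103,OtherCarrier,Austin,sms
2024-04-02T10:00:00Z,dave,+15555550104,ExampleCell,Boston,sms
"""


def parse_export(text):
    """Parse the (assumed) CSV export into dicts with the timestamp as a datetime."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({**rec, "timestamp": ts.replace(tzinfo=timezone.utc)})
    return rows


def mask_phone(number):
    """Keep only the last four digits so the impact report can be shared widely."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def summarise_impact(rows, start=WINDOW_START, end=WINDOW_END):
    """Group in-window messages by user: what the threat actor learned about each."""
    summary = {}
    for r in rows:
        if not (start <= r["timestamp"] < end):
            continue  # outside the exposure window, not part of the stolen logs
        s = summary.setdefault(r["user"], {
            "messages": 0, "phones": set(), "carriers": set(),
            "locations": set(), "channels": set(),
            "first_seen": r["timestamp"], "last_seen": r["timestamp"],
        })
        s["messages"] += 1
        s["phones"].add(mask_phone(r["phone_number"]))
        s["carriers"].add(r["carrier"])
        s["locations"].add(r["location"])
        s["channels"].add(r["channel"])
        s["first_seen"] = min(s["first_seen"], r["timestamp"])
        s["last_seen"] = max(s["last_seen"], r["timestamp"])
    return summary


def notification_list(text):
    """Sorted usernames that need the 'expect targeted phishing/smishing/vishing' notice."""
    return sorted(summarise_impact(parse_export(text)))


if __name__ == "__main__":
    for user, s in sorted(summarise_impact(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{user}: {s['messages']} message(s), phones={sorted(s['phones'])}, "
              f"carriers={sorted(s['carriers'])}, locations={sorted(s['locations'])}, "
              f"channels={sorted(s['channels'])}, "
              f"{s['first_seen']:%Y-%m-%d}..{s['last_seen']:%Y-%m-%d}")
```

The per-user summary is what the notice to each user should be built from: a user whose log rows show a specific carrier, city and delivery channel knows exactly which details a convincing lure could quote back at them.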
Recommendation #2: Implement Security Awareness Training
The threat actor successfully acquired sensitive information including phone numbers, carriers, location data, and timestamps, which could be used to create tailored social engineering attacks. This compromised data can be leveraged by threat actors to execute various attacks such as phishing (via email), smishing (via SMS), or vishing (via voice calls), all of which can lead to unauthorised access to company resources.
Arctic Wolf strongly recommends urgently rolling out comprehensive security awareness training campaigns. These campaigns should equip users to quickly recognise and report suspicious activity, particularly activity associated with sophisticated phishing campaigns.