On April 16, 2024, Cisco Duo informed affected customers of a breach involving their SMS and VoIP multi-factor authentication (MFA) service provider. The breach occurred on April 1st, when a phishing attack gave the threat actor unauthorized access to the provider's systems, including SMS and VoIP MFA message logs for specific Duo accounts covering March 1st through March 31st, 2024. Although the threat actor accessed message logs, they did not obtain message content. The exposed data included phone numbers, carriers, location data, and timestamps, which could enable targeted phishing campaigns.
Recommendations
Recommendation #1: Obtain Message Logs if Impacted
Cisco Duo has stated that impacted customers can reach out to obtain a copy of the stolen message logs. Arctic Wolf recommends obtaining a copy of these logs in order to understand the impact of this compromise to your organization.
Notify impacted users and ensure they remain vigilant, reporting any suspected social engineering or other similar attacks to the appropriate security team.
Recommendation #2: Implement Security Awareness Training
The threat actor successfully acquired sensitive information including phone numbers, carriers, location data, and timestamps, which could be used to create tailored social engineering attacks. This compromised data can be leveraged by threat actors to execute various attacks such as phishing (via email), smishing (via SMS), or vishing (via voice calls), all of which can lead to unauthorized access to company resources.
Arctic Wolf strongly recommends urgently implementing comprehensive security awareness training campaigns. These campaigns should give users the skills to quickly recognize and report suspicious activity, particularly activity associated with sophisticated phishing campaigns.