On April 1, 2024, Duo by Cisco notified its customers about a significant security breach involving a third-party vendor responsible for handling SMS and VOIP multi-factor authentication (MFA) messages. A compromised provider exposed logs containing sensitive metadata and limited PII tied to MFA delivery.


Table of Contents

  1. Introduction
  2. Details of the Breach
  3. Impact on the CIA Triad
  4. Recommendations for Improved Security
  5. Final Thoughts

Introduction

On April 1, 2024, Duo by Cisco notified its customers about a significant security breach involving a third-party vendor responsible for handling SMS and VOIP multi-factor authentication (MFA) messages. The compromise occurred through an unnamed service provider, whose internal systems were accessed by threat actors using credentials obtained via a phishing attack. Cisco Duo did not disclose the identity of the telephone provider used for sending MFA messages.

The breach involved access to logs of MFA SMS messages containing sensitive Personally Identifiable Information (PII) such as contact numbers, phone carriers, citizenship status, states, and metadata including the date and time of message generation. The breached data did not, however, include the content of the messages, and no unauthorized messages were sent.

Cisco Duo has retrieved the affected account logs from the third-party vendor and offers affected individuals the option to request their logs by contacting msp@duo.com. The company urges those impacted to remain vigilant and report any suspected social engineering attacks to the relevant incident response teams. With a client base of 100,000 worldwide and managing 1 billion monthly authenticated users, Cisco Duo remains committed to maintaining robust security standards.

Details of the Breach

The breach occurred when threat actors gained unauthorized access to the third-party provider’s internal systems using credentials obtained through a phishing attack. The attackers accessed MFA SMS message logs, which included sensitive PII such as:

  • Contact numbers
  • Phone carriers
  • Citizenship status
  • States
  • Metadata including date and time of message generation

No message content was exposed and no unauthorized messages were transmitted. Cisco Duo has stated that the logs of affected accounts have been retrieved from the vendor and are available on request.
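The field list above is a reminder that delivery logs kept by or shared with a messaging vendor routinely carry more personal data than delivery itself requires. The following is an added example, not Cisco Duo's or any vendor's code: a small Python audit that flags which fields in an MFA delivery log record fall outside an allow-list of vendor-needed fields, and a minimisation step that strips the rest and replaces the phone number with a keyed pseudonym so support staff can still correlate retries. The record layout, field names and sample records are assumptions constructed for the example and are modelled on the categories named in the notification.

```python
"""Audit and minimise MFA delivery log records before they are retained or
exported to an SMS/VoIP vendor.

Added example, not Cisco Duo's code.  The record layout and field names are
assumptions modelled on the data categories listed in the breach notice
(contact number, carrier, citizenship status, state, send timestamp).
"""
from __future__ import annotations

import hashlib
import json
from typing import Dict, List, Set

# Fields a delivery vendor genuinely needs to route and troubleshoot a message.
VENDOR_ALLOWED_FIELDS: Set[str] = {"message_id", "sent_at", "delivery_status", "channel"}

# Constructed sample records, not real data.
SAMPLE_LOG: List[Dict[str, str]] = [
    {"message_id": "m-001", "sent_at": "2024-03-30T14:02:11Z", "channel": "sms",
     "delivery_status": "delivered", "phone_number": "+15550100001",
     "carrier": "ExampleCell", "citizenship_status": "US", "state": "CA"},
    {"message_id": "m-002", "sent_at": "2024-03-30T14:03:27Z", "channel": "voip",
     "delivery_status": "failed", "phone_number": "+15550100002", "state": "NY"},
    {"message_id": "m-003", "sent_at": "2024-03-30T14:05:40Z", "channel": "sms",
     "delivery_status": "delivered"},
]


def audit_record(record: Dict[str, str]) -> Set[str]:
    """Return the fields in `record` that are not on the vendor allow-list."""
    return set(record) - VENDOR_ALLOWED_FIELDS


def audit_log(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map message_id -> sorted list of over-collected fields (only records with findings)."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        extra = audit_record(rec)
        if extra:
            findings[rec["message_id"]] = sorted(extra)
    return findings


def pseudonymise_phone(number: str, salt: bytes) -> str:
    """Keyed SHA-256 of the number, truncated: lets support correlate retries
    without the raw number ever sitting in the retained log.  The salt must be
    kept inside the organisation, never sent to the vendor."""
    return hashlib.sha256(salt + number.encode("utf-8")).hexdigest()[:16]


def minimise_record(record: Dict[str, str], salt: bytes) -> Dict[str, str]:
    """Keep only allow-listed fields; add a pseudonymous recipient reference if a
    phone number was present.  Carrier, citizenship status and state are dropped."""
    out = {k: v for k, v in record.items() if k in VENDOR_ALLOWED_FIELDS}
    if "phone_number" in record:
        out["recipient_ref"] = pseudonymise_phone(record["phone_number"], salt)
    return out


def minimise_log(records: List[Dict[str, str]], salt: bytes) -> List[Dict[str, str]]:
    """Apply minimise_record to every record in the log."""
    return [minimise_record(r, salt) for r in records]


if __name__ == "__main__":
    # Assumed secret for the demo; in practice load it from a secrets store.
    demo_salt = b"example-org-log-pseudonym-key"
    print("Over-collected fields per record:")
    print(json.dumps(audit_log(SAMPLE_LOG), indent=2))
    print("Minimised log suitable for retention/export:")
    print(json.dumps(minimise_log(SAMPLE_LOG, demo_salt), indent=2))
```

This does not change what the vendor must receive at send time (it still needs the number to deliver the message); it governs what is kept afterwards in delivery logs, which is the data that was exposed here. Running the audit against a vendor's log export, or against your own export before it is shared, gives a concrete artefact for the third-party review that the recommendations below call for.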

Impact on the CIA Triad

The breach primarily impacted the Confidentiality and Integrity aspects of the CIA triad:

  • Confidentiality: PII was exposed without authorization, compromising data security.
  • Integrity: Unauthorized access to and exposure of data could lead to further breaches or misuse of the system.

This incident underscores the need for rigorous security protocols and the importance of securing all components of the security infrastructure, including third-party vendors.

Recommendations for Improved Security

To prevent similar incidents and enhance security, consider the following recommendations:

  1. Transition to More Secure Authentication Methods
    Move from SMS or VOIP-dependent MFA to more secure methods such as physical security keys or biometrics. Google reported a 90% reduction in successful phishing attacks after implementing security keys.

  2. Adopt a Zero Trust Architecture
    Implement a Zero Trust model to reduce the risk of unauthorized access and lateral movement across systems.

  3. Enhance Third-Party Management
    Conduct regular audits and ensure compliance with the highest security standards across all service providers. Treat vendors as extensions of your own attack surface.

  4. Employee Training
    Educate employees about phishing and social engineering techniques to reduce credential theft and account takeover risk.

  5. Robust Incident Response Plans
    Ensure a strong incident response plan is in place. Studies show that containing breaches within 30 days can significantly reduce overall impact and cost.

Final Thoughts

While MFA remains an essential layer of security, understanding the vulnerabilities and potential bypass methods helps in strengthening defenses. The Cisco Duo breach highlights the need for comprehensive security measures across all levels of the service chain, especially when third-party vendors are involved.

For a better reading experience, visit my Medium page at https://medium.com/@patelaksht24 or read the full article on Medium here.