Duo falls victim to phishing, Cisco warns of increased future attacks

In recent months, more and more companies are falling prey to cyberattacks. The latest on the list is Cisco, which was attacked on April 1, 2024!

According to the notification sent out by Cisco, one of Duo’s telephony suppliers was attacked, and the MFA (Multi-factor Authentication) SMS message logs were accessed and downloaded by threat actors. The notification reads,

It is our understanding from the Provider that a threat actor gained access to the Provider’s internal systems, on April 1, 2024, using a Provider employee’s credentials that the threat actor illicitly obtained through a phishing attack and used that access to download a set of MFA SMS message logs pertaining to your Duo account. More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024.

In the notification, Cisco goes on to assure that the stolen logs did not contain any contents but details pertaining to the end user, namely, phone number, carrier, country, and the message’s metadata. Also, the threat actors did not send out any messages after gaining access to the system.

In a statement to The Register, Cisco confirms that only 1% of the total user base was affected by the attack on Duo MFA, which hints at roughly 1000 of the total 100,000 Cisco customers worldwide.

Cisco is aware of an incident involving a single telephony supplier that sends Duo multifactor authentication (MFA) messages via SMS and VOIP to recipients based in North America. Cisco is actively working with the supplier to investigate and address the incident. Based on information received from the supplier to date, we assessed that approximately one percent of Duo’s customers were impacted. Our investigation is ongoing, and we are notifying affected customers via our established channels as appropriate.

Cisco warns of future large-scale brute force attacks

In a published report, Cisco cites the increase in brute-force attacks globally, warns users of similar attacks on its services, and provides a set of mitigations to prevent them and minimize the damage.

When reached out by The Register, an executive at Cisco said,

Cisco is aware of a global increase in brute-force attacks against a variety of targets, including virtual Private Network (VPN) services, web application authentication interfaces, and SSH services. Cisco Talos has noted that these attacks are not limited to Cisco products, but also third-party VPN services. To help keep our customers safe, we have published a Talos blog and Cisco support page with recommended guidance and mitigation steps. Please refer to the Talos blog and Cisco TechNotes support page for additional details.

Cisco highlights that one or more of its following services might be targeted with brute-force attacks, primarily originating from TOR exit nodes, which could lead to unauthorized access or render the service inaccessible to users :

• Cisco Secure Firewall VPN
• Checkpoint VPN
• Fortinet VPN
• SonicWall VPN
• RD Web Services
• Miktrotik
• Draytek
• Ubiquiti

Recently, we reported about an increase in cyberattacks driven by AI. Microsoft’s research states that 87% of companies in the UK are at risk of cyberattacks.

Even our cyberattack statistics for 2024 highlight a clear increase in the past couple of years, which is undoubtedly worrisome. Corporations must ramp up their security infrastructure to prevent any loss of data. The Redmond-based tech giant Microsoft is using AI to combat cyberattacks!

What do you think is the best solution for cyberattacks? Share with us in the comments section.