What happened?

Cisco Duo recently reported one of their vendors, a telephony provider whose name they did not disclose, was breached on April 1st, 2024.  This is one of the providers responsible for sending Duo’s multifactor authentication (MFA) messages using SMS text messaging. 

The breach involved a phishing attack to obtain employee credentials from the provider.  The threat actor downloaded logs of MFA SMS messages containing Duo account information such as: 

  • Phone numbers 
  • Carriers 
  • Countries 
  • States 
  • Metadata (such as the date, time, and type of message) 

The provider confirmed that no message contents were accessed and no messages were sent to customers by the threat actor.  Once the breach was discovered the provider invalidated the compromised credentials and began their analysis of the breach. 

What does this all mean?

First an overview of terms! 

Social engineering is the use of manipulation and deception to gather confidential information from someone for fraudulent use. 

Phishing is a type of social engineering attack using emails, texts, or other messages to trick a target into giving up personal information such as passwords.  Common examples are to masquerade as your company’s IT department requesting a “password reset” or to click a link to “update” your device. 

Multifactor authentication is when two or more methods of identification are needed to access something.  Requiring more authentication factors makes it harder for unauthorized users to gain access. 

So what does this mean for you?

An increase in phishing attempts for people whose data was exposed because of the breach, and a reminder to everyone else.  Phishing, and social engineering in general, play a large part in successful cyber attacks.  Assessments performed by the Cybersecurity and Infrastructure Security Agency (CISA) reveal over 90% of all cyber attacks begin with phishing!  One of the best ways to protect yourself from phishing and other social engineering attempts is to use multifactor authentication. 

However, not all MFA is equal.  SMS Authentication, which sends a One-Time Password (OTP) using an unencrypted text message, is less secure than using an authenticator app.  These authenticator apps like Microsoft Authenticator, Google Authenticator, and Duo Mobile will generate a One-Time Password locally on your device which is less likely to be intercepted.  

What can you do to reduce your risk?

  • Enable multifactor authentication on your accounts and devices
  • Use an authenticator app instead of SMS authentication
  • Don’t click links in emails or text messages unless you are certain they are valid. 

As always, NGT is here to help! 
Contact ngthelp.com with questions.