A third-party provider to Cisco Duo, a popular MFA app, has been compromised. If you were affected by the breach, or if you're now worried about the security of your Duo user accounts, you should alert your users to be vigilant to social engineering and phishing attempts; move your organization away from SMS- and voice-based MFA; and consider surrounding your Duo implementation with Nametag.
What Is Cisco Duo?
Cisco Duo is a popular two-factor authentication (2FA) solution that generates one-time passcodes and receives push notifications. Companies use Duo to add an additional layer of security to user logins. For example, if you're logging into your student account at Wayne State University, you'll be asked to authenticate with Duo.
How Did Cisco Duo Get Breached?
It's important to note that Cisco Duo itself was not breached. Rather, Duo's customers were exposed because a third party that Duo partners with to send MFA codes via SMS (short message service, aka text messages) or VOIP (voice over internet protocol) was itself breached. The unnamed third party was compromised on April 1, 2024 through credentials obtained via phishing. The threat actor then used that access to download MFA message logs pertaining to Duo customer accounts.
Cisco Duo Breach Timeline
On April 13, 2024, Reddit user /u/ITBurn-out posted a thread to r/MSP titled "Duo Security provider breach" in which they shared a Duo security incident notice. Bleeping Computer, Dark Reading, Security Week, and other press outlets corroborated the story on April 15.
The security notice was titled "[Important Notice] Security Incident Involving Duo Supplier" [now deleted]. In it, Duo said that, through their third-party provider, an unknown threat actor obtained SMS MFA message logs that were sent to Duo end-users between March 1 and March 31, 2024. The stolen message logs contained important information including phone numbers and carriers, the country and state to which each message was sent, and related metadata such as the date and time of the message.
Who Is Impacted by the April 2024 Cisco Duo Breach?
Duo has not yet shared any details regarding the scope or impact of their April 2024 breach.
What Should I Do To Protect My Duo?
There are a few things you can do to protect your organization's Duo users:
1. Contact Duo
If you believe you have been affected by the breach, Duo encourages you to contact them at msp@duo.com. Duo's third-party provider has given Duo a copy of the stolen message logs, and Duo will provide you with a copy of any logs pertaining to your organization.
2. Train your users to be vigilant.
Cisco Duo advises their customers to "be vigilant and report any suspected social engineering attacks" and "consider educating your users on the risks posed by social engineering attacks and investigating any suspicious activity". Indeed, proactive training is a critical part of any security strategy.
That said, remember that threat clusters like Scattered Spider are very, very good at social engineering. Your employees, your customers, and your helpdesk agents aren't social psychologists, and you shouldn't expect them to be. Training alone is not enough to stop social engineering and phishing threats.
3. Move away from SMS/voice-based MFA
SMS and VOIP technologies were never built to be security tools. They're communications protocols, pure and simple. Any authentication process that relies on them inherits their weaknesses, as breaches like this one regularly demonstrate. As many Redditors pointed out in the r/MSP thread, multi-factor authentication via text message or phone call is not secure.
Security-conscious orgs are already moving to phishing-resistant MFA via biometrics, automated visual verification, or physical security keys.
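The first step in moving away from SMS and voice MFA is knowing which users still depend on it. The following is an added Python example written for this page, not Duo's or Nametag's code. It takes user records shaped like the Duo Admin API user listing (the field names `phones`, `capabilities`, `webauthncredentials` and `tokens` are assumed from memory and should be checked against the current API docs) and separates users who can only authenticate by SMS or voice call (they must be re-enrolled) from users who hold a stronger factor but still keep SMS or voice as a fallback (that gap is closed by policy, since an attacker who reaches the login prompt can otherwise simply choose the weaker method). The sample records are constructed.

```python
"""Audit Duo-style user records for dependence on SMS/voice MFA."""

# Factor groupings are this example's own assumption, strongest first.
PHISHING_RESISTANT = {"webauthn"}
APP_BASED = {"push", "mobile_otp", "hardware_token"}
TELEPHONY = {"sms", "phone"}  # "phone" is Duo's name for a voice call, as assumed here

# Constructed sample shaped like an Admin API user listing (field names assumed).
SAMPLE_USERS = [
    {"username": "alice",
     "phones": [{"number": "+15555550100", "capabilities": ["push", "sms", "phone"]}],
     "webauthncredentials": [{"credential_name": "work-key"}], "tokens": []},
    {"username": "bob",
     "phones": [{"number": "+15555550101", "capabilities": ["sms", "phone"]}],
     "webauthncredentials": [], "tokens": []},
    {"username": "carol",
     "phones": [{"number": "+15555550102", "capabilities": ["push", "mobile_otp", "sms"]}],
     "webauthncredentials": [], "tokens": []},
    {"username": "dave",
     "phones": [], "webauthncredentials": [],
     "tokens": [{"type": "h6", "serial": "0001"}]},
    {"username": "erin",
     "phones": [], "webauthncredentials": [], "tokens": []},
]


def enrolled_factors(user):
    """Flatten one user record into the set of factor names the user can use."""
    factors = set()
    for phone in user.get("phones", []):
        factors.update(phone.get("capabilities", []))
    # "auto" is treated here as a delivery preference, not a factor (assumption).
    factors.discard("auto")
    if user.get("webauthncredentials"):
        factors.add("webauthn")
    if user.get("tokens"):
        factors.add("hardware_token")
    return factors


def classify(user):
    """Rank a user by the strongest factor they have enrolled."""
    factors = enrolled_factors(user)
    if not factors:
        return "unenrolled"
    if factors & PHISHING_RESISTANT:
        return "phishing-resistant"
    if factors & APP_BASED:
        return "app-based"
    if factors <= TELEPHONY:
        return "telephony-only"
    return "other"


def audit(users):
    """Group usernames by strongest factor and flag everyone who can still fall back to SMS/voice."""
    report = {key: [] for key in
              ("phishing-resistant", "app-based", "telephony-only", "unenrolled", "other",
               "telephony-fallback")}
    for user in users:
        name = user["username"]
        bucket = classify(user)
        report[bucket].append(name)
        # Users with a stronger factor are still exposed while SMS/voice remains enrolled
        # and permitted by policy, so list them separately from the telephony-only group.
        if bucket != "telephony-only" and enrolled_factors(user) & TELEPHONY:
            report["telephony-fallback"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_USERS).items():
        print(f"{bucket:20s} {', '.join(names) or '-'}")
```

The `telephony-only` list is the re-enrollment queue; the `telephony-fallback` list is the argument for disabling SMS and voice as permitted methods in policy once those users have a stronger factor, rather than relying on each user to pick the right one at login.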
4. Protect your MFA reset process
MFA resets are a notoriously popular vector for account takeovers. Bad actors like Scattered Spider exploit insecure verification methods (including SMS and VOIP messages) to reset MFA tokens, then register a new device so that subsequent MFA codes are delivered to a device they control.
Some companies require their users to call the IT helpdesk to reset their MFA. But this leads to agents being overwhelmed by lengthy, frustrating MFA reset tickets. This also leaves your helpdesk vulnerable to the social engineering attacks that Scattered Spider is so good at.
Or, you can just implement Nametag for self-service Duo resets. Nametag is uniquely secure against today's threat vectors like injection attacks and AI deepfakes.
Nametag takes as little as 10 minutes to set up. Just sign up for Nametag, connect your Duo, add your company logo, and you're good to go!