Fire in the Cisco! Networking giant's Duo MFA message logs stolen in phish attack

Also warns of brute force attacks targeting its own VPNs, Check Point, Fortinet, SonicWall and more

Cisco is fighting fires on a couple of cybersecurity fronts this week, involving its Duo multi-factor authentication (MFA) service and its remote-access VPN services.

Cisco has alerted customers that one of its Duo telephony partners fell victim to a phishing attack on April 1, during which crooks stole an employee's credentials and used them to access message logs associated with Duo accounts.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," according to Cisco’s notification.

According to a statement from Cisco:

Cisco is aware of an incident involving a single telephony supplier that sends Duo multifactor authentication (MFA) messages via SMS and VOIP to recipients based in North America. Cisco is actively working with the supplier to investigate and address the incident. Based on information received from the supplier to date, we assessed that approximately one percent of Duo's customers were impacted. Our investigation is ongoing, and we are notifying affected customers via our established channels as appropriate.

Cisco says Duo has over 100,000 customers globally, so if that one percent figure is accurate, about 1,000 of them likely received email notifications about the incident.

Upon discovering the digital intrusion, the unnamed supplier "immediately" invalidated the employee's credentials and notified Cisco of the incident. The supplier will also require all employees to take social-engineering attack awareness training, we're told.

The stolen logs did not contain any message content, but reportedly did include the phone numbers, the countries and states to which each message was sent, some metadata on the time and type of each message, and which carrier handled the TXTs.

According to Cisco, the unnamed telephony supplier confirmed that the intruders "did not download or otherwise access the content of any messages or use their access to the provider's internal systems to send any messages to any of the numbers contained in the message logs."

Brute-force attacks target remote VPNs

Meanwhile, on the VPN side of things, Cisco's Talos threat hunting team is "actively monitoring a global increase in brute-force attacks" targeting Cisco and other providers' VPN services, web application authentication interfaces, and SSH services.

According to an alert issued on Tuesday, the brute-force attacks have been ongoing since at least March 18 and originate from Tor exit nodes and other anonymizing tunnels and proxies.

Affected providers and services include Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek and Ubiquiti, according to Talos, which noted that "additional services may be impacted by these attacks."

The brute-force attempts use both generic and valid usernames for specific organizations. Moreover, they seem to target victims across a wide range of industries and regions.

In a separate security advisory, Cisco indicated that the intrusion attempts seem to be "related to reconnaissance efforts," but didn't speculate on who was responsible for the attempted break-ins, nor did it say whether any were successful.

In response to The Reg's questions, a Cisco spokesperson issued this statement:

Cisco is aware of a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services. Cisco Talos has noted that these attacks are not limited to Cisco products, but also third-party VPN services. To help keep our customers safe, we have published a Talos blog and Cisco support page with recommended guidance and mitigation steps. Please refer to the Talos blog and Cisco TechNotes support page for additional details.

As to the other vendors listed in the report: Check Point had no comment, and the others did not respond to The Register's inquiries or could not be reached.

Cisco has advised its Secure Firewall customers to enable logging to help detect these and other brute-force attacks. Its security alert also includes steps for organizations to secure default remote access VPN profiles, and then block connection attempts from malicious sources. ®
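The reason logging matters here is that the pattern Talos describes (one anonymized source cycling through generic and organization-specific usernames) is easy to spot once authentication failures are being recorded and correlated by source address. The script below is an added example, not code from Cisco, Talos or The Register. It reads constructed syslog lines whose layout is loosely modelled on Cisco ASA message IDs 113005 (authentication rejected) and 113004 (authentication successful); the field layout, hostnames, addresses, usernames and thresholds are all assumptions for illustration, not a captured production log. It flags a source when, within a sliding window, it either racks up too many failures or tries too many distinct usernames, and it separately records any success that follows a flag, since that is the case worth escalating (a guessed password rather than mere reconnaissance).

```python
"""Sliding-window brute-force detector for remote-access VPN auth logs.

Added example, not vendor code. Log layout is modelled loosely on Cisco ASA
syslog IDs 113005/113004; field names and sample values are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical firewall fw01, RFC 5737 test addresses).
# 198.51.100.7 sprays generic and org-specific usernames, then lands a login.
# 203.0.113.20 is a legitimate user who fat-fingers a password twice.
SAMPLE_LOG = """\
Apr 16 2024 10:00:01 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
Apr 16 2024 10:00:02 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 198.51.100.7
Apr 16 2024 10:00:03 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:192.0.2.9/443 to inside:10.0.0.9/51000
Apr 16 2024 10:00:03 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = vpn : user IP = 198.51.100.7
Apr 16 2024 10:00:05 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = j.smith : user IP = 198.51.100.7
Apr 16 2024 10:00:10 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 198.51.100.7
Apr 16 2024 10:00:20 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 198.51.100.7
Apr 16 2024 10:00:25 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = j.smith : user IP = 198.51.100.7
Apr 16 2024 10:01:00 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = a.jones : user IP = 203.0.113.20
Apr 16 2024 10:02:30 fw01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = a.jones : user IP = 203.0.113.20
Apr 16 2024 10:02:40 fw01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = a.jones : user IP = 203.0.113.20
"""

# Only the two AAA message IDs are of interest; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<msgid>11300[45]): .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)"
)


def parse(line):
    """Return {'ts', 'user', 'ip', 'ok'} for an auth event, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return {"ts": ts, "user": m["user"], "ip": m["ip"], "ok": m["msgid"] == "113004"}


def detect(lines, window_seconds=60, max_failures=5, max_users=3):
    """Flag source IPs that exceed either threshold inside a sliding window.

    Returns {ip: {'failures', 'users', 'first', 'last', 'success_after_flag'}}
    for flagged sources only. 'success_after_flag' lists usernames that
    authenticated from a source *after* it was flagged: a likely guessed password.
    """
    window = defaultdict(deque)  # ip -> (ts, user) failures inside the window
    totals = defaultdict(lambda: {"failures": 0, "users": set(), "first": None,
                                  "last": None, "success_after_flag": []})
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, t = ev["ip"], ev["ts"]
        if ev["ok"]:
            if ip in flagged:
                totals[ip]["success_after_flag"].append(ev["user"])
            continue
        rec = totals[ip]
        rec["failures"] += 1
        rec["users"].add(ev["user"])
        rec["first"] = rec["first"] or t
        rec["last"] = t
        q = window[ip]
        q.append((t, ev["user"]))
        # Drop failures older than the window before evaluating thresholds.
        while q and (t - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures or len({u for _, u in q}) >= max_users:
            flagged.add(ip)
    return {ip: totals[ip] for ip in flagged}


if __name__ == "__main__":
    for ip, rec in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {rec['failures']} failures, {len(rec['users'])} usernames, "
              f"{rec['first']:%H:%M:%S}-{rec['last']:%H:%M:%S}, "
              f"logins after flag: {rec['success_after_flag'] or 'none'}")
```

The distinct-username threshold is what separates a credential spray from a user retyping a password: the legitimate 203.0.113.20 fails twice with one username over 90 seconds and is never flagged, while 198.51.100.7 trips the rule on its third username in three seconds. Feeding real firewall syslog into this would need the regex adjusted to the exact message layout in use, and the source address should be checked against a Tor exit or proxy list before blocking, since Talos notes the traffic arrives through anonymizing infrastructure.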
