Cisco is fighting fires on a couple fronts this week after security incidents involving its Duo multi-factor authentication (MFA) service and its remote-access VPN services.

Cisco has alerted customers that one of its Duo telephony partners fell victim to a phishing attack on April 1, during which crooks stole an employee's credentials and used them to access message logs associated with Duo accounts.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," according to Cisco’s notification.

According to a statement from Cisco:

Cisco claims Duo has over 100,000 customers globally, so if that one percent figure is accurate it means about 1,000 likely received email notifications about the incident.

Upon discovering the digital intrusion, the unnamed supplier "immediately" invalidated the employee's credentials and notified Cisco of the incident. The supplier will also require all employees to take social-engineering attack awareness training, we're told.

The stolen logs did not contain any message content, but reportedly did include phone numbers, identify countries, and states to which each message was sent, plus some metadata on the time and type of message, and info on which carrier handled the TXTs.

According to Cisco, the unnamed telephony supplier confirmed that the intruders "did not download or otherwise access the content of any messages or use their access to the provider's internal systems to send any messages to any of the numbers contained in the message logs."

Brute-force attacks target remote VPNs

Meanwhile, on the VPN side of things, Cisco's Talos threat hunting team is "actively monitoring a global increase in brute-force attacks" targeting Cisco and other providers' VPN services, web application authentication interfaces, and SSH services.

According to an alert issued on Tuesday, the brute-force attacks have been ongoing since at least March 18 and originate from TOR exit nodes and other anonymizing tunnels and proxies.

Affected providers and services include Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, Miktrotik, Draytek and Ubiquiti, according to Talos, which noted, "additional services may be impacted by these attacks."

The brute-force attempts use both generic and valid usernames for specific organizations. Moreover, they seem to target victims across a wide range of industries and regions.

In a separate security advisory, Cisco indicated that the intrusion attempts seem to be "related to reconnaissance efforts," but didn't speculate who was responsible for the attempted break-ins - nor did it say it any were successful.

In response to The Reg's questions, a Cisco spokesperson issued this statement:

As to the other vendors listed in the report: Check Point had no comment, and the others did not respond to The Register's inquiries or could not be reached.

Cisco has advised its Secure Firewall customers to enable logging to help detect these and other brute-force attacks. Its security alert also includes steps for organizations to secure default remote access VPN profiles, and then block connection attempts from malicious sources. ®

https://www.theregister.com//2024/04/17/cisco_duo_vpn/