MFA Cannot Stand Alone Series – The DUO Hacking

Reuvein Vinokurov  |  October 22, 2024

Unveiling the Limitations of MFA

As was demonstrated in the previous blog post, MFA cannot stand alone. MFA, on its own, still leaves enterprise systems vulnerable to various breaches. In the following post, we will continue exploring different vulnerabilities of the MFA mechanism.

The DUO Hacking Incident

One such vulnerability was exposed very recently by the breach associated with one of the leading MFA providers – Cisco’s DUO. According to reports, DUO was acquired by the IT giant Cisco for around $2.35 billion. DUO is a cybersecurity platform that offers access management, phishing prevention, and risk-based authentication. It is a reputable platform trusted by clients worldwide. However, last week, it fell victim to hacking.

DUO itself was not directly breached, and that’s the point of discussion here. Instead, DUO’s third-party telephony (VoIP) provider was breached and compromised. Through a social engineering attack, an employee of the third-party VoIP provider disclosed their credentials to the hackers, granting them access to the company’s internal data. Subsequently, the hackers gained access to communication logs between DUO and the third party. The breach reportedly exposed information about DUO’s users, including emails, phone numbers, names, and other metadata associated with the messages.

This incident highlights a significant vulnerability in suppliers such as DUO. While DUO claims to eliminate password usage and ensure complete immunity from hacking, its clients were ultimately compromised due to the underlying issue plaguing companies and the cybersecurity industry – social engineering and its derivative, credential theft. The information obtained by hackers in this incident will likely be utilized in future spear-phishing attacks, as the hackers can now target specific individuals armed with their personal contact information.

Addressing MFA’s Shortcomings with UNIXi

This serves as another reminder that MFA cannot stand alone. Companies serious about their cybersecurity must incorporate additional tools into their arsenal to complement MFA. MFA alone does not holistically address social engineering, and as evidenced, even MFA suppliers are susceptible to social engineering attacks. This incident is another example of a scenario where UNIXi’s solution would have resolved the issue. Firstly, DUO’s third-party provider would have been protected under UNIXi’s universal SSO and its credential and phishing protection, thus mitigating the risk of credential theft. Additionally, DUO’s users, even if exposed by this or a similar attack, would have peace of mind knowing that there is no leak or breach that will allow hackers to breach other accounts in the future. MFA is undoubtedly valuable, and UNIXi’s platform offers it as part of its universal SSO (with 100% compatibility and seamless integration), but it becomes impervious with UNIXi’s credential and phishing protections.

Embrace the future of enterprise identity protection with UNIXi