Cisco Cyberattack Highlights Threats to MFA
Every cyberattack is bad news: As hackers and their attacks become more sophisticated, the information they steal and the networks they compromise are worth far more. However, some attacks are worse than others, and the method of attack is part of what sets them apart. You need to be aware of the latest attack, which hit Cisco’s network earlier this year.
According to a report from Cisco Talos published Aug. 10, Cisco first became aware of this attack on May 24, 2022. The investigation found that a Cisco employee’s credentials were compromised via the employee’s Google Account. How the hackers were able to obtain this information is the concerning part: Like so many bad actors, they engaged in phishing schemes. The difference this time, though, is that the hackers tricked the employee into accepting an MFA push alert. Here’s how this type of attack works:
An attacker calls a target while pretending to be a source the target trusts, such as their bank or company. The attacker convinces the target that in order to verify their identity, they need to provide the MFA code generated by the “trusted” source. That’s the scheme: An attacker might have access to your username and password, but they won’t have access to your device that receives MFA codes. They use your stolen credentials to trigger the MFA code, you receive the code, and you tell them the code, which grants them access to your account.
The Cisco hack could have been worse: The organization claims no critical systems were compromised. However, it is a reminder of the dangers of sharing MFA codes with strangers, or anyone at all. MFA codes are not designed to serve as identity verification when communicating with your company, bank, or other trusted organization: These organizations will never ask you for an MFA code when reaching out to you. If you are asked to share an MFA code, hang up, and call the organization to confirm whether they really contacted you in the first place.