Cisco Cyberattack Highlights Threats to MFA
Every cyberattack is bad news: As hackers and their attacks become more sophisticated, the information they steal and the networks they compromise are worth far more. However, some attacks are worse than others, and so are some methods of attack. You need to be aware of the latest attack, which hit Cisco’s network earlier this year.
According to a report from Cisco Talos published Aug. 10, Cisco first became aware of this attack on May 24, 2022. The investigation found that a Cisco employee’s credentials were compromised via the employee’s Google Account. How the hackers were able to obtain this information is concerning, however: These bad actors engaged in phishing schemes, like so many do. The difference this time, though, is that the hackers tricked the employee into accepting an MFA push alert. Here’s how this type of attack works:
An attacker calls a target pretending to be a source the target trusts, such as their bank or company. The attacker convinces the target that in order to verify their identity, they need to provide the MFA code generated by the “trusted” source. That’s the scheme: An attacker might have access to your username and password, but they won’t have access to the device that receives your MFA codes. They use your stolen credentials to trigger the MFA code, you receive the code, and you tell them the code, which grants them access to your account.
The Cisco hack could have been worse: The organization claims no critical systems were compromised. However, it is a reminder of the dangers of sharing MFA codes with strangers, or anyone at all. MFA codes are not designed to serve as identity verification when you communicate with your company, bank, or other trusted organization: These organizations will never ask you for an MFA code when reaching out to you. If you are asked to share an MFA code, hang up and call the organization to confirm whether they really contacted you in the first place.