<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Malicious Administrator - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/malicious-administrator/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/malicious-administrator/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Duo Bulk Policy Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/</guid><description>Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.</description><content:encoded><![CDATA[<p>This alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the <code>policy_bulk_delete</code> action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.</li>
<li>The attacker authenticates to the Duo Admin Panel.</li>
<li>The attacker navigates to the &quot;Policies&quot; section within the Duo Admin Panel.</li>
<li>The attacker selects multiple policies (more than three) for deletion.</li>
<li>The attacker initiates the bulk deletion action, triggering the <code>policy_bulk_delete</code> event in the Duo activity logs.</li>
<li>The Cisco Duo system processes the deletion requests.</li>
<li>The targeted security policies are removed from the Duo configuration.</li>
<li>The attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Bulk Policy Deletion</code> to your SIEM to detect suspicious bulk policy deletions.</li>
<li>Investigate any alerts generated by the <code>Cisco Duo Bulk Policy Deletion</code> rule, focusing on the user account performing the deletions and the specific policies targeted.</li>
<li>Review and restrict Duo administrator privileges to minimize the risk of rogue insider activity.</li>
<li>Implement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.</li>
<li>Enable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.</li>
<li>Monitor Cisco Duo Administrator logs as the source of the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>cisco-duo</category><category>policy-deletion</category><category>insider-threat</category></item></channel></rss>