Skip to content
Threat Feed
high advisory

Unusual Country for Cisco Duo Admin Login

Detection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.

This analytic focuses on identifying suspicious admin logins to Cisco Duo accounts. The core concern is that if a Duo admin logs in from an unexpected geographic location, especially a country outside the United States, it could signal a compromised account or an insider threat. This activity warrants immediate investigation due to the elevated privileges associated with admin accounts. The detection logic analyzes Duo activity logs, specifically looking for "admin_login" events and filtering based on the originating country. The goal is to pinpoint login attempts that deviate from established patterns, which could indicate unauthorized access, potentially leading to a breach of Duo's security configurations and sensitive data. The analytic relies on the Cisco Security Cloud App to ingest Duo logs.

Attack Chain

  1. The attacker gains unauthorized access to a Duo admin's credentials, possibly through phishing or credential stuffing.
  2. The attacker uses the compromised credentials to attempt an admin login to the Duo platform.
  3. Duo logs the admin login attempt, including the originating IP address and associated geolocation data.
  4. The analytic ingests the Duo activity logs via the Cisco Security Cloud App.
  5. The detection logic identifies the login attempt as originating from a country outside the United States.
  6. The analytic correlates user, device, browser, and location information to confirm the anomalous login.
  7. An alert is triggered, notifying security personnel of the suspicious admin login.
  8. The attacker may then be able to bypass security controls, alter configurations, or exfiltrate sensitive information.

Impact

Successful exploitation could lead to complete compromise of the Duo security environment. An attacker with admin access could disable multi-factor authentication for targeted users, bypass security controls, modify security policies, or exfiltrate sensitive user data and configuration details. This could result in a significant data breach and disruption of services for organizations relying on Duo for authentication, potentially impacting thousands of users.

Recommendation

  • Deploy the Sigma rule provided in this brief to your SIEM to detect unusual admin logins based on geographic location and tune it to exclude known good logins from international travelers.
  • Investigate any alerts generated by the Sigma rule to determine the validity of the login attempt, correlating the event with other security logs for the user account.
  • Enable multi-factor authentication (MFA) on all Duo admin accounts to mitigate the risk of credential compromise.
  • Ingest Cisco Duo activity logs using the Cisco Security Cloud App (https://splunkbase.splunk.com/app/7404) to enable the detection logic.

Detection coverage 2

Duo Admin Login from Unusual Country

high

Detects Duo admin logins originating from outside of the United States.

sigma tactics: initial_access techniques: T1556 sources: application, cisco

Duo Admin Login from New City

medium

Detects Duo admin logins originating from a new/unusual city.

sigma tactics: initial_access techniques: T1556 sources: application, cisco

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

url

TypeValue
urlhttps://splunkbase.splunk.com/app/7404