Skip to content
Threat Feed
high advisory

Cisco Duo Policy Modification to Bypass 2FA for Specific Countries

A Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.

This analytic focuses on the detection of unauthorized modifications to Cisco Duo policies that could weaken an organization's security. Specifically, it identifies instances where a Duo policy is created or updated to permit access without two-factor authentication (2FA) for users originating from countries outside the default settings. This is significant because attackers or malicious insiders might exploit such policy changes to circumvent strong authentication controls. By monitoring the Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA, defenders can quickly identify and respond to potentially malicious behavior. The scope of targeting is any organization utilizing Cisco Duo for multi-factor authentication.

Attack Chain

  1. An attacker gains administrative access to the Cisco Duo administration panel, potentially through compromised credentials or exploiting a vulnerability.
  2. The attacker navigates to the "Policies" section within the Duo admin panel.
  3. The attacker creates a new policy or modifies an existing one.
  4. Within the policy configuration, the attacker configures the "user_locations_default_action" setting to "Allow access without 2FA" for specific countries.
  5. The attacker saves the policy changes, which are then logged as a policy_update or policy_create action in the Duo administrator activity logs.
  6. Users from the targeted countries are now able to authenticate to systems protected by Duo without undergoing 2FA.
  7. The attacker uses a compromised account originating from one of the allowed countries to gain initial access.
  8. The attacker moves laterally within the network to access sensitive data or systems.

Impact

The impact of this attack includes unauthorized access to sensitive resources, data breaches, and potential lateral movement within the network. The absence of 2FA for specific countries significantly weakens the security posture, making it easier for attackers to compromise accounts and access valuable information. The number of affected users and systems depends on the scope of the policy change and the attacker's objectives.

Recommendation

  • Deploy the provided Sigma rule Cisco Duo Policy Created or Modified to Bypass 2FA to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the user and admin_email fields to identify potentially compromised administrator accounts.
  • Review all existing Duo policies to ensure that 2FA is enforced for all users, regardless of their location.
  • Implement multi-factor authentication for all administrator accounts to prevent unauthorized policy changes.
  • Monitor Cisco Duo Administrator logs for unusual activity patterns.
  • Regularly audit Duo policy configurations to identify and remediate any deviations from the established security baseline.

Detection coverage 2

Cisco Duo Policy Created or Modified to Bypass 2FA

high

Detects when a Duo policy is created or updated to allow access without 2FA for other countries.

sigma tactics: defense_evasion techniques: T1556 sources: application, cisco

Cisco Duo Policy Creation with 2FA Bypass

high

Detects creation of a Cisco Duo policy that allows 2FA bypass based on location.

sigma tactics: defense_evasion techniques: T1556 sources: application, cisco

Detection queries are available on the platform. Get full rules →