Skip to content
Threat Feed
high advisory

Cisco Duo User 2FA Bypass

Detection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.

This threat brief addresses the risk associated with unauthorized modification of user status within Cisco Duo, specifically the act of setting a user's status to "Bypass" for 2FA after it was previously "Active". Such a change significantly weakens the security posture of the affected account and may be indicative of malicious insider activity or account compromise. Attackers or unauthorized administrators could exploit this capability to disable strong authentication controls, thereby increasing the risk of unauthorized access to sensitive systems and data. This activity is detected via the Cisco Duo activity logs. Early detection of such changes is critical for enabling rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.

Attack Chain

  1. Initial Access: An attacker gains initial access through compromised credentials or insider access.
  2. Privilege Escalation: The attacker escalates privileges to an account capable of modifying Duo user settings.
  3. Configuration Change: The attacker navigates to the Cisco Duo admin panel and modifies the target user's status.
  4. User Status Modification: The attacker changes the user's status from "Active" to "Bypass", effectively disabling 2FA for that account.
  5. Authentication Bypass: The attacker uses the compromised credentials to authenticate to protected resources without 2FA.
  6. Lateral Movement: The attacker leverages the access gained to move laterally within the network, accessing additional systems and data.
  7. Data Exfiltration/Damage: The attacker exfiltrates sensitive data or causes damage to critical systems.

Impact

Successful exploitation can lead to a complete compromise of user accounts, enabling attackers to bypass multi-factor authentication and gain unauthorized access to sensitive systems and data. The impact can range from data breaches and financial loss to disruption of critical services. While the exact number of victims is not specified, any organization using Cisco Duo is potentially at risk. The sectors targeted are broad, as Duo is used across various industries to protect access to applications and resources.

Recommendation

  • Enable and monitor Cisco Duo activity logs to detect unauthorized changes (Cisco Duo Administrator).
  • Deploy the provided Sigma rule to detect instances where a user's status is changed to "Bypass" after being "Active" (Sigma rule: "Cisco Duo Set User Status to Bypass 2FA").
  • Investigate any alerts generated by the Sigma rule to determine the legitimacy of the user status change.
  • Implement strict access controls and multi-factor authentication for all administrative accounts in Cisco Duo.
  • Review and update user access privileges regularly to minimize the potential impact of compromised accounts.

Detection coverage 2

Cisco Duo Set User Status to Bypass 2FA

high

Detects instances where a Duo user's status is changed to 'Bypass' after being 'Active'.

sigma tactics: credential_access techniques: T1556 sources: application, cisco_duo_administrator

Cisco Duo User Update Events

info

Detects any Cisco Duo user update events. Useful for baselining and investigating anomalies.

sigma tactics: credential_access techniques: T1556 sources: application, cisco_duo_administrator

Detection queries are available on the platform. Get full rules →