{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cisco-adaptive-security-appliance/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Adaptive Security Appliance"],"_cs_severities":["high"],"_cs_tags":["cisco-asa","aaa-policy","privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief addresses the threat of unauthorized modifications to Authentication, Authorization, and Accounting (AAA) policies on Cisco Adaptive Security Appliance (ASA) devices. Attackers, including malicious insiders, may leverage CLI or ASDM to tamper with AAA settings. The modifications can weaken authentication mechanisms, disable account lockout policies, or elevate privileges. The goal is to facilitate brute-force attacks, maintain persistent access, and potentially compromise the entire network. This activity is typically observed through Cisco ASA syslog data, specifically monitoring command execution events related to AAA policy changes. This attack matters to defenders because a compromised ASA can grant an attacker complete control over the network perimeter.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the Cisco ASA's CLI or ASDM, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eAuthentication Policy Modification: The attacker modifies AAA authentication policies using commands like \u003ccode\u003eaaa authentication\u003c/code\u003e, potentially increasing the maximum failed login attempts or disabling account lockout.\u003c/li\u003e\n\u003cli\u003eAuthorization Policy Modification: The attacker modifies AAA authorization policies with commands like \u003ccode\u003eaaa authorization\u003c/code\u003e, escalating privileges for specific user accounts or groups to gain administrative access.\u003c/li\u003e\n\u003cli\u003eLocal Authentication Tampering: The attacker modifies the local authentication database on the ASA with commands like \u003ccode\u003eaaa local authentication\u003c/code\u003e, creating new privileged accounts or modifying existing ones.\u003c/li\u003e\n\u003cli\u003eAAA Server Configuration Changes: The attacker alters AAA server configurations using commands like \u003ccode\u003eaaa-server\u003c/code\u003e, redirecting authentication requests to a malicious AAA server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eDisabling AAA: The attacker disables AAA features entirely using \u003ccode\u003eno aaa\u003c/code\u003e commands, bypassing all authentication and authorization controls.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistent access by creating or modifying user accounts with elevated privileges, or by maintaining unauthorized access via weakened authentication policies.\u003c/li\u003e\n\u003cli\u003eLateral Movement \u0026amp; Data Exfiltration: With elevated privileges, the attacker moves laterally within the network, accessing sensitive data and exfiltrating it to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised AAA policies can lead to significant security breaches. An attacker can gain unauthorized access to sensitive network resources, exfiltrate confidential data, and disrupt critical business operations. Success could allow a malicious actor to pivot within the network, potentially impacting thousands of systems and resulting in substantial financial losses. This attack can severely damage an organization's reputation and erode customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Cisco ASA syslog data ingestion into your SIEM via the Cisco Security Cloud TA, ensuring message IDs 111008 and 111010 are included in the logs.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious AAA policy modifications.\u003c/li\u003e\n\u003cli\u003eReview and harden AAA policies on Cisco ASA devices regularly, enforcing strong password policies, account lockout thresholds, and multi-factor authentication where possible (reference: \u003ca href=\"https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)\"\u003ehttps://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any unauthorized modifications to AAA policies, focusing on changes that weaken security posture, and compare these changes against approved change management processes (see description field).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/","summary":"Unauthorized modifications to Cisco ASA AAA policies via CLI or ASDM can weaken authentication mechanisms, potentially enabling brute-force attacks, privilege escalation, and persistent access by malicious actors.","title":"Cisco ASA AAA Policy Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-aaa-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco Adaptive Security Appliance","version":"https://jsonfeed.org/version/1.1"}