<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cisco Duo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/cisco-duo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/cisco-duo/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Duo Admin Login from Unusual Operating System</title><link>https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/</guid><description>Detection of Cisco Duo admin login attempts originating from operating systems not typically used in the environment, potentially indicating account compromise or unauthorized access.</description><content:encoded><![CDATA[<p>This analytic focuses on identifying unusual administrative login activity within Cisco Duo environments. By monitoring Duo activity logs, it flags login attempts from operating systems that deviate from the norm, excluding common platforms like Mac OS X. The goal is to detect potential credential compromise or unauthorized access by threat actors utilizing unfamiliar devices. This method analyzes admin login actions, filters out logins from expected operating systems, aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. The detection logic specifically looks for deviations from established patterns of administrative access, enabling security operations to quickly identify and respond to potentially malicious activities. This analytic uses data ingested via the Cisco Security Cloud App.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains access to a valid Duo admin username and password, potentially through phishing, credential stuffing, or other means.</li>
<li><strong>Authentication Request:</strong> The attacker attempts to log in to the Duo admin panel using the compromised credentials.</li>
<li><strong>Duo Authentication:</strong> Duo prompts the attacker for secondary authentication (e.g., push notification, passcode).</li>
<li><strong>Bypass/Compromise MFA:</strong> The attacker bypasses or compromises the MFA mechanism, possibly through social engineering, SIM swapping, or exploiting vulnerabilities.</li>
<li><strong>Admin Login:</strong> The attacker successfully logs in to the Duo admin panel from an operating system not typically used by legitimate administrators.</li>
<li><strong>Privilege Escalation:</strong> Once logged in, the attacker might attempt to escalate privileges or modify user permissions.</li>
<li><strong>Policy Changes:</strong> The attacker could modify Duo policies to weaken security controls or bypass MFA requirements for other users.</li>
<li><strong>Lateral Movement:</strong> The attacker uses their access to pivot to other systems or applications integrated with Duo.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to unauthorized access to sensitive Duo configurations, potentially affecting the security of all applications and users protected by Duo. This can lead to widespread compromise, data breaches, and disruption of services. If an attacker successfully compromises a Duo admin account, they could disable MFA for targeted users, add new unauthorized users, or modify security policies to weaken the overall security posture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rule to detect Duo admin logins from unusual operating systems and tune it for your specific environment.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempts.</li>
<li>Monitor Cisco Duo activity logs for any suspicious changes to user accounts, policies, or authentication methods using the Cisco Security Cloud App (<a href="https://splunkbase.splunk.com/app/7404)">https://splunkbase.splunk.com/app/7404)</a>.</li>
<li>Implement strong MFA policies and educate users about phishing and social engineering attacks.</li>
<li>Review and update Duo admin access controls to ensure only authorized personnel have access to administrative functions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>account-compromise</category><category>unauthorized-access</category><category>ttp</category></item><item><title>Cisco Duo Admin Login from Unusual Browser</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-unusual-browser/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-unusual-browser/</guid><description>Detects Cisco Duo admin logins from browsers other than Chrome, potentially indicating compromised credentials, session hijacking, or unauthorized device usage.</description><content:encoded><![CDATA[<p>This analytic identifies instances of Cisco Duo administrators logging in using a web browser other than Chrome. The assumption is that most administrators within an organization consistently use Chrome, making other browsers anomalous. This detection is based on Cisco Duo activity logs ingested via the Cisco Security Cloud App. The activity logs are filtered for admin login events where the browser used is not Chrome. Detecting deviations from expected administrative access patterns can highlight potential security breaches such as credential compromise, session hijacking, or unauthorized device access. The scope of targeting is organizations using Cisco Duo for multi-factor authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a Duo administrator's credentials through phishing, malware, or social engineering.</li>
<li>The attacker leverages the stolen credentials to initiate a login attempt to the Duo admin panel.</li>
<li>The attacker uses a non-standard browser (e.g., Firefox, Safari, Edge) to access the Duo admin login page.</li>
<li>Duo activity logs record the admin login attempt, including the browser type, IP address, and geolocation data.</li>
<li>The Splunk analytic identifies the login attempt as anomalous because the browser is not Chrome.</li>
<li>Security analysts investigate the alert and confirm unauthorized access.</li>
<li>The attacker makes unauthorized changes to security policies, user access, or disables security controls within the Duo admin panel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could result in unauthorized modifications to security policies, user access, or the disabling of critical security controls. This can substantially weaken the organization's security posture, potentially leading to broader system compromises, data breaches, and service disruptions. The impact could range from targeted account takeovers to widespread privilege escalation affecting all users protected by Duo.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Admin Login Unusual Browser</code> to your SIEM to detect unusual browser usage for admin logins and tune for your specific environment.</li>
<li>Investigate any alerts generated by the Sigma rule <code>Cisco Duo Admin Login Unusual Browser</code> promptly to determine the legitimacy of the login attempt.</li>
<li>Review and reinforce security awareness training to prevent credential theft through phishing or other social engineering attacks.</li>
<li>Monitor the Duo activity logs for other suspicious activities, such as logins from unusual locations or at unusual times.</li>
<li>Ensure that the Cisco Security Cloud App is properly configured and ingesting Duo activity logs as described in the reference URL.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco-duo</category><category>credential-access</category><category>anomaly-detection</category></item><item><title>Cisco Duo Policy Allowing Outdated Flash Usage</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-cisco-duo-old-flash/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-cisco-duo-old-flash/</guid><description>A Cisco Duo administrator may create or update a policy to allow the use of outdated Flash components, potentially increasing the attack surface by allowing exploitation of Flash vulnerabilities.</description><content:encoded><![CDATA[<p>This threat brief focuses on the potential weakening of security controls within Cisco Duo environments. Specifically, it addresses the scenario where a Duo administrator modifies or creates a policy to permit the use of outdated Adobe Flash components. This is identified through Duo activity logs by detecting policy changes with the attribute &quot;flash_remediation=no remediation&quot;. The scope of this threat involves any organization using Cisco Duo for multi-factor authentication and where Flash-based applications or services are still in use, despite Flash reaching end-of-life. This policy change can significantly broaden the attack surface, as outdated Flash versions are riddled with known security vulnerabilities. Attackers may exploit these weaknesses to bypass authentication controls, potentially leading to unauthorized access, malware deployment, or privilege escalation. Defenders should be aware of this as it can undermine the overall security posture of the organization and lead to compliance violations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Cisco Duo administrator's account through compromised credentials or social engineering.</li>
<li>The attacker logs into the Cisco Duo Admin Panel with the compromised administrator account.</li>
<li>The attacker navigates to the &quot;Policies&quot; section of the Duo Admin Panel.</li>
<li>The attacker modifies an existing policy or creates a new policy to allow the use of outdated Flash components by setting &quot;flash_remediation=no remediation&quot;.</li>
<li>The policy change is saved, and the updated configuration is applied to the targeted users or applications.</li>
<li>A user with an outdated Flash version attempts to authenticate through Duo.</li>
<li>Due to the modified policy, the user is granted access despite the outdated Flash version.</li>
<li>The attacker leverages the Flash vulnerability on the user's system to execute malicious code, potentially leading to data theft or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack leveraging a policy allowing outdated Flash in Cisco Duo can lead to several negative consequences. Attackers can bypass multi-factor authentication, gaining unauthorized access to sensitive systems and data. Depending on the targeted systems, this could result in data breaches, financial losses, and reputational damage. The impact is especially significant for organizations in regulated industries that require strict adherence to security compliance standards. The number of potential victims depends on the scope of the vulnerable policy and the number of users still relying on outdated Flash components.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Allowing Outdated Flash</code> to detect instances where Duo administrators create or update policies to allow outdated Flash versions. This will provide real-time alerting of potentially malicious policy changes (rule).</li>
<li>Review all existing Cisco Duo policies and ensure that Flash remediation is enabled (&quot;flash_remediation=remediation&quot;) to prevent the exploitation of Flash vulnerabilities.</li>
<li>Enforce a policy of disabling or removing Flash from all endpoints where it is not absolutely necessary.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the intent behind the policy change and whether the administrator account was compromised.</li>
<li>Monitor Cisco Duo activity logs using the <code>cisco_duo_administrator</code> data source for suspicious activity patterns, such as unusual login times or policy changes made outside of normal business hours.</li>
<li>Utilize the Cisco Security Cloud App (referenced in the provided URL) to ingest Cisco Duo activity logs into your SIEM for centralized monitoring and analysis.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cisco_duo</category><category>policy_change</category><category>outdated_software</category></item></channel></rss>