{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/duo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Insider Threat","Malicious Administrator"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-deletion","insider-threat"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker selects multiple policies (more than three) for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the bulk deletion action, triggering the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e event in the Duo activity logs.\u003c/li\u003e\n\u003cli\u003eThe Cisco Duo system processes the deletion requests.\u003c/li\u003e\n\u003cli\u003eThe targeted security policies are removed from the Duo configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e to your SIEM to detect suspicious bulk policy deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e rule, focusing on the user account performing the deletions and the specific policies targeted.\u003c/li\u003e\n\u003cli\u003eReview and restrict Duo administrator privileges to minimize the risk of rogue insider activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo Administrator logs as the source of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/","summary":"Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.","title":"Cisco Duo Bulk Policy Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","account-compromise","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on identifying suspicious admin logins to Cisco Duo accounts. The core concern is that if a Duo admin logs in from an unexpected geographic location, especially a country outside the United States, it could signal a compromised account or an insider threat. This activity warrants immediate investigation due to the elevated privileges associated with admin accounts. The detection logic analyzes Duo activity logs, specifically looking for \u0026quot;admin_login\u0026quot; events and filtering based on the originating country. The goal is to pinpoint login attempts that deviate from established patterns, which could indicate unauthorized access, potentially leading to a breach of Duo's security configurations and sensitive data. The analytic relies on the Cisco Security Cloud App to ingest Duo logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Duo admin's credentials, possibly through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to attempt an admin login to the Duo platform.\u003c/li\u003e\n\u003cli\u003eDuo logs the admin login attempt, including the originating IP address and associated geolocation data.\u003c/li\u003e\n\u003cli\u003eThe analytic ingests the Duo activity logs via the Cisco Security Cloud App.\u003c/li\u003e\n\u003cli\u003eThe detection logic identifies the login attempt as originating from a country outside the United States.\u003c/li\u003e\n\u003cli\u003eThe analytic correlates user, device, browser, and location information to confirm the anomalous login.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered, notifying security personnel of the suspicious admin login.\u003c/li\u003e\n\u003cli\u003eThe attacker may then be able to bypass security controls, alter configurations, or exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to complete compromise of the Duo security environment. An attacker with admin access could disable multi-factor authentication for targeted users, bypass security controls, modify security policies, or exfiltrate sensitive user data and configuration details. This could result in a significant data breach and disruption of services for organizations relying on Duo for authentication, potentially impacting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect unusual admin logins based on geographic location and tune it to exclude known good logins from international travelers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the validity of the login attempt, correlating the event with other security logs for the user account.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) on all Duo admin accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eIngest Cisco Duo activity logs using the Cisco Security Cloud App (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) to enable the detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/","summary":"Detection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.","title":"Unusual Country for Cisco Duo Admin Login","url":"https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","2fa-bypass","credential-access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with unauthorized modification of user status within Cisco Duo, specifically the act of setting a user's status to \u0026quot;Bypass\u0026quot; for 2FA after it was previously \u0026quot;Active\u0026quot;. Such a change significantly weakens the security posture of the affected account and may be indicative of malicious insider activity or account compromise. Attackers or unauthorized administrators could exploit this capability to disable strong authentication controls, thereby increasing the risk of unauthorized access to sensitive systems and data. This activity is detected via the Cisco Duo activity logs. Early detection of such changes is critical for enabling rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to an account capable of modifying Duo user settings.\u003c/li\u003e\n\u003cli\u003eConfiguration Change: The attacker navigates to the Cisco Duo admin panel and modifies the target user's status.\u003c/li\u003e\n\u003cli\u003eUser Status Modification: The attacker changes the user's status from \u0026quot;Active\u0026quot; to \u0026quot;Bypass\u0026quot;, effectively disabling 2FA for that account.\u003c/li\u003e\n\u003cli\u003eAuthentication Bypass: The attacker uses the compromised credentials to authenticate to protected resources without 2FA.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the access gained to move laterally within the network, accessing additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Damage: The attacker exfiltrates sensitive data or causes damage to critical systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of user accounts, enabling attackers to bypass multi-factor authentication and gain unauthorized access to sensitive systems and data. The impact can range from data breaches and financial loss to disruption of critical services. While the exact number of victims is not specified, any organization using Cisco Duo is potentially at risk. The sectors targeted are broad, as Duo is used across various industries to protect access to applications and resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Cisco Duo activity logs to detect unauthorized changes (Cisco Duo Administrator).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where a user's status is changed to \u0026quot;Bypass\u0026quot; after being \u0026quot;Active\u0026quot; (Sigma rule: \u0026quot;Cisco Duo Set User Status to Bypass 2FA\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the user status change.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for all administrative accounts in Cisco Duo.\u003c/li\u003e\n\u003cli\u003eReview and update user access privileges regularly to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/","summary":"Detection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.","title":"Cisco Duo User 2FA Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","2fa-bypass","policy-modification"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on the detection of unauthorized modifications to Cisco Duo policies that could weaken an organization's security. Specifically, it identifies instances where a Duo policy is created or updated to permit access without two-factor authentication (2FA) for users originating from countries outside the default settings. This is significant because attackers or malicious insiders might exploit such policy changes to circumvent strong authentication controls. By monitoring the Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA, defenders can quickly identify and respond to potentially malicious behavior. The scope of targeting is any organization utilizing Cisco Duo for multi-factor authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the Cisco Duo administration panel, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new policy or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the policy configuration, the attacker configures the \u0026quot;user_locations_default_action\u0026quot; setting to \u0026quot;Allow access without 2FA\u0026quot; for specific countries.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the policy changes, which are then logged as a \u003ccode\u003epolicy_update\u003c/code\u003e or \u003ccode\u003epolicy_create\u003c/code\u003e action in the Duo administrator activity logs.\u003c/li\u003e\n\u003cli\u003eUsers from the targeted countries are now able to authenticate to systems protected by Duo without undergoing 2FA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a compromised account originating from one of the allowed countries to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this attack includes unauthorized access to sensitive resources, data breaches, and potential lateral movement within the network. The absence of 2FA for specific countries significantly weakens the security posture, making it easier for attackers to compromise accounts and access valuable information. The number of affected users and systems depends on the scope of the policy change and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eCisco Duo Policy Created or Modified to Bypass 2FA\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003eadmin_email\u003c/code\u003e fields to identify potentially compromised administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview all existing Duo policies to ensure that 2FA is enforced for all users, regardless of their location.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all administrator accounts to prevent unauthorized policy changes.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo Administrator logs for unusual activity patterns.\u003c/li\u003e\n\u003cli\u003eRegularly audit Duo policy configurations to identify and remediate any deviations from the established security baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/","summary":"A Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.","title":"Cisco Duo Policy Modification to Bypass 2FA for Specific Countries","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["critical"],"_cs_tags":["cisco-duo","2fa-bypass","policy-modification"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat involves the modification of Cisco Duo policies to disable or bypass two-factor authentication (2FA). The attack leverages administrative access, either legitimate or compromised, to alter the Duo configuration. This manipulation allows unauthorized access to systems and applications normally protected by 2FA. This activity is identified by analyzing Cisco Duo administrator activity logs for policy changes that set the authentication status to \u0026quot;Allow access without 2FA\u0026quot;. This is a critical issue because it significantly weakens the security posture of an organization, potentially leading to widespread compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Cisco Duo administrator account, either through credential theft, social engineering, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Cisco Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target policy to modify or creates a new policy.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the policy settings, specifically changing the \u0026quot;Authentication Status\u0026quot; to \u0026quot;Allow access without 2FA.\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified policy.\u003c/li\u003e\n\u003cli\u003eUsers covered by the modified policy can now access protected applications and systems without completing 2FA.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the lack of 2FA to gain unauthorized access to sensitive systems and data, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass two-factor authentication, a critical security control. This can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. The impact is widespread as any application or system protected by the affected Duo policy becomes vulnerable. The damage can be extensive, depending on the scope of access granted by the bypassed 2FA.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Created Allowing 2FA Bypass\u003c/code\u003e to detect the creation of policies bypassing 2FA and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Updated Allowing 2FA Bypass\u003c/code\u003e to detect modifications of existing policies bypassing 2FA and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo administrator activity logs for unauthorized or suspicious policy changes as described in the \u0026quot;Overview\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong access controls for Cisco Duo administrator accounts, including multi-factor authentication, as this is the initial access vector.\u003c/li\u003e\n\u003cli\u003eInstall the Cisco Security Cloud App from Splunkbase (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) to ensure proper data ingestion from Cisco Duo.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/","summary":"An attacker modifies Cisco Duo policies to allow access without two-factor authentication (2FA), potentially gaining unauthorized access to systems and data.","title":"Cisco Duo Policy Bypass via 2FA Disablement","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco_duo","policy_change","tampered_devices","rooted_devices","identity"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects when a Duo policy is created or updated to allow tampered or rooted devices (e.g., jailbroken smartphones) to access protected resources. The detection focuses on changes to Duo policies where the \u003ccode\u003eallow_rooted_devices\u003c/code\u003e setting is enabled. The activity is identified through the examination of Cisco Duo administrator activity logs. This poses a significant security risk because tampered devices can bypass security controls, run unauthorized software, and become more susceptible to compromise. The ability to modify these settings can be indicative of a misconfiguration or a malicious attempt to weaken authentication requirements, potentially granting attackers access to sensitive systems using compromised devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an administrative account within the Cisco Duo environment.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Policies section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing policy or creates a new policy.\u003c/li\u003e\n\u003cli\u003eDuring policy creation or modification, the attacker enables the \u0026quot;Allow rooted devices\u0026quot; setting, which is represented as \u003ccode\u003eallow_rooted_devices=true\u003c/code\u003e in the policy description.\u003c/li\u003e\n\u003cli\u003eThe Duo Admin Panel logs the policy creation or update event in the administrator activity logs.\u003c/li\u003e\n\u003cli\u003eTampered devices are now able to authenticate via Duo and access protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the circumvention of security controls on tampered devices, unauthorized access to sensitive systems, data breaches, and potential lateral movement within the network. Organizations relying on Duo for multi-factor authentication may experience a significant degradation in their security posture if this policy is enabled, potentially affecting thousands of users and devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Tampered Devices\u003c/code\u003e to detect the creation or modification of Duo policies allowing tampered devices by monitoring the Duo administrator activity logs.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Duo policies to identify any unintentional or malicious configurations allowing tampered devices.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eCisco Duo Administrator\u003c/code\u003e logs for suspicious activity, especially related to policy changes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and remediate by reverting the policy change.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/","summary":"A threat actor modifies or creates a Cisco Duo policy to allow tampered or rooted devices to access protected resources, potentially bypassing security controls and enabling unauthorized access.","title":"Cisco Duo Policy Allowing Tampered Devices","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-modification","outdated-software"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief addresses the risk associated with modifying Cisco Duo policies to allow the use of outdated Java versions. An attacker, potentially an insider or an external actor who has compromised administrative credentials, weakens the organization's security posture by updating Duo policies to disable Java remediation. The activity is identified by monitoring Cisco Duo administrator activity logs for policy updates or creations where the \u003ccode\u003ejava_remediation\u003c/code\u003e setting is explicitly set to \u003ccode\u003eno remediation\u003c/code\u003e. Allowing outdated Java exposes the organization to numerous security vulnerabilities, increasing the likelihood of successful exploitation. This activity could begin at any time, and defenders should consider the possibility of both malicious insiders and compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise/Insider Threat:\u003c/strong\u003e The attacker gains access to a Cisco Duo administrator account, either through credential compromise or by being a malicious insider.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the Cisco Duo administrative interface using the compromised or authorized account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Duo policies to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Duo policy, specifically setting the \u003ccode\u003ejava_remediation\u003c/code\u003e attribute to \u003ccode\u003eno remediation\u003c/code\u003e. This disables the enforcement of up-to-date Java requirements for applications protected by the modified policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Activation:\u003c/strong\u003e The modified policy is activated, allowing users with outdated Java versions to access protected applications without remediation prompts or blocks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation:\u003c/strong\u003e Users with outdated Java versions access protected applications, unknowingly creating an opportunity for attackers to exploit known Java vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Breach:\u003c/strong\u003e If a Java vulnerability is successfully exploited, the attacker may gain unauthorized access to systems, potentially leading to lateral movement within the network and/or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful modification of Cisco Duo policies to allow outdated Java can have severe consequences. Victims can range from individual users to entire organizations. The immediate impact is a weakened security posture, increasing the organization's attack surface. Successful exploitation of Java vulnerabilities can lead to data breaches, system compromise, and potential financial losses. The number of affected users and systems depends on the scope of the modified policies and the prevalence of outdated Java versions within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e to detect policy updates that disable Java remediation based on \u003ccode\u003ecisco_duo_administrator\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e Sigma rule, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and admin email (\u003ccode\u003eadmin_email\u003c/code\u003e) associated with the policy change.\u003c/li\u003e\n\u003cli\u003eReview and enforce multi-factor authentication for all Cisco Duo administrator accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Cisco Duo policies to ensure that Java remediation is enabled and aligned with security best practices.\u003c/li\u003e\n\u003cli\u003eRefer to the Cisco Security Cloud App documentation (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) for proper log ingestion from Duo.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/","summary":"A threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.","title":"Cisco Duo Policy Allowing Outdated Java Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["medium"],"_cs_tags":["cisco-duo","screen-lock","policy-change"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on a Splunk detection analytic designed to identify the weakening of security controls within a Cisco Duo environment. Specifically, the analytic detects instances where a Duo policy is created or updated to permit devices without a screen lock requirement. This configuration change can expose organizations to increased security risks, as lost or stolen devices could be more easily compromised. The detection logic searches Cisco Duo administrator activity logs for policy creation or update events, explicitly looking for entries where the 'require_lock' setting is set to false. This activity is flagged because it deviates from a security best practice. This detection is critical for SOC teams, as malicious insiders or external attackers could attempt to lower authentication standards to facilitate unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an administrator account with privileges to modify Duo policies.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Duo Admin Panel using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker either creates a new policy or modifies an existing policy.\u003c/li\u003e\n\u003cli\u003eWithin the policy settings, the attacker modifies the \u0026quot;require_lock\u0026quot; setting to \u0026quot;false,\u0026quot; allowing devices without screen locks to authenticate.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the policy changes.\u003c/li\u003e\n\u003cli\u003eUsers with devices that do not have screen locks are now able to authenticate through Duo.\u003c/li\u003e\n\u003cli\u003eAn attacker exploits a lost or stolen device without a screen lock to gain unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising Duo security policies to allow devices without screen locks significantly increases the risk of unauthorized access. If successful, this policy change could lead to credential compromise, data breaches, and lateral movement within the network. While the specific number of potential victims or targeted sectors is unknown, any organization using Cisco Duo for authentication is potentially vulnerable. The impact is magnified in environments where mobile devices are heavily used, or where sensitive data is accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your specific Cisco Duo environment to detect the policy change activity.\u003c/li\u003e\n\u003cli\u003eReview existing Duo policies to ensure that the \u0026quot;require_lock\u0026quot; setting is enabled for all appropriate policies and user groups.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the Duo administrator activity logs and identifying the user (\u003ccode\u003euser\u003c/code\u003e field in the logs) who made the changes.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo administrator logs (\u003ccode\u003ecisco_duo_administrator\u003c/code\u003e data source) for unauthorized or suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative accounts, including those used to manage Duo policies, to prevent credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/","summary":"A Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.","title":"Cisco Duo Policy Change to Allow Devices Without Screen Lock","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Duo","version":"https://jsonfeed.org/version/1.1"}