{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco-duo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Insider Threat","Malicious Administrator"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-deletion","insider-threat"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis alert identifies instances where a Cisco Duo administrator deletes more than three policies in a single action. This behavior is detected by analyzing Duo activity logs for the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e action. The analytic extracts the names of the deleted policies and counts them. If the count exceeds three, the event is flagged as suspicious. This bulk deletion of security policies can indicate malicious activity, such as an attacker or a rogue administrator attempting to weaken or disable security controls, potentially to facilitate unauthorized access or data breaches. Early detection is critical, as the impact could include a significantly reduced security posture and increased risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the Cisco Duo platform, either through compromised credentials or as a rogue insider.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker selects multiple policies (more than three) for deletion.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the bulk deletion action, triggering the \u003ccode\u003epolicy_bulk_delete\u003c/code\u003e event in the Duo activity logs.\u003c/li\u003e\n\u003cli\u003eThe Cisco Duo system processes the deletion requests.\u003c/li\u003e\n\u003cli\u003eThe targeted security policies are removed from the Duo configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker aims to weaken the overall security posture, making it easier to bypass authentication controls in the future.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bulk policy deletion can severely compromise an organization's security posture. If critical MFA policies are deleted, unauthorized access to sensitive systems and data becomes easier. While specific victim counts are unavailable, the potential scope includes all users and systems protected by the deleted policies. The sectors most at risk are those heavily reliant on Duo for access control, including finance, healthcare, and government. Consequences range from data breaches and financial loss to regulatory penalties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e to your SIEM to detect suspicious bulk policy deletions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Bulk Policy Deletion\u003c/code\u003e rule, focusing on the user account performing the deletions and the specific policies targeted.\u003c/li\u003e\n\u003cli\u003eReview and restrict Duo administrator privileges to minimize the risk of rogue insider activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all Duo administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable and regularly review audit logs within the Cisco Duo Admin Panel to monitor administrative actions.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo Administrator logs as the source of the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/","summary":"Detection of a Cisco Duo administrator performing a bulk deletion of more than three policies, potentially indicating malicious activity such as weakening security controls.","title":"Cisco Duo Bulk Policy Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bulk-policy-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","account-compromise","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on identifying suspicious admin logins to Cisco Duo accounts. The core concern is that if a Duo admin logs in from an unexpected geographic location, especially a country outside the United States, it could signal a compromised account or an insider threat. This activity warrants immediate investigation due to the elevated privileges associated with admin accounts. The detection logic analyzes Duo activity logs, specifically looking for \u0026quot;admin_login\u0026quot; events and filtering based on the originating country. The goal is to pinpoint login attempts that deviate from established patterns, which could indicate unauthorized access, potentially leading to a breach of Duo's security configurations and sensitive data. The analytic relies on the Cisco Security Cloud App to ingest Duo logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Duo admin's credentials, possibly through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to attempt an admin login to the Duo platform.\u003c/li\u003e\n\u003cli\u003eDuo logs the admin login attempt, including the originating IP address and associated geolocation data.\u003c/li\u003e\n\u003cli\u003eThe analytic ingests the Duo activity logs via the Cisco Security Cloud App.\u003c/li\u003e\n\u003cli\u003eThe detection logic identifies the login attempt as originating from a country outside the United States.\u003c/li\u003e\n\u003cli\u003eThe analytic correlates user, device, browser, and location information to confirm the anomalous login.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered, notifying security personnel of the suspicious admin login.\u003c/li\u003e\n\u003cli\u003eThe attacker may then be able to bypass security controls, alter configurations, or exfiltrate sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to complete compromise of the Duo security environment. An attacker with admin access could disable multi-factor authentication for targeted users, bypass security controls, modify security policies, or exfiltrate sensitive user data and configuration details. This could result in a significant data breach and disruption of services for organizations relying on Duo for authentication, potentially impacting thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect unusual admin logins based on geographic location and tune it to exclude known good logins from international travelers.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the validity of the login attempt, correlating the event with other security logs for the user account.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) on all Duo admin accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eIngest Cisco Duo activity logs using the Cisco Security Cloud App (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) to enable the detection logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/","summary":"Detection of Cisco Duo admin logins originating from outside the United States indicates potential account compromise or unauthorized access.","title":"Unusual Country for Cisco Duo Admin Login","url":"https://feed.craftedsignal.io/briefs/2024-01-03-duo-unusual-admin-login/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","2fa-bypass","credential-access"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat brief addresses the risk associated with unauthorized modification of user status within Cisco Duo, specifically the act of setting a user's status to \u0026quot;Bypass\u0026quot; for 2FA after it was previously \u0026quot;Active\u0026quot;. Such a change significantly weakens the security posture of the affected account and may be indicative of malicious insider activity or account compromise. Attackers or unauthorized administrators could exploit this capability to disable strong authentication controls, thereby increasing the risk of unauthorized access to sensitive systems and data. This activity is detected via the Cisco Duo activity logs. Early detection of such changes is critical for enabling rapid investigation and response, helping to prevent potential breaches and limit the impact of credential-based attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access through compromised credentials or insider access.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to an account capable of modifying Duo user settings.\u003c/li\u003e\n\u003cli\u003eConfiguration Change: The attacker navigates to the Cisco Duo admin panel and modifies the target user's status.\u003c/li\u003e\n\u003cli\u003eUser Status Modification: The attacker changes the user's status from \u0026quot;Active\u0026quot; to \u0026quot;Bypass\u0026quot;, effectively disabling 2FA for that account.\u003c/li\u003e\n\u003cli\u003eAuthentication Bypass: The attacker uses the compromised credentials to authenticate to protected resources without 2FA.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker leverages the access gained to move laterally within the network, accessing additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Damage: The attacker exfiltrates sensitive data or causes damage to critical systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of user accounts, enabling attackers to bypass multi-factor authentication and gain unauthorized access to sensitive systems and data. The impact can range from data breaches and financial loss to disruption of critical services. While the exact number of victims is not specified, any organization using Cisco Duo is potentially at risk. The sectors targeted are broad, as Duo is used across various industries to protect access to applications and resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Cisco Duo activity logs to detect unauthorized changes (Cisco Duo Administrator).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect instances where a user's status is changed to \u0026quot;Bypass\u0026quot; after being \u0026quot;Active\u0026quot; (Sigma rule: \u0026quot;Cisco Duo Set User Status to Bypass 2FA\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the user status change.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for all administrative accounts in Cisco Duo.\u003c/li\u003e\n\u003cli\u003eReview and update user access privileges regularly to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/","summary":"Detection of Cisco Duo user status being changed to 'Bypass' after being 'Active', indicating potential malicious activity to weaken account security.","title":"Cisco Duo User 2FA Bypass","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","2fa-bypass","policy-modification"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on the detection of unauthorized modifications to Cisco Duo policies that could weaken an organization's security. Specifically, it identifies instances where a Duo policy is created or updated to permit access without two-factor authentication (2FA) for users originating from countries outside the default settings. This is significant because attackers or malicious insiders might exploit such policy changes to circumvent strong authentication controls. By monitoring the Duo administrator activity logs for policy creation or update actions where the policy description indicates that access is permitted without 2FA, defenders can quickly identify and respond to potentially malicious behavior. The scope of targeting is any organization utilizing Cisco Duo for multi-factor authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains administrative access to the Cisco Duo administration panel, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new policy or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the policy configuration, the attacker configures the \u0026quot;user_locations_default_action\u0026quot; setting to \u0026quot;Allow access without 2FA\u0026quot; for specific countries.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the policy changes, which are then logged as a \u003ccode\u003epolicy_update\u003c/code\u003e or \u003ccode\u003epolicy_create\u003c/code\u003e action in the Duo administrator activity logs.\u003c/li\u003e\n\u003cli\u003eUsers from the targeted countries are now able to authenticate to systems protected by Duo without undergoing 2FA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a compromised account originating from one of the allowed countries to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network to access sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of this attack includes unauthorized access to sensitive resources, data breaches, and potential lateral movement within the network. The absence of 2FA for specific countries significantly weakens the security posture, making it easier for attackers to compromise accounts and access valuable information. The number of affected users and systems depends on the scope of the policy change and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eCisco Duo Policy Created or Modified to Bypass 2FA\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003euser\u003c/code\u003e and \u003ccode\u003eadmin_email\u003c/code\u003e fields to identify potentially compromised administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview all existing Duo policies to ensure that 2FA is enforced for all users, regardless of their location.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all administrator accounts to prevent unauthorized policy changes.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo Administrator logs for unusual activity patterns.\u003c/li\u003e\n\u003cli\u003eRegularly audit Duo policy configurations to identify and remediate any deviations from the established security baseline.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/","summary":"A Duo policy is created or updated to allow access without two-factor authentication (2FA) for users in countries other than the default, potentially weakening the organization's security posture and increasing the risk of unauthorized access.","title":"Cisco Duo Policy Modification to Bypass 2FA for Specific Countries","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-2fa-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["critical"],"_cs_tags":["cisco-duo","2fa-bypass","policy-modification"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis threat involves the modification of Cisco Duo policies to disable or bypass two-factor authentication (2FA). The attack leverages administrative access, either legitimate or compromised, to alter the Duo configuration. This manipulation allows unauthorized access to systems and applications normally protected by 2FA. This activity is identified by analyzing Cisco Duo administrator activity logs for policy changes that set the authentication status to \u0026quot;Allow access without 2FA\u0026quot;. This is a critical issue because it significantly weakens the security posture of an organization, potentially leading to widespread compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Cisco Duo administrator account, either through credential theft, social engineering, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Cisco Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target policy to modify or creates a new policy.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the policy settings, specifically changing the \u0026quot;Authentication Status\u0026quot; to \u0026quot;Allow access without 2FA.\u0026quot;\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified policy.\u003c/li\u003e\n\u003cli\u003eUsers covered by the modified policy can now access protected applications and systems without completing 2FA.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the lack of 2FA to gain unauthorized access to sensitive systems and data, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass two-factor authentication, a critical security control. This can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. The impact is widespread as any application or system protected by the affected Duo policy becomes vulnerable. The damage can be extensive, depending on the scope of access granted by the bypassed 2FA.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Created Allowing 2FA Bypass\u003c/code\u003e to detect the creation of policies bypassing 2FA and tune for your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Updated Allowing 2FA Bypass\u003c/code\u003e to detect modifications of existing policies bypassing 2FA and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo administrator activity logs for unauthorized or suspicious policy changes as described in the \u0026quot;Overview\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong access controls for Cisco Duo administrator accounts, including multi-factor authentication, as this is the initial access vector.\u003c/li\u003e\n\u003cli\u003eInstall the Cisco Security Cloud App from Splunkbase (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) to ensure proper data ingestion from Cisco Duo.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/","summary":"An attacker modifies Cisco Duo policies to allow access without two-factor authentication (2FA), potentially gaining unauthorized access to systems and data.","title":"Cisco Duo Policy Bypass via 2FA Disablement","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-policy-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-modification","outdated-software"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief addresses the risk associated with modifying Cisco Duo policies to allow the use of outdated Java versions. An attacker, potentially an insider or an external actor who has compromised administrative credentials, weakens the organization's security posture by updating Duo policies to disable Java remediation. The activity is identified by monitoring Cisco Duo administrator activity logs for policy updates or creations where the \u003ccode\u003ejava_remediation\u003c/code\u003e setting is explicitly set to \u003ccode\u003eno remediation\u003c/code\u003e. Allowing outdated Java exposes the organization to numerous security vulnerabilities, increasing the likelihood of successful exploitation. This activity could begin at any time, and defenders should consider the possibility of both malicious insiders and compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise/Insider Threat:\u003c/strong\u003e The attacker gains access to a Cisco Duo administrator account, either through credential compromise or by being a malicious insider.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the Cisco Duo administrative interface using the compromised or authorized account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Duo policies to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Duo policy, specifically setting the \u003ccode\u003ejava_remediation\u003c/code\u003e attribute to \u003ccode\u003eno remediation\u003c/code\u003e. This disables the enforcement of up-to-date Java requirements for applications protected by the modified policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Activation:\u003c/strong\u003e The modified policy is activated, allowing users with outdated Java versions to access protected applications without remediation prompts or blocks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation:\u003c/strong\u003e Users with outdated Java versions access protected applications, unknowingly creating an opportunity for attackers to exploit known Java vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Breach:\u003c/strong\u003e If a Java vulnerability is successfully exploited, the attacker may gain unauthorized access to systems, potentially leading to lateral movement within the network and/or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful modification of Cisco Duo policies to allow outdated Java can have severe consequences. Victims can range from individual users to entire organizations. The immediate impact is a weakened security posture, increasing the organization's attack surface. Successful exploitation of Java vulnerabilities can lead to data breaches, system compromise, and potential financial losses. The number of affected users and systems depends on the scope of the modified policies and the prevalence of outdated Java versions within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e to detect policy updates that disable Java remediation based on \u003ccode\u003ecisco_duo_administrator\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e Sigma rule, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and admin email (\u003ccode\u003eadmin_email\u003c/code\u003e) associated with the policy change.\u003c/li\u003e\n\u003cli\u003eReview and enforce multi-factor authentication for all Cisco Duo administrator accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Cisco Duo policies to ensure that Java remediation is enabled and aligned with security best practices.\u003c/li\u003e\n\u003cli\u003eRefer to the Cisco Security Cloud App documentation (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) for proper log ingestion from Duo.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/","summary":"A threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.","title":"Cisco Duo Policy Allowing Outdated Java Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","account-compromise","unauthorized-access","ttp"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on identifying unusual administrative login activity within Cisco Duo environments. By monitoring Duo activity logs, it flags login attempts from operating systems that deviate from the norm, excluding common platforms like Mac OS X. The goal is to detect potential credential compromise or unauthorized access by threat actors utilizing unfamiliar devices. This method analyzes admin login actions, filters out logins from expected operating systems, aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. The detection logic specifically looks for deviations from established patterns of administrative access, enabling security operations to quickly identify and respond to potentially malicious activities. This analytic uses data ingested via the Cisco Security Cloud App.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to a valid Duo admin username and password, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker attempts to log in to the Duo admin panel using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDuo Authentication:\u003c/strong\u003e Duo prompts the attacker for secondary authentication (e.g., push notification, passcode).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass/Compromise MFA:\u003c/strong\u003e The attacker bypasses or compromises the MFA mechanism, possibly through social engineering, SIM swapping, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdmin Login:\u003c/strong\u003e The attacker successfully logs in to the Duo admin panel from an operating system not typically used by legitimate administrators.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Once logged in, the attacker might attempt to escalate privileges or modify user permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Changes:\u003c/strong\u003e The attacker could modify Duo policies to weaken security controls or bypass MFA requirements for other users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses their access to pivot to other systems or applications integrated with Duo.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive Duo configurations, potentially affecting the security of all applications and users protected by Duo. This can lead to widespread compromise, data breaches, and disruption of services. If an attacker successfully compromises a Duo admin account, they could disable MFA for targeted users, add new unauthorized users, or modify security policies to weaken the overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect Duo admin logins from unusual operating systems and tune it for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo activity logs for any suspicious changes to user accounts, policies, or authentication methods using the Cisco Security Cloud App (\u003ca href=\"https://splunkbase.splunk.com/app/7404)\"\u003ehttps://splunkbase.splunk.com/app/7404)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong MFA policies and educate users about phishing and social engineering attacks.\u003c/li\u003e\n\u003cli\u003eReview and update Duo admin access controls to ensure only authorized personnel have access to administrative functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/","summary":"Detection of Cisco Duo admin login attempts originating from operating systems not typically used in the environment, potentially indicating account compromise or unauthorized access.","title":"Cisco Duo Admin Login from Unusual Operating System","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Duo"],"_cs_severities":["medium"],"_cs_tags":["cisco-duo","credential-access","anomaly-detection"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic identifies instances of Cisco Duo administrators logging in using a web browser other than Chrome. The assumption is that most administrators within an organization consistently use Chrome, making other browsers anomalous. This detection is based on Cisco Duo activity logs ingested via the Cisco Security Cloud App. The activity logs are filtered for admin login events where the browser used is not Chrome. Detecting deviations from expected administrative access patterns can highlight potential security breaches such as credential compromise, session hijacking, or unauthorized device access. The scope of targeting is organizations using Cisco Duo for multi-factor authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a Duo administrator's credentials through phishing, malware, or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen credentials to initiate a login attempt to the Duo admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a non-standard browser (e.g., Firefox, Safari, Edge) to access the Duo admin login page.\u003c/li\u003e\n\u003cli\u003eDuo activity logs record the admin login attempt, including the browser type, IP address, and geolocation data.\u003c/li\u003e\n\u003cli\u003eThe Splunk analytic identifies the login attempt as anomalous because the browser is not Chrome.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert and confirm unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker makes unauthorized changes to security policies, user access, or disables security controls within the Duo admin panel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in unauthorized modifications to security policies, user access, or the disabling of critical security controls. This can substantially weaken the organization's security posture, potentially leading to broader system compromises, data breaches, and service disruptions. The impact could range from targeted account takeovers to widespread privilege escalation affecting all users protected by Duo.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Admin Login Unusual Browser\u003c/code\u003e to your SIEM to detect unusual browser usage for admin logins and tune for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eCisco Duo Admin Login Unusual Browser\u003c/code\u003e promptly to determine the legitimacy of the login attempt.\u003c/li\u003e\n\u003cli\u003eReview and reinforce security awareness training to prevent credential theft through phishing or other social engineering attacks.\u003c/li\u003e\n\u003cli\u003eMonitor the Duo activity logs for other suspicious activities, such as logins from unusual locations or at unusual times.\u003c/li\u003e\n\u003cli\u003eEnsure that the Cisco Security Cloud App is properly configured and ingesting Duo activity logs as described in the reference URL.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-unusual-browser/","summary":"Detects Cisco Duo admin logins from browsers other than Chrome, potentially indicating compromised credentials, session hijacking, or unauthorized device usage.","title":"Cisco Duo Admin Login from Unusual Browser","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-unusual-browser/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["medium"],"_cs_tags":["cisco-duo","screen-lock","policy-change"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief focuses on a Splunk detection analytic designed to identify the weakening of security controls within a Cisco Duo environment. Specifically, the analytic detects instances where a Duo policy is created or updated to permit devices without a screen lock requirement. This configuration change can expose organizations to increased security risks, as lost or stolen devices could be more easily compromised. The detection logic searches Cisco Duo administrator activity logs for policy creation or update events, explicitly looking for entries where the 'require_lock' setting is set to false. This activity is flagged because it deviates from a security best practice. This detection is critical for SOC teams, as malicious insiders or external attackers could attempt to lower authentication standards to facilitate unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises an administrator account with privileges to modify Duo policies.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Duo Admin Panel using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker either creates a new policy or modifies an existing policy.\u003c/li\u003e\n\u003cli\u003eWithin the policy settings, the attacker modifies the \u0026quot;require_lock\u0026quot; setting to \u0026quot;false,\u0026quot; allowing devices without screen locks to authenticate.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the policy changes.\u003c/li\u003e\n\u003cli\u003eUsers with devices that do not have screen locks are now able to authenticate through Duo.\u003c/li\u003e\n\u003cli\u003eAn attacker exploits a lost or stolen device without a screen lock to gain unauthorized access to protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising Duo security policies to allow devices without screen locks significantly increases the risk of unauthorized access. If successful, this policy change could lead to credential compromise, data breaches, and lateral movement within the network. While the specific number of potential victims or targeted sectors is unknown, any organization using Cisco Duo for authentication is potentially vulnerable. The impact is magnified in environments where mobile devices are heavily used, or where sensitive data is accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your specific Cisco Duo environment to detect the policy change activity.\u003c/li\u003e\n\u003cli\u003eReview existing Duo policies to ensure that the \u0026quot;require_lock\u0026quot; setting is enabled for all appropriate policies and user groups.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the Duo administrator activity logs and identifying the user (\u003ccode\u003euser\u003c/code\u003e field in the logs) who made the changes.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo administrator logs (\u003ccode\u003ecisco_duo_administrator\u003c/code\u003e data source) for unauthorized or suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all administrative accounts, including those used to manage Duo policies, to prevent credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/","summary":"A Splunk detection analytic identifies when a Duo policy is created or updated to allow devices without a screen lock, potentially weakening device security controls and increasing the risk of unauthorized access and data breaches.","title":"Cisco Duo Policy Change to Allow Devices Without Screen Lock","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-screen-lock-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco-Duo","version":"https://jsonfeed.org/version/1.1"}