{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco_duo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco_duo","policy_change","tampered_devices","rooted_devices","identity"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic detects when a Duo policy is created or updated to allow tampered or rooted devices (e.g., jailbroken smartphones) to access protected resources. The detection focuses on changes to Duo policies where the \u003ccode\u003eallow_rooted_devices\u003c/code\u003e setting is enabled. The activity is identified through the examination of Cisco Duo administrator activity logs. This poses a significant security risk because tampered devices can bypass security controls, run unauthorized software, and become more susceptible to compromise. The ability to modify these settings can be indicative of a misconfiguration or a malicious attempt to weaken authentication requirements, potentially granting attackers access to sensitive systems using compromised devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to an administrative account within the Cisco Duo environment.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Policies section within the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing policy or creates a new policy.\u003c/li\u003e\n\u003cli\u003eDuring policy creation or modification, the attacker enables the \u0026quot;Allow rooted devices\u0026quot; setting, which is represented as \u003ccode\u003eallow_rooted_devices=true\u003c/code\u003e in the policy description.\u003c/li\u003e\n\u003cli\u003eThe Duo Admin Panel logs the policy creation or update event in the administrator activity logs.\u003c/li\u003e\n\u003cli\u003eTampered devices are now able to authenticate via Duo and access protected resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the circumvention of security controls on tampered devices, unauthorized access to sensitive systems, data breaches, and potential lateral movement within the network. Organizations relying on Duo for multi-factor authentication may experience a significant degradation in their security posture if this policy is enabled, potentially affecting thousands of users and devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Tampered Devices\u003c/code\u003e to detect the creation or modification of Duo policies allowing tampered devices by monitoring the Duo administrator activity logs.\u003c/li\u003e\n\u003cli\u003eReview and audit existing Duo policies to identify any unintentional or malicious configurations allowing tampered devices.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003eCisco Duo Administrator\u003c/code\u003e logs for suspicious activity, especially related to policy changes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule and remediate by reverting the policy change.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/","summary":"A threat actor modifies or creates a Cisco Duo policy to allow tampered or rooted devices to access protected resources, potentially bypassing security controls and enabling unauthorized access.","title":"Cisco Duo Policy Allowing Tampered Devices","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Duo","Adobe Flash"],"_cs_severities":["medium"],"_cs_tags":["cisco_duo","policy_change","outdated_software"],"_cs_type":"advisory","_cs_vendors":["Cisco","Adobe"],"content_html":"\u003cp\u003eThis threat brief focuses on the potential weakening of security controls within Cisco Duo environments. Specifically, it addresses the scenario where a Duo administrator modifies or creates a policy to permit the use of outdated Adobe Flash components. This is identified through Duo activity logs by detecting policy changes with the attribute \u0026quot;flash_remediation=no remediation\u0026quot;. The scope of this threat involves any organization using Cisco Duo for multi-factor authentication and where Flash-based applications or services are still in use, despite Flash reaching end-of-life. This policy change can significantly broaden the attack surface, as outdated Flash versions are riddled with known security vulnerabilities. Attackers may exploit these weaknesses to bypass authentication controls, potentially leading to unauthorized access, malware deployment, or privilege escalation. Defenders should be aware of this as it can undermine the overall security posture of the organization and lead to compliance violations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Cisco Duo administrator's account through compromised credentials or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the Cisco Duo Admin Panel with the compromised administrator account.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the \u0026quot;Policies\u0026quot; section of the Duo Admin Panel.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing policy or creates a new policy to allow the use of outdated Flash components by setting \u0026quot;flash_remediation=no remediation\u0026quot;.\u003c/li\u003e\n\u003cli\u003eThe policy change is saved, and the updated configuration is applied to the targeted users or applications.\u003c/li\u003e\n\u003cli\u003eA user with an outdated Flash version attempts to authenticate through Duo.\u003c/li\u003e\n\u003cli\u003eDue to the modified policy, the user is granted access despite the outdated Flash version.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the Flash vulnerability on the user's system to execute malicious code, potentially leading to data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging a policy allowing outdated Flash in Cisco Duo can lead to several negative consequences. Attackers can bypass multi-factor authentication, gaining unauthorized access to sensitive systems and data. Depending on the targeted systems, this could result in data breaches, financial losses, and reputational damage. The impact is especially significant for organizations in regulated industries that require strict adherence to security compliance standards. The number of potential victims depends on the scope of the vulnerable policy and the number of users still relying on outdated Flash components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Outdated Flash\u003c/code\u003e to detect instances where Duo administrators create or update policies to allow outdated Flash versions. This will provide real-time alerting of potentially malicious policy changes (rule).\u003c/li\u003e\n\u003cli\u003eReview all existing Cisco Duo policies and ensure that Flash remediation is enabled (\u0026quot;flash_remediation=remediation\u0026quot;) to prevent the exploitation of Flash vulnerabilities.\u003c/li\u003e\n\u003cli\u003eEnforce a policy of disabling or removing Flash from all endpoints where it is not absolutely necessary.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the intent behind the policy change and whether the administrator account was compromised.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo activity logs using the \u003ccode\u003ecisco_duo_administrator\u003c/code\u003e data source for suspicious activity patterns, such as unusual login times or policy changes made outside of normal business hours.\u003c/li\u003e\n\u003cli\u003eUtilize the Cisco Security Cloud App (referenced in the provided URL) to ingest Cisco Duo activity logs into your SIEM for centralized monitoring and analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-duo-old-flash/","summary":"A Cisco Duo administrator may create or update a policy to allow the use of outdated Flash components, potentially increasing the attack surface by allowing exploitation of Flash vulnerabilities.","title":"Cisco Duo Policy Allowing Outdated Flash Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-02-cisco-duo-old-flash/"}],"language":"en","title":"CraftedSignal Threat Feed - Cisco_duo","version":"https://jsonfeed.org/version/1.1"}