{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/outdated-software/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","policy-modification","outdated-software"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis brief addresses the risk associated with modifying Cisco Duo policies to allow the use of outdated Java versions. An attacker, potentially an insider or an external actor who has compromised administrative credentials, weakens the organization's security posture by updating Duo policies to disable Java remediation. The activity is identified by monitoring Cisco Duo administrator activity logs for policy updates or creations where the \u003ccode\u003ejava_remediation\u003c/code\u003e setting is explicitly set to \u003ccode\u003eno remediation\u003c/code\u003e. Allowing outdated Java exposes the organization to numerous security vulnerabilities, increasing the likelihood of successful exploitation. This activity could begin at any time, and defenders should consider the possibility of both malicious insiders and compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise/Insider Threat:\u003c/strong\u003e The attacker gains access to a Cisco Duo administrator account, either through credential compromise or by being a malicious insider.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the Cisco Duo administrative interface using the compromised or authorized account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Duo policies to identify potential targets for modification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Duo policy, specifically setting the \u003ccode\u003ejava_remediation\u003c/code\u003e attribute to \u003ccode\u003eno remediation\u003c/code\u003e. This disables the enforcement of up-to-date Java requirements for applications protected by the modified policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Activation:\u003c/strong\u003e The modified policy is activated, allowing users with outdated Java versions to access protected applications without remediation prompts or blocks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation:\u003c/strong\u003e Users with outdated Java versions access protected applications, unknowingly creating an opportunity for attackers to exploit known Java vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Breach:\u003c/strong\u003e If a Java vulnerability is successfully exploited, the attacker may gain unauthorized access to systems, potentially leading to lateral movement within the network and/or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful modification of Cisco Duo policies to allow outdated Java can have severe consequences. Victims can range from individual users to entire organizations. The immediate impact is a weakened security posture, increasing the organization's attack surface. Successful exploitation of Java vulnerabilities can lead to data breaches, system compromise, and potential financial losses. The number of affected users and systems depends on the scope of the modified policies and the prevalence of outdated Java versions within the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e to detect policy updates that disable Java remediation based on \u003ccode\u003ecisco_duo_administrator\u003c/code\u003e logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eCisco Duo Policy Allowing Old Java\u003c/code\u003e Sigma rule, focusing on the user (\u003ccode\u003euser\u003c/code\u003e) and admin email (\u003ccode\u003eadmin_email\u003c/code\u003e) associated with the policy change.\u003c/li\u003e\n\u003cli\u003eReview and enforce multi-factor authentication for all Cisco Duo administrator accounts to mitigate the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Cisco Duo policies to ensure that Java remediation is enabled and aligned with security best practices.\u003c/li\u003e\n\u003cli\u003eRefer to the Cisco Security Cloud App documentation (\u003ca href=\"https://splunkbase.splunk.com/app/7404\"\u003ehttps://splunkbase.splunk.com/app/7404\u003c/a\u003e) for proper log ingestion from Duo.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/","summary":"A threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.","title":"Cisco Duo Policy Allowing Outdated Java Usage","url":"https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/"}],"language":"en","title":"CraftedSignal Threat Feed - Outdated-Software","version":"https://jsonfeed.org/version/1.1"}