<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Outdated-Software - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/outdated-software/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/outdated-software/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Duo Policy Allowing Outdated Java Usage</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-old-java/</guid><description>A threat actor modifies Cisco Duo policies to permit outdated Java versions, potentially exposing the organization to known vulnerabilities and exploits.</description><content:encoded><![CDATA[<p>This brief addresses the risk associated with modifying Cisco Duo policies to allow the use of outdated Java versions. An attacker, potentially an insider or an external actor who has compromised administrative credentials, weakens the organization's security posture by updating Duo policies to disable Java remediation. The activity is identified by monitoring Cisco Duo administrator activity logs for policy updates or creations where the <code>java_remediation</code> setting is explicitly set to <code>no remediation</code>. Allowing outdated Java exposes the organization to numerous security vulnerabilities, increasing the likelihood of successful exploitation. This activity could begin at any time, and defenders should consider the possibility of both malicious insiders and compromised accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Credential Compromise/Insider Threat:</strong> The attacker gains access to a Cisco Duo administrator account, either through credential compromise or by being a malicious insider.</li>
<li><strong>Authentication:</strong> The attacker authenticates to the Cisco Duo administrative interface using the compromised or authorized account.</li>
<li><strong>Policy Enumeration:</strong> The attacker enumerates existing Duo policies to identify potential targets for modification.</li>
<li><strong>Policy Modification:</strong> The attacker modifies a Duo policy, specifically setting the <code>java_remediation</code> attribute to <code>no remediation</code>. This disables the enforcement of up-to-date Java requirements for applications protected by the modified policy.</li>
<li><strong>Policy Activation:</strong> The modified policy is activated, allowing users with outdated Java versions to access protected applications without remediation prompts or blocks.</li>
<li><strong>Vulnerability Exploitation:</strong> Users with outdated Java versions access protected applications, unknowingly creating an opportunity for attackers to exploit known Java vulnerabilities.</li>
<li><strong>Lateral Movement/Data Breach:</strong> If a Java vulnerability is successfully exploited, the attacker may gain unauthorized access to systems, potentially leading to lateral movement within the network and/or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful modification of Cisco Duo policies to allow outdated Java can have severe consequences. Victims can range from individual users to entire organizations. The immediate impact is a weakened security posture, increasing the organization's attack surface. Successful exploitation of Java vulnerabilities can lead to data breaches, system compromise, and potential financial losses. The number of affected users and systems depends on the scope of the modified policies and the prevalence of outdated Java versions within the organization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Allowing Old Java</code> to detect policy updates that disable Java remediation based on <code>cisco_duo_administrator</code> logs.</li>
<li>Investigate any alerts generated by the <code>Cisco Duo Policy Allowing Old Java</code> Sigma rule, focusing on the user (<code>user</code>) and admin email (<code>admin_email</code>) associated with the policy change.</li>
<li>Review and enforce multi-factor authentication for all Cisco Duo administrator accounts to mitigate the risk of credential compromise.</li>
<li>Regularly audit Cisco Duo policies to ensure that Java remediation is enabled and aligned with security best practices.</li>
<li>Refer to the Cisco Security Cloud App documentation (<a href="https://splunkbase.splunk.com/app/7404">https://splunkbase.splunk.com/app/7404</a>) for proper log ingestion from Duo.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco-duo</category><category>policy-modification</category><category>outdated-software</category></item></channel></rss>