<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tampered_devices - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/tampered_devices/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/tampered_devices/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Duo Policy Allowing Tampered Devices</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-cisco-duo-tampered-devices/</guid><description>A threat actor modifies or creates a Cisco Duo policy to allow tampered or rooted devices to access protected resources, potentially bypassing security controls and enabling unauthorized access.</description><content:encoded><![CDATA[<p>This analytic detects when a Duo policy is created or updated to allow tampered or rooted devices (e.g., jailbroken smartphones) to access protected resources. The detection focuses on changes to Duo policies where the <code>allow_rooted_devices</code> setting is enabled. The activity is identified through the examination of Cisco Duo administrator activity logs. This poses a significant security risk because tampered devices can bypass security controls, run unauthorized software, and become more susceptible to compromise. The ability to modify these settings can be indicative of a misconfiguration or a malicious attempt to weaken authentication requirements, potentially granting attackers access to sensitive systems using compromised devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains access to an administrative account within the Cisco Duo environment.</li>
<li>The attacker authenticates to the Duo Admin Panel.</li>
<li>The attacker navigates to the Policies section within the Duo Admin Panel.</li>
<li>The attacker modifies an existing policy or creates a new policy.</li>
<li>During policy creation or modification, the attacker enables the &quot;Allow rooted devices&quot; setting, which is represented as <code>allow_rooted_devices=true</code> in the policy description.</li>
<li>The Duo Admin Panel logs the policy creation or update event in the administrator activity logs.</li>
<li>Tampered devices are now able to authenticate via Duo and access protected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to the circumvention of security controls on tampered devices, unauthorized access to sensitive systems, data breaches, and potential lateral movement within the network. Organizations relying on Duo for multi-factor authentication may experience a significant degradation in their security posture if this policy is enabled, potentially affecting thousands of users and devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Cisco Duo Policy Allowing Tampered Devices</code> to detect the creation or modification of Duo policies allowing tampered devices by monitoring the Duo administrator activity logs.</li>
<li>Review and audit existing Duo policies to identify any unintentional or malicious configurations allowing tampered devices.</li>
<li>Monitor the <code>Cisco Duo Administrator</code> logs for suspicious activity, especially related to policy changes.</li>
<li>Investigate any alerts triggered by the Sigma rule and remediate by reverting the policy change.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cisco_duo</category><category>policy_change</category><category>tampered_devices</category><category>rooted_devices</category><category>identity</category></item></channel></rss>