{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ttp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cisco Duo"],"_cs_severities":["high"],"_cs_tags":["cisco-duo","account-compromise","unauthorized-access","ttp"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eThis analytic focuses on identifying unusual administrative login activity within Cisco Duo environments. By monitoring Duo activity logs, it flags login attempts from operating systems that deviate from the norm, excluding common platforms like Mac OS X. The goal is to detect potential credential compromise or unauthorized access by threat actors utilizing unfamiliar devices. This method analyzes admin login actions, filters out logins from expected operating systems, aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. The detection logic specifically looks for deviations from established patterns of administrative access, enabling security operations to quickly identify and respond to potentially malicious activities. This analytic uses data ingested via the Cisco Security Cloud App.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to a valid Duo admin username and password, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker attempts to log in to the Duo admin panel using the compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDuo Authentication:\u003c/strong\u003e Duo prompts the attacker for secondary authentication (e.g., push notification, passcode).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass/Compromise MFA:\u003c/strong\u003e The attacker bypasses or compromises the MFA mechanism, possibly through social engineering, SIM swapping, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdmin Login:\u003c/strong\u003e The attacker successfully logs in to the Duo admin panel from an operating system not typically used by legitimate administrators.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Once logged in, the attacker might attempt to escalate privileges or modify user permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Changes:\u003c/strong\u003e The attacker could modify Duo policies to weaken security controls or bypass MFA requirements for other users.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses their access to pivot to other systems or applications integrated with Duo.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive Duo configurations, potentially affecting the security of all applications and users protected by Duo. This can lead to widespread compromise, data breaches, and disruption of services. If an attacker successfully compromises a Duo admin account, they could disable MFA for targeted users, add new unauthorized users, or modify security policies to weaken the overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect Duo admin logins from unusual operating systems and tune it for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the login attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Cisco Duo activity logs for any suspicious changes to user accounts, policies, or authentication methods using the Cisco Security Cloud App (\u003ca href=\"https://splunkbase.splunk.com/app/7404)\"\u003ehttps://splunkbase.splunk.com/app/7404)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strong MFA policies and educate users about phishing and social engineering attacks.\u003c/li\u003e\n\u003cli\u003eReview and update Duo admin access controls to ensure only authorized personnel have access to administrative functions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/","summary":"Detection of Cisco Duo admin login attempts originating from operating systems not typically used in the environment, potentially indicating account compromise or unauthorized access.","title":"Cisco Duo Admin Login from Unusual Operating System","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-duo-unusual-login/"}],"language":"en","title":"CraftedSignal Threat Feed - Ttp","version":"https://jsonfeed.org/version/1.1"}