
When big companies act dumb – Sorry, but Cisco’s Duo multifactor-authentication exploit was just plain, old stupid programming.


Reports are emerging that Russian state-sponsored cyber actors have been taking advantage of an astoundingly bad default configuration in Cisco’s Duo multifactor authentication (MFA). The attackers used Cisco’s mistake to register a new device for MFA and, yes, get into the victim’s network, where they did all sorts of nasty things.

The attackers first got into the victim’s network through brute-force password guessing. They got a hit on an old account that had never been disabled in Active Directory and walked straight through the door. Next, they used that foothold to switch MFA off. How, you ask? Cisco’s default configuration for Duo MFA is, ludicrously, to “fail open”, which means that if the Duo service cannot be reached, the login is allowed to proceed without a second factor. The attackers made sure the Duo service could not be reached with one simple change.

Most programmers are familiar with the Windows hosts file. It’s found on every Windows system, and entries added to it are consulted before DNS, so they override the normal lookup. Yes, you guessed it. The attackers edited the Windows hosts file (C:\windows\system32\drivers\etc\hosts), which requires local administrator rights, and added an entry that pointed the Duo API hostname at localhost instead. It looks like this:

127.0.0.1 api.duosecurity.com

This stopped the Duo client from reaching the service to validate the second factor, and because the out-of-the-box default was, for some reason, to fail open, MFA was effectively disabled on every host where they made that one-line change.
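To make the two conditions above concrete, here is an added audit script (my example, not code from the original post or from Duo). It parses a Windows hosts file and flags any entry that overrides resolution of the duosecurity.com domain, marking whether the target is a loopback address as in the attack described above, and it reads a Duo Authentication Proxy authproxy.cfg and reports the effective failmode of each RADIUS/LDAP server section. The hosts path is the one named in the post; the config layout and the failmode key with its documented default of “safe” (fail open) versus “secure” (fail closed) come from Duo’s Authentication Proxy documentation. The hosts content and config below are constructed sample input, and the ikey/api_host values are placeholders.

```python
"""Audit a Windows hosts file and a Duo Authentication Proxy config for the
two conditions in the post: a hosts entry pinning a Duo API hostname to
loopback, and a proxy server section whose failmode is "safe" (fail open).
All sample inputs below are constructed for this example."""
import configparser
import ipaddress

# Constructed hosts file: Windows boilerplate, one legitimate internal entry,
# and two entries that redirect Duo API names to loopback (one IPv4, one IPv6).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example   # legitimate internal entry
127.0.0.1 api.duosecurity.com
::1   api-1234abcd.duosecurity.com
"""

# Constructed authproxy.cfg: one server section fails open, one fails closed.
# ikey/skey/api_host values are placeholders, not real credentials.
SAMPLE_AUTHPROXY_CFG = """[main]
log_dir=C:\\Program Files\\Duo Security Authentication Proxy\\log

[ad_client]
host=10.0.0.10
service_account_username=duo_svc
search_dn=DC=corp,DC=example

[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-1234abcd.duosecurity.com
radius_ip_1=10.0.0.20
radius_secret_1=REDACTED
failmode=safe

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REDACTED
api_host=api-1234abcd.duosecurity.com
failmode=secure
"""


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for each non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid address; skip malformed line
        entries.append((ip, [name.lower() for name in parts[1:]]))
    return entries


def find_mfa_redirects(text, domain="duosecurity.com"):
    """Return hosts entries that override resolution of the MFA vendor domain.

    Any such entry is suspicious; a loopback target is exactly the trick in
    the post (the Duo client can no longer reach the service, so it fails open).
    """
    hits = []
    for ip, names in parse_hosts(text):
        for name in names:
            if name == domain or name.endswith("." + domain):
                hits.append({"host": name, "ip": str(ip), "loopback": ip.is_loopback})
    return hits


# Duo Authentication Proxy sections that accept a failmode setting.
PROXY_SERVER_PREFIXES = ("radius_server", "ldap_server")


def audit_failmode(cfg_text):
    """Report the effective failmode of each proxy server section.

    Per Duo's documentation the key defaults to "safe" when absent, which is
    fail open; only "secure" fails closed.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(cfg_text)
    report = {}
    for section in cfg.sections():
        if section.startswith(PROXY_SERVER_PREFIXES):
            mode = cfg.get(section, "failmode", fallback="safe").strip().lower()
            report[section] = {"failmode": mode, "fail_open": mode != "secure"}
    return report


if __name__ == "__main__":
    # On a real host, read C:\windows\system32\drivers\etc\hosts and the
    # proxy's authproxy.cfg instead of the constructed samples.
    for hit in find_mfa_redirects(SAMPLE_HOSTS):
        print("hosts override:", hit)
    for section, info in audit_failmode(SAMPLE_AUTHPROXY_CFG).items():
        print(section, info)
```

Run it against the real files on a domain controller or authentication proxy host: any hosts override of the vendor domain is a finding, and any server section reporting `fail_open: True` should be set to `failmode=secure`. The Duo Windows Logon client has its own fail-open setting that this script does not read; check that separately.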

According to sources, the activity dates back to May 2021. Check your MFA configurations, set the fail mode to fail closed (“secure” rather than “safe” in Duo’s terms), and make sure dormant accounts are actually disabled. Monitoring the hosts file on domain controllers and other sensitive machines for unexpected entries would have caught this one-line trick.