ElevateIT Minneapolis Technology Summit 2024
Discover the latest innovations in technology at the Annual ElevateIT: Minneapolis Technology Summit 2024. Join us on July 19th for engaging sessions on cloud computing, data analytics, and AI.
Explore the latest cybersecurity emerging trends including advancements in artificial intelligence, cloud security, zero-trust, and IoT security.
Get ready for XChange Security 2024 in Dallas, TX. Join us to gain essential market intelligence, connect with industry experts, and strengthen your security capabilities.
Stay ahead of cyber threats with actionable strategies. Join the webinar to learn from real-life examples and receive the Cyber Threat Insights 2024 Volume II report.
Join Adlumin during AWS re:Inforce at Booth #810. This event offers an engaging cloud security learning experience tailored for the generative AI era.
Don’t miss out on AWS re:Inforce. Stop by and see how Adlumin can enhance your organization’s security posture.
Dates: June 10-12, 2024
Location: Philadelphia, PA
Booth #: 810
Contact: marketingevents@adlumin.com
Join Adlumin at the Rocky Mountain Information Security Conference (RMISC) for an immersive experience in cybersecurity excellence. Dive into cutting-edge content, with insights on the latest trends, technologies, and best practices shaping the industry’s future. Learn from world-class speakers, gain invaluable knowledge, and network with peers and potential collaborators from around the globe.
Stay ahead of the curve with access to sponsor exhibits showcasing innovative products and solutions. Whether you’re a seasoned professional or an aspiring enthusiast, RMISC provides unparalleled opportunities for learning, networking, and growth within a vibrant cybersecurity community.
Don’t miss out on RMISC—the cornerstone event for staying ahead in today’s rapidly evolving cybersecurity landscape.
Dates: June 11-13, 2024
Location: Denver, CO
Contact: marketingevents@adlumin.com
Join Adlumin at the 6th Annual Rocky Mountain Technology Summit on Tuesday, May 21st, 2024, at the Crowne Plaza Denver Airport Convention Center (15500 E 40th Avenue, Denver, CO 80239) from 8 am to 4 pm.
This B2B event caters to the Technology and Security community, including IT/IS Executives and Direct reports from various verticals across Colorado. Attend to network, learn, advance your career, and explore purchasing opportunities.
Gain valuable insights and connections to navigate the dynamic landscape of technology trends effectively.
Dates: May 21, 2024
Location: Denver, CO
Contact: marketingevents@adlumin.com
The Adlumin team recently investigated a security incident in which one or more malicious actors gained unauthorized access to a company’s networks by completely bypassing Duo, a popular zero-trust security solution used by hundreds of organizations worldwide.
The incident occurred in early February 2024 when threat actor(s) used two compromised sets of email credentials to log in remotely to the targeted company’s network from servers with IP addresses registered to Russia and Brazil. Subsequently, the company’s security tools, including Adlumin, generated several alerts for malicious activity detected within the network. This activity included credential brute forcing attempts, attacks against Microsoft Active Directory and Kerberos, and the use of Netscan to enumerate endpoints and servers.
Security teams responded to the alerts and successfully halted and locked out the threat actors before they could inflict more harm on the network, but questions remained as to why Duo’s two-factor authentication (2FA) did not prompt to verify the legitimacy of the login sessions, which would have protected against attacks based on compromised credentials.
The Adlumin investigation revealed that the two compromised email accounts used by the threat actor(s) were stale accounts which had been mistakenly configured with a policy that allows for unenrolled or partially enrolled users to authenticate into their network without 2FA.
According to Duo’s online documentation (last updated on Jan. 29, 2024), a “New User Policy” set to allow access without 2FA does not prompt users to complete enrollment, and they are granted access without two-factor authentication. [1]
This type of user policy is made available to organizations for several reasons, including facilitating a gradual rollout of 2FA within the organization or a slow adoption of new zero-trust practices. However, it remains important to monitor events generated by users that bypass 2FA. Duo does offer such a monitoring feature to companies using Duo Premier, Duo Advantage, and Duo Essentials Plan.
With any 2FA solution, it’s important to consider the risks of enabling or using user policies that bypass it in any scope. Bypassing 2FA for certain users or scenarios reduces the overall security posture of the system and network. It can create fringe but exploitable instances where authentication relies solely on a single factor (e.g., username and password) that may be more susceptible to compromise – which was the case in the security incident investigated by Adlumin.
When users are not required to use 2FA, there is an increased vulnerability window. Attackers may exploit this period, especially if users with reduced authentication factors can enable access to sensitive information or critical systems.
In its online documentation, Duo does warn account owners and administrators who configure login access to remember that users with bypass status are not subject to restrictions and can bypass Duo authentication entirely. [2]
To protect against similar attacks at organizations that use Duo or other zero-trust solutions, Adlumin recommends that companies and organizations ensure user access policies are correctly configured and consider the security risks that come with allowing some users to bypass 2FA.
Organizations can avoid or reduce their exposure to an attack by practicing good account hygiene. This includes routinely conducting account reviews to identify and deactivate accounts that are no longer needed, establishing efficient communication between IT departments and human resources when employees leave an organization, and automating account provisioning and deprovisioning processes.
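The monitoring and account-review recommendations above can be combined into one check. The following is an added example, not Adlumin's or Duo's code: it flags successful logins that skipped 2FA and raises severity when the account is stale. The record schema, the reason strings (modelled on Duo authentication-log values), the 90-day threshold and all sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumption: reason strings modelled on Duo authentication-log values for
# logins allowed with no second factor; confirm against your own export.
NO_2FA_REASONS = {"allow_unenrolled_user", "bypass_user"}

def find_no_2fa_logins(events, last_login, now, stale_days=90):
    """Return one finding per successful login that skipped 2FA.

    events:     dicts with user, result, reason, ip, country (hypothetical schema)
    last_login: user -> datetime of the last login before the review window,
                or missing if never seen (from the directory or IdP)
    """
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for ev in events:
        if ev.get("result") != "success" or ev.get("reason") not in NO_2FA_REASONS:
            continue
        prior = last_login.get(ev["user"])
        stale = prior is None or prior < cutoff  # dormant or never-used account
        findings.append({
            "user": ev["user"], "reason": ev["reason"],
            "ip": ev["ip"], "country": ev["country"],
            "stale_account": stale,
            "severity": "high" if stale else "medium",
        })
    return findings

# Constructed sample data: invented users, documentation IP ranges.
NOW = datetime(2024, 2, 10, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"user": "old.mailbox1", "result": "success", "reason": "allow_unenrolled_user",
     "ip": "203.0.113.10", "country": "RU"},
    {"user": "j.doe", "result": "success", "reason": "user_approved",
     "ip": "198.51.100.7", "country": "US"},
    {"user": "new.hire", "result": "success", "reason": "allow_unenrolled_user",
     "ip": "198.51.100.20", "country": "US"},
    {"user": "old.mailbox2", "result": "denied", "reason": "deny_unenrolled_user",
     "ip": "203.0.113.44", "country": "BR"},
]
SAMPLE_LAST_LOGIN = {
    "old.mailbox1": datetime(2022, 11, 3, tzinfo=timezone.utc),
    "j.doe": datetime(2024, 2, 9, tzinfo=timezone.utc),
    "new.hire": datetime(2024, 2, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for f in find_no_2fa_logins(SAMPLE_EVENTS, SAMPLE_LAST_LOGIN, NOW):
        print(f["severity"], f["user"], f["reason"], f["ip"], f["country"])
```

A recently onboarded user mid-enrollment still appears, at lower severity, so the gradual-rollout case stays visible without drowning out the stale-account case.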
References:
[1] https://duo.com/docs/policy#new-user-policy
[2] https://duo.com/docs/policy#overview
Join Adlumin at the Texas Technology Summit, which caters to the Technology and Security community, drawing IT/IS Executives and Direct reports from various verticals across Texas. Whether you’re seeking networking opportunities, conducting research, advancing your career, or making strategic purchases, this summit is for you. Equip your company with the necessary tools and connections to navigate the dynamic landscape of evolving technology trends.
Date: March 19, 2024
Location: Houston, TX
Contact: marketingevents@adlumin.com